
Editor: Merrill Dresner

No-8 November 1988

In this issue, we bring you news from the annual meeting of Data Protection Commissioners in Oslo which we attended in September. The discussion ranged over employment records, AIDS, health files, police files, tax records, research data, credit reference information, the fair obtaining of data, and Amnesty International records. This is the seventh year we have attended this meeting, gathering the news, developing our understanding of privacy trends and developing the network of personal contacts that makes possible this newsletter and related research and consulting projects.

In October, we were delighted by the very enthusiastic response to our conference in London, where there were participants from 10 countries. Both data protection authorities and companies were pleased to have an opportunity to meet informally. The papers from the conference are now available and we have started planning next year's conference.

In response to requests from our readers with operations in Ireland, we are pleased to announce a conference on Ireland's Data Protection Act, together with the Confederation of Irish Industry, on February 9th in Dublin. The Data Protection Commissioner, Donal Linehan, will give details of the Act and how it will be enforced. Privacy Laws & Business will explain the impact on company operations and one of the Commissioner's staff will show participants how to complete the registration forms.

The February 1989 features will include a completely updated global roundup of data protection laws and bills and summary tables... an in-depth review of the Council of Europe's role in data protection...Norway's data security policy.... We look forward in 1989 to again providing you with information and advice on international privacy laws.

Merrill Dresner, Editor

In this issue: Page

* Data protection news from around the world ......... 2
  Australia, Austria, Canada, Quebec, Denmark, France, Germany, Ireland, Luxembourg, Netherlands

* New-style privacy laws: convergence or radical change? ......... 8

* The Netherlands Data Protection Bill - final lap ......... 11

* Australia's Privacy Act - at last ......... 18

* Canada's Privacy Act - federally-regulated sector? ......... 24

* Book reviews ......... 25

* Privacy Laws & Business 1987/1988 index ......... 26

Editor: Merrill Dresner, 3, Central Avenue, Pinner, Middlesex, HA5 5BT, UK. Telephone: 01-866-8641 (UK)/(+44.1) 866 8641 (International). Telex: 9312100310 TDG. Messages: Telephone: 01-958-3155 (UK)/(+44.1) 958-3155 (International).

Reproduction and transmission in any form without prior permission prohibited. Privacy Laws & Business cannot accept liability for advice given. COPYRIGHT © 1988 PRIVACY LAWS & BUSINESS. ISSN 0953-6795

DATA PROTECTION NEWS FROM AROUND THE WORLD

1. Countries with data protection laws

Australia: In November, the Commonwealth (Federal) Parliament passed the Privacy Act 1988. The Act applies only to the Commonwealth public sector, and not to State government agencies. The Act also covers the private sector to the extent that it imposes specific controls on companies' use of the Tax File Number. The Privacy Commissioner is given wide delegated legislative powers to prepare enforceable Guidelines applicable to both public and private sectors. The Act also requires the Privacy Commissioner to encourage companies to adopt the OECD Guidelines voluntarily. It can therefore be considered only a first installment towards Australia's compliance with the OECD Guidelines or eligibility to ratify the Council of Europe Convention. However, it does cover both computerised and manual records. See page 18 for a full report.

Austria: Over the last year, the most significant developments have been as follows:

* There have been amendments to the penal provisions of the 1978 Data Protection Act (section 49) to harmonize them with the new computer crime provisions in the Penal Code dealing with Damage to Stored Data (section 126a Penal Code) and Computer Fraud (section 147a Penal Code). The amendment entered into force on March 1st 1988.

* Court actions on cases involving employment related aspects of the Data Protection Act will from January 1st 1989 be heard in the Labour and Social Courts. This is the result of an amendment to section 29 of the Data Protection Act.

* The Data Protection Commission refused permission for a credit information agency to transfer abroad data about family status because such data was not covered by the legitimate purpose of the agency. The case is now pending before the Supreme Administrative Court.

* The right of access does not include the right to be informed about the source of the data, ruled the Supreme Civil Court in a case on direct marketing and data protection. The court's reason was that the direct marketing company had organized its data in a way which prevented it from identifying the source of the data. This decision may lead to amendment of the law.

Canada: The Privacy Commissioner, John Grace, and his staff, together with the Treasury Board and the Department of Justice, have been briefing Crown Corporations on their new obligations under the Privacy Act (PL&B August '88 p.5). By late November, the following Crown Corporations had been briefed: Air Canada, Petro Canada, Via Rail, Canadian National Railways, individual ports of St. John's, Halifax, Saint John, Quebec City, Montreal, Prince Rupert and Vancouver, Cape Breton Development Corporation, Marine Atlantic Inc., International Centre for Ocean Development, Harbourfront Corporation, Canada Lands Company (Mirabel), Le Vieux-Port de Québec, Le Vieux-Port de Montréal, Canada Museums Construction Corporation Inc., Atomic Energy of Canada Limited, and Canada Development Investment Corporation. Some of these corporations have wholly-owned subsidiaries which will also be covered.

The corporations will be added to the schedule of the Privacy Act by Order in Council (an Executive action) rather than by legislative amendment. With the return of the Conservative government under Prime Minister Mulroney in the recent general election, his party's de-regulatory policies may mean that the Privacy Act may not be extended to all Crown Corporations. One possibility is the extension of the Privacy Act only to those Crown Corporations which are not in direct competition with private sector companies. Such a policy would mean that the Privacy Act would not apply to those major Crown corporations, like Air Canada and Petro Canada, which do compete in the private sector (see page 24).

Other changes include:

* the extension of Privacy Act rights to anyone physically present in Canada, rather than being restricted to citizens and permanent residents;

* tightening the definition of personal information about public servants to ensure protection of sensitive data;

* tightening the security policy to enhance protection of personal information;

* improved training for federal government personnel and departmental coordinators;

* a public awareness campaign; and

* an on-line data base for the Personal Information Index, which is the directory of federal government personal information data banks.

Quebec: The Quebec access and privacy law may be extended to certain companies regulated by the provincial government. The Quebec government is now considering whether the Act on access to documents held by public bodies and the protection of personal information should be extended to some of the private sector. Currently, the law, which was passed in 1982 and came into effect in July 1984, covers more than 3,600 public sector bodies, including local government, education and social services.

In October 1987, the Commission on Access to Information presented to the Quebec government its five yearly review of how the law was working. Subsequently, the report was presented to the Quebec Assembly which made its own examination of the Commission's recommendations. One point barely touched on by the Commission but which features in the Assembly's report, is the proposal to extend the protection of name-linked data to the private sector. In the first place, the law might be extended to priority sectors, in particular, credit agencies, insurance companies and banks. It is now for the Quebec government to take a decision.

Denmark: The amendments to Denmark's Public Authorities' Registers Act and Private Registers Act came into effect on April 1st this year (PL&B August '87 p.3, August '88 p.4).

In the public sector, the most important changes are:

* a set of detailed rules must be issued for every computerized name-linked file, except that there is an exemption for files containing little and strictly defined non-sensitive data. However, the general rules of the law still apply to these files.

* The Justice Ministry is currently discussing with central and local government agencies the feasibility of automatically providing data subjects with a printout of files on themselves containing sensitive data. The main issues to be resolved are the level of interest from data subjects and cost to the agencies.

* The Data Protection Agency (DPA) has given guidance to public authorities on the transfer of data to third parties, including other public authorities. Generally, sensitive data should only be disclosed if individuals have given their consent.

In the private sector, the most important changes are:

* On the general rules, in particular, an explicit right of access by data subjects to computerized files on themselves, with access fees determined by the Minister of Justice.

* On consumer credit,

- The data protection authority has had its jurisdiction extended to the transfer of consumer credit data in the banking sector.

- Credit information agencies may only disclose information on debts if: the debt is more than DKr1,000 (£80); and the individual has agreed on the accuracy of the debt information or the case has been brought to court.

- Credit information agencies may only process data by reference to the name of individuals. Access to the information by address is no longer permitted, to ensure that creditworthiness is no longer based on such unspecific information.

* On direct marketing,

- The linking of computerized files held by different companies is banned unless the purpose is limited to updating names and addresses. However, the data protection authority may issue a licence to permit other reasons for linking files.

- Companies may not disclose information on consumers to other companies for marketing purposes, unless the company has informed the consumers on the file in writing that the disclosure may occur, and the consumer has given his explicit consent in writing. The Danish data protection authority states that this provision is in accordance with the Council of Europe's Recommendation on Direct Marketing.

- There are restrictions on the collection of information resulting from telephone marketing.

* On sensitive data:

- Computerized name-linked files containing sensitive data may be set up only after first notifying the DPA. However, this provision does not apply to files kept by associations if the file is intended exclusively for storage of data on members of the association. The DPA has laid down rules on the details of the notification.

- With the approval of the DPA, the Minister of Justice may exempt certain sensitive files from the duty of notification, for example: client files held by lawyers or accountants; patient files held by doctors, nurses, dentists and other such health workers; and personnel files, if filing health data is a duty according to the law or is necessary according to collective agreements on pay.

- Files set up for research and statistics purposes must be notified in advance to the DPA if they contain sensitive data, and the DPA has laid down appropriate safeguards for these files.

* Name-linked information systems held by the press must be notified to the DPA.

* Personal Identification Numbers may be used only if organizations using them comply with the rules on sensitive data.

As a result of these amendments, Denmark will now be able to ratify the Council of Europe Convention.

The amended texts of the Danish data protection legislation are available in English from Privacy Laws & Business.

France: Significant decisions by CNIL, the data protection authority, over the last year relevant to companies include:

* A decision clarifying the use of smart cards for collecting sensitive data. The CNIL approved an experiment to use memory (smart) health cards for people receiving dialysis treatment by the National Federation of Civil Servants and Agents of the State Mutual Fund Societies.

* Enforcement action has been taken mainly against insurance companies.

* A warning was given to the Hermes Association because of the use of a system to detect stolen and lost cheques which violated France's data protection law.

Germany: The Federal Data Protection Commissioner has proposed several amendments to the Federal Data Protection Act, currently being discussed in the legislature:

* One data protection law should cover all forms of automated and manual personal data.

* Data processing should become more transparent by restricting the use of data to its original purpose.

* The federal Data Protection Commissioner must have sufficient powers, including the right to carry out systematic checks.

* The latest management information systems, like networks, personal computers and image processing, must be taken into account when drafting amendments to the data protection law.

The federal legislature has invited the Federal Data Protection Commissioner to advise a special Committee for the Investigation of the Possibilities and Risks of Genetic Engineering. The Committee has identified a number of data protection issues related to genetics, mainly concerning the collection, storage and use of data, and in particular on:

* the genetic codes of individuals which are collected in the course of ante-natal checks or through the examination of new born babies;

* the health of employees in the context of harmful conditions at their workplace;

* health data on individuals collected to assess their insurance risk;

* data which might serve to link forensic evidence to individuals involved in criminal proceedings.

Ireland: Ireland's Data Protection Act has already been analysed in detail in previous issues (PL&B November '87 p.6, May '88 p.17, and August '88 p.6). The main features of the Act are that it covers automated records in the public and private sectors and is a second generation self-regulatory law requiring registration only by specified organizations holding the most sensitive data. This group includes the entire public sector, financial institutions, and agencies dealing with credit information, debt collecting, and computer bureaux. It also includes data controllers holding sensitive data, such as drug testing data on patients, and the health records on workers in food plants or potentially toxic environments, like a chemicals factory. Companies in these sectors in particular will gain a better understanding of their obligations by attending the Privacy Laws & Business conference in Dublin on February 9th.*

Here, we will focus on the timetable for bringing the law into force as announced by Donal Linehan, the Data Protection Commissioner, at the Privacy Laws & Business conference on October 19th. A copy of his paper is available from the Privacy Laws & Business office.

1. The Data Protection Commissioner was appointed on July 22nd.

2. He then had to establish his office and appoint his staff.

3. The next stage has been the making of regulations, for example, to cover fees, the right of access to health data and the procedures for registration.

4. In December, the Commissioner plans to publish the registration forms together with an explanatory note. There will be five registration forms covering: data controllers and processors, purposes for holding name-linked data, data processing bureaux, amendments to organizations' registration applications, and continuation of registration.

5. In January 1989, registration will begin and continue for a period of three months. Also in January, the Irish government plans to deposit its instrument of ratification for the Council of Europe Convention in Strasbourg.

6. In April 1989, the Act and its regulations will come fully into force together with Ireland's ratification of the Council of Europe Convention.

* Privacy Laws & Business is organizing, in association with the Confederation of Irish Industry, a conference on Ireland's Data Protection Act in Dublin on February 9th. This conference will focus on companies' obligations under Ireland's Data Protection Act and the registration process. For further details, please contact the Privacy Laws & Business office.

Luxembourg: The most significant developments over the last year in Luxembourg relevant to companies have been:

* The ratification of the Council of Europe Convention (PL&B February '88 p.2) on February 10th, which came into force on June 1st this year. This has led to the amendment of Luxembourg's data protection law to ban the collection and storage of name-linked data revealing racial origin.

* The data protection Consultative Commission has issued standard rulings for name-linked data held by the banking sector, insurance companies, company accountants, and lists of members. It has waited for the completion of the Council of Europe Recommendation on Employment Records before tackling this sector.

* Robert Biever, President of the Commission since 1982, resigned from his post at the end of 1987 and was replaced by René Faber, Secretary General of Techno-Arbed Luxembourg, who has been a member of the Commission since 1980.

2. Countries planning data protection laws/rules

Netherlands: On November 29th, the Committee of the Upper House of the Netherlands legislature approved the Data Protection Bill (PL&B August '88 p.9), which was adopted by the Lower House of the States General on September 8th 1987. It is expected that the Bill will be finally approved in a debate in the Upper House scheduled for January 24th 1989. See a full report on page 11.

NEW-STYLE DATA PROTECTION LAWS: CONVERGENCE OR RADICAL CHANGE?

Fifteen years separate 1973, when Sweden passed the world's first national data protection law covering the public and private sectors, and November 1988 when Australia passed its privacy legislation. Will the Swedish model of a comprehensive law, followed by most European countries in the 1970's and 1980's, converge with the self-regulatory privacy codes favoured in the USA, Canada, and Australia in a middle way: self-regulation within the law? Alternatively, do the second generation Finnish and Irish laws - soon to be followed by the Netherlands - represent a

In 1973, the main fear was that individuals' records were being held on mainframe computers, and that they had no way of finding out that these records existed. Not only was there no way to gain access, there was no way to ensure that individuals had a right of access. At that time, organizations considered that they owned the files, and gaining access was considered an infringement of the data owner's property rights. This is still the legal position in half the members of the EEC which have no data protection laws (Belgium, Greece, Italy, the Netherlands, Portugal and Spain).

The Swedish model of a mass registration system was designed to give new rights to data subjects, and new rules for public and private sectors:

1. The existence of every data base in the country holding name-linked records would be centrally registered (does a file exist?).

2. The Data Protection Authority has the power to give permission for file keepers to maintain certain sensitive files.

3. Individuals are able to find out the types of data files each organization holds on them (what sort of files are they?).

4. Individuals can establish if the organization holds a file on themselves (have they got a file on me?).

5. Individuals have a right of access to files on themselves (I demand to see a copy of your record on me).

6. Data subjects have a right of correction, or at least a right to record their version of the facts if the parties cannot agree on the facts (I demand to put the record straight).

This Swedish model was very influential in the way that legislation was drawn up and enacted in France, Denmark, Norway and Austria in 1978, Luxembourg in 1979, Israel and Iceland in 1981, the UK in 1984, the Isle of Man and Guernsey in 1986, and Jersey in 1987.

Germany — the odd man out?

Five years ago the German data protection law, passed in 1977, was seen as being the odd man out. One can now see with hindsight that it has many of the characteristics of what are now called second generation laws requiring a degree of self-regulation within the law.

The main principle in the German law is that the processing of personal data is permitted if the law allows it, or the individual has given his consent. This is different from the other countries which make the legal processing of name-linked data conditional on the file being registered with a central authority. In addition, in the German law:

* the data subject must be informed of the contents of a file when data on him is stored for the first time, unless he already knows about it;

* the data subject has a right of access to his data file for a minimal fee;

* incorrect data must be corrected;

* a data subject may erase data that is of doubtful accuracy, where the original need for its storage no longer applies, or where the data was not legally permitted;

* personal data must be protected by adequate security measures.

Why should the German law be regarded as self-regulatory? The reason is that the law requires any company carrying out a significant amount of processing of name-linked data to appoint a Company Data Protection Controller. The Controller must report to top management but be independent of it while carrying out his functions as Controller.

These principles have been worked into the new law in Finland, passed in February last year; the new law in Ireland, passed last July; the bill about to be passed in the Netherlands; and the Swiss bill which will soon begin to be considered in the Swiss parliament.

Why the Shift to the Self-Regulatory Model?

Why has there been such a shift in approach in the last few years? There have been three major factors: the rapid growth of microcomputers; the practical limits to enforceable regulation; and a reappraisal of data protection laws as alleged barriers to the free flow of data.

In short, the factors behind the shift towards second generation data protection laws can be best explained in terms of what is feasible in a democratic society. Legislators have asked themselves: what is manageable, what is affordable, what should we concentrate on to achieve maximum results with limited resources?

Are the old-style laws converging with the new?

Will codes of practice and sectoral recommendations converge in the future with new-style debureaucratized data protection authorities? I think not. Self-regulation does not successfully work in the nuclear power industry, the stock markets, or any other area of life where there is inherent conflict between corporate and consumer interests. There may be common interests, for example, in the field of data security to counter hacking and computer viruses. Independent data security audits could play a useful role in the absence of legislation, and could even check on a company's adherence to the OECD Guidelines on the Protection of Privacy. But the case for self-regulation alone remains unproven.

New-style data protection laws do represent a radical change from the old-style laws in that they offer a more meaningful role for corporate self-regulation. But by itself, self-regulation is not enough. There will always be a need for dissatisfied data subjects to appeal to an independent ombudsman figure. While the traditional European approach may be seen as too legalistic and expensive, legislation is still needed to raise the awareness of data owners to their responsibilities to maintain high standards and comply with data protection principles.

In short, if the job of data protection is to be done, it requires legal requirements and legal sanctions. The challenge for companies is how, in practice, to manage self-regulation within the law.

Note: This is an edited version of the introductory address by Privacy Laws & Business on the theme of our conference - Data Protection in Ireland, the Netherlands and Switzerland: Managing Self-Regulation Within the Law, held on October 19th in London. The papers are available from our office.

THE NETHERLANDS DATA PROTECTION BILL

The Data Protection Bill's Current Status

The Data Protection Bill was accepted by the Lower House of the Dutch parliament in September 1987 and was then passed to the Upper House. The Upper House does not have the power to amend the bill and can only say yes or no. The bill is currently at the committee stage where questions are put to the government which will be followed by a general debate. I expect this debate will take place in the course of November or December and that the bill will be passed by parliament around the end of the year.

The Background to the Bill

In order to understand this legislation, it is important to understand its history. In 1971 there was a periodical census in the Netherlands, and a large proportion of citizens refused to co-operate. Some individuals were brought to court on criminal charges. Finally this case was dropped, but it created a big political row.

Since this refusal to cooperate with the census was obviously related to privacy worries, the government promised to set up a Royal Commission (the Koopmans Commission), to study the problem. The Royal Commission issued its report in 1976. It contained a draft bill and commentary following the Swedish model with a licensing system.

In 1975, just a year before that, the government, expecting that it might take some time to collect comments, and that another approach might have to be taken, decided to lay down a policy of self-regulation for central government files. The rationale was that it was not necessary to wait for formal legislation to be passed by parliament. Instead the government could introduce self-regulation in the form of provisional measures for the protection of privacy. As a result, the government issued guidelines saying that no personal data file, no automated file should be kept in the central administration without complying with a published set of rules laid down by the controlling authority.

These guidelines are still in effect and still working and there are now about 200 or 250 different regulations for automated personal data files in the central government. These regulations are not perfect. They are provisional. But they have led the way in establishing clear practice in the direction of data protection legislation. The example was followed by local government, provincial government and municipal government, and by several sectors of private industry. So self-regulation in data protection is a well-established practice in the Netherlands.

In addition, under a general heading of civil law, criminal law, and administrative law, we've had cases, and a growing number of cases, in which courts have given their decision on privacy matters. So on top of self-regulation practice we have had, in the absence of formal legislation, many precedents dealing with the subject.

Privacy Laws ft BusinessNovember 1988 11

In 1981 fin a lly , the government submitted tha f i r s t data protection b i l l . Not the currant one, but the one which was baaed on the report outwitted 5 years before, which followed the Swedish approach.

I t net severe c r i t ic is a , not only in parliaaant but also outside parliament. I t was f a i t to be too bureaucratic and too complicated. In addition, i t was f a i t that i t s scope was too lim ited because i t dealt wiJ‘ only automated f i le s . Moat people fe lt tha t with a subject like th is the regulations should not be limited to automated f i le s because i t la a general problem, which should be addressed in a general way.

Finally, we had a change of constitution. The Dutch constitution was revised and a new text promulgated in 1983. It contained a general provision on the right to respect for privacy and in addition laid down an obligation to legislate on the protection of privacy regarding personal data. This bill is meant to give effect to the constitutional provision, and is intended to give effect to the Council of Europe Convention as well.

The Data Protection Bill

1. Scope

We have deliberately tried to come up with a regulation which is as simple as possible. The scope of the bill is much wider than the original:

* This bill covers automated and non-automated files as well. In the latter case, a file has been defined in such a way that it covers data which is systematically accessible and structured.

* It is concerned with physical persons only and the definition of personal data follows that of the Council of Europe quite closely.

* It relates to the public and the private sectors, and in substance it makes little difference; the main provisions apply to both sectors.

* It contains some exemptions - it does not apply for instance to personal data which by its nature is intended for personal or domestic use. Examples are the typical private notebook in computer form, and things which by their nature happen at home. This exemption does not apply to a businessman working at home. This is an example of data protection meeting privacy protection. In this instance we have chosen privacy protection rather than data protection.

We have excluded data files which are intended solely for use in the supply of information to the public by the press. This provision enables a reconciliation between freedom of information and privacy principles. There, it is freedom of information saying stop to data protection.

We have exempted the police and the secret services - not completely, but there will be a special Act in the former case, and there is already one in the latter case, dealing with privacy protection in these fields.

2. Material Standards

The bill addresses the controller along the lines of the Council of Europe Convention and it deals with the processor, who is more or less the computer bureau in the UK legislation. The Act contains material standards which are directly applicable - they may be applied directly or they may be enforced - applying to all these personal data files.

The "iron triangle" of data protection principles is reflected in the text:

Firstly, the purpose should be specific, specified and legitimate. In the case of a file set up by a government agency, it should be necessary for the task of this particular agency.

Secondly, the file may contain only data which is in accordance with that purpose. The data should be obtained fairly and legitimately; and in the case of a government agency the data should be necessary for the purpose of the file. There should be necessary measures to ensure accuracy and completeness. All this has been written down in very short statements of principle.

Thirdly, data may be used only in a way compatible with the purpose of the file.

3. Sensitive Data

The bill does not go into details as far as sensitive data is concerned - further rules will be laid down within a year. Three years later - as stated in the bill - there should be a change in the law with provisions dealing with these sensitive matters. Frankly, we did not manage to work out these rules before introducing the bill and this is just a procedure to agree on a solution.

4. Data Security

There is a section stating the responsibility of the controller in terms of security. He should take the necessary technical and organisational measures to maintain security, according to the technical possibilities, the nature of the file and so on.

5. Transfer of Data to a Third Party

There are provisions in part 3 of the bill dealing with the communication of information to third parties. The basic rule is that the transfer of data to a third party may take place only if it follows from the purpose. In addition to that, such a transfer may take place under a statutory requirement, typically taxes and social security, and with the consent of the data subject. This consent should be specific and in writing after the data subject has been given proper information.

For special cases we have some provisions for statistics, emergencies etc. Section 13 deals with information bureaux, the typical case where the purpose of the file is communication of data to third parties. Section 14 deals with the transfer of names and addresses, which may be communicated in certain situations but not if the data subject has objected.

6. Codes of Conduct and Registration

These provisions are very general. We wanted to differentiate according to sectors because these rules have to be applied to the specific problems of each sector. A way to do that is to allow for self-regulation, which is envisaged on two levels in this bill. If the Data Protection Act is seen as the top level, then there is self-regulation on both the middle level, the sector level, and at the base, the data processing file level.

6.1 The Sector Level

On the middle level there is a chapter (Part 4) dealing with codes of conduct. Codes of conduct may be developed without the law saying so. But according to section 15 the code of conduct may be submitted for approval to our data protection authority, the Registration Chamber. Then the authority will have to check:

* whether the organisations submitting the code are sufficiently representative of the sector to which the code applies.

* that the code has been drawn up with due care and with adequate consultation with other interested organisations. So if, for example, a social research association submits a perfect code but has given no-one else an opportunity to comment, then approval will not be possible. It is a mechanism to promote a process of bargaining.

* that the code is in conformity with the Data Protection Act, and fulfils reasonable requirements for the protection of the privacy of data subjects.

A code of conduct approved by the Registration Chamber is not legally binding but in practice it will have considerable authority. The more care given to the preparation and procedure according to which it is approved, the more authority it will have. So a controller or institution which wants to forget about this code might run into problems.

The approval of the Registration Chamber is valid for only 5 years. After this time the code will have to be re-submitted for approval if the organisation would like to work within its approved framework.

In section 16 there is an interesting sanction. If a sector does not develop a code of conduct where the Registration Chamber thinks it necessary, or where a code has been developed but is not enforced in practice, then the government may step in and lay down binding rules. This is possible only after 3 years, to give organisations time to develop their own codes of conduct. The explicit purpose of this provision is to give leverage to promote self-regulation.

6.2 The File Level

The bill also covers self-regulation on the base level, that of the data processing file. In parts 5 and 6 of the bill there is a distinction between the public and the private sectors.

In the public sector, including education, health care and the like, there is a duty to lay down regulations, formal rules, the subjects of which are spelled out in the law - purpose, content, transfer to third parties etc. These rules should be made public, and notification given to the Registration Chamber. These rules are binding on the controller, an outside data processing bureau and all others involved in the file. All have to comply with these regulations. Clearly, it is dangerous to lay down rules and forget about them because that would lead to illegal conduct. It is possible to change the regulations but of course these regulations have to be in conformity with the law, they have to be published, and new notifications sent to the Registration Chamber.

In the private sector there is a duty to give notification with a formal form which, in the way it has been worked out, is very close to the formal regulations for the public sector - only it will be much simpler. It will deal with the same subjects (purpose, content, use etc.) and the notification will be binding on the controller and his entire organisation. Once he has issued his notification to the Registration Chamber it is binding. It is public, so interested parties may go to court and ask for enforcement.

6.3 Exceptions

There are interesting exceptions for both public and private sectors because we felt that a law with such a wide scope, covering all automated and manual personal data, could never impose a duty of regulation and notification to the fullest extent. So we adopted a rule of thumb that the obvious does not have to be regulated, or notified. That is why there is an exception for these obvious cases like staffing and payroll systems, accounting systems, subscription records, membership and things like that. There will be an administrative order - executive regulation - giving the exact description of the standard cases which do not have to be notified.

The policy idea is that about 80% of the files will be covered by an exception so the Registration Chamber will be able to concentrate on the exceptional rather than the obvious cases. Again, the controller has his choice - he can choose to be covered by the standard. Alternatively, he can say that he has special reasons for doing it in a different way. In that case he has to notify the Registration Chamber - that is implicit self-regulation. The purpose is obvious - to limit bureaucracy and to concentrate limited funds on high priority tasks.

7. Rights of Information and Correction

The provisions on the rights of information and correction impose a duty on the controller to notify a person that data on him has been entered into a file for the first time - but again there is an exception that the obvious does not have to be reported. If a data subject is aware of the existence of a file, then notification is not necessary:

* If I take a subscription to a newspaper then the newspaper does not have to tell me that I am on the subscribers' list.

* It is possible, for instance in banking and credit institutions, to give advance information that asking for credit will lead to credit reporting at a certain credit information organization.

The right to information includes information stored on the source of the data, and the communication of the data to third parties. Third parties in the Netherlands bill includes other legal persons. Once again, the controller does not have to state the obvious - if every month or every year there is communication of salary data to the tax authorities, or wages are being paid, he does not have to give such information to the data subject.

His duty is greater when data of a very sensitive nature is involved. When a medical file is involved, the controller has a much wider duty of care than when only names and addresses are involved, provided the addresses do not relate to a group which has a very sensitive background.

8. Enforcement

8.1 Penal Sanctions

There are only a very few penal sanctions to be found in this bill. Practically the only duty subject to penal sanction is to notify the existence of a file and to lay down regulations. Having a black list would be illegal and would lead to penal sanction.

8.2 Informal and Civil Sanctions

Aside from that, it is purely a matter of informal and civil sanctions. A data subject may go to the Registration Chamber and ask for an investigation. The Chamber has full powers to investigate the case. It may then recommend a certain course of action to the data protection controller and it may make this recommendation public. It will give the outcome of the investigation both to the controller and to the complainant. This has been done in a deliberate effort to trigger off a civil case if the controller does not follow up the recommendation. But the Registration Chamber does not have the power to go to court. It may use informal sanctions to bring pressure - like going to the press - but it does not have the power to go to court. Instead we have included sections 9 and 10 in the Act which make it easier than usual for interested parties to go to court.

8.3 Damages

Section 9 deals with liability. First of all, on top of normal tort liability, it allows for immaterial damage. In section 9.3 there is a provision on strict liability for a controller of the file. The controller will be held liable for any damages, material or immaterial, resulting from acts or omissions which are contrary to the rules of the Act or contrary to the rules in the regulations or the notification requirement. The liability of the controller even covers computer faults, and any actions or omissions at a computer bureau. A processor or computer bureau shall be liable for any loss or damage resulting from his actions.

8.4 Rights for Legal Persons

According to section 10, not only the data subject himself but also legal persons like consumer unions, labour unions, and civil liberty groups may act to protect their interests. This is a mechanism growing in importance in the Netherlands and we expect it to work well in the area of data protection.

9. International Transfers of Data

Sections 47, 48 and 49 deal with international aspects. In principle, the Dutch Data Protection Act will apply to everything that happens on Dutch territory.

In addition, the law will apply to a personal data file not located in the Netherlands but kept by a controller established in the Netherlands. If a Dutch insurance company has its data in Germany or the UK, Dutch law would apply to the controller and to the data. It should make no difference whether the data is being stored in the UK, Germany or wherever around the world. In the above examples, German and UK law may also be applicable. In section 47.2 the Minister of Justice, having consulted the Registration Chamber, may give an exemption in a specific case. That is just a way to accommodate possible conflicts of law.

Another case of a Minister of Justice exemption, covered by section 48, is where a controller outside the Netherlands, say in the USA, Australia or South America, may have his data in the Netherlands because a computer is located there as part of a worldwide network. Then it would not be very practical to apply Dutch law, provided that there is proper security in the Netherlands bureau and provided that there are adequate safeguards for the privacy of the data subject. The Data Protection Bill therefore ensures public order, as the Netherlands does not want to be a data haven.

We do not have a provision laying down the requirements for a licence on transborder data flows. There is only, in section 49, the possibility of an emergency brake if a file is set up in another country in an effort to circumvent Dutch law. If such a transfer of data has a serious adverse effect on the privacy of the persons concerned, then any communication back and forth to that file may be banned under criminal sanctions.

10. Summary

In short, the bill consists of general provisions and self-regulation, but with the sword of Damocles in terms of enforcement. No criminal cases, because the courts are blocked. In terms of crime, data protection is relatively unimportant. In civil cases, the outcome may be heavy sanctions. In theory the court may say, stop the operation or change the system. The idea is that the controller will look ahead and build in a certain margin of data protection and work out what is really necessary; this is again a kind of self-regulation.

This is an edited version of a paper given by Mr Peter Hustinx, Legal Advisor on Public Law, the Netherlands' Ministry of Justice, The Hague, at the Privacy Laws & Business Conference on October 19th in London.

POLITICS TRIUMPHS IN AUSTRALIA'S NEW DATA PROTECTION LAW

After a decade of indecision, bureaucratic stalling and political controversy, Australia has at last joined much of the rest of the industrialised world in enacting national data protection legislation. Graham Greenleaf examines the new law.

In November the Commonwealth Parliament passed the Privacy Act 1988. The Act only applies to the Commonwealth (Federal) public sector, and not to State government agencies nor to the private sector. It can therefore only be considered a "first instalment" toward Australia's compliance with the OECD Guidelines or eligibility to ratify the Council of Europe Convention. However, it does cover both computerised and manual records.

A vindication of the political process

The Act is a very significant improvement on both the Draft Privacy Bill recommended by the Australian Law Reform Commission in its 1983 Privacy Report, and on the Privacy Bill 1986. The 1986 Bill was introduced into Parliament by the Government as part of a package with the defeated national Identity Card (ID) proposal, the so-called "Australia Card." It contained many subtle qualifications, and some serious omissions, designed to ensure that it would be ineffective, by a Commonwealth bureaucracy and a Labour Government indifferent to privacy.

However, the rejection of the ID Card left the Government desperate to enact some measure of information surveillance through an enhanced Tax File Number, to attempt to reduce tax and social security fraud. Faced with a hostile upper house (the Senate), the Government was forced to accept substantial amendments to the Privacy Bill as the political price for the passage of its Tax File Number legislation. On this occasion the political process has, on balance, resulted in informed amendments which favour individual liberties against the extension of bureaucratic control.

Structure of the Act

The core of the Act consists of eleven Information Privacy Principles which are enforceable against Commonwealth government agencies. Individuals may enforce the Principles by injunctions, and may obtain compensatory damages for any loss or damage caused by a breach of the Principles. The Act creates a Privacy Commissioner, who will have power to investigate complaints of breaches of the Principles and to seek injunctions against agencies to enforce them, as well as other functions. There are few exemptions from the Principles stated in the Act. Instead, any agency may seek an exemption from some part of the operation of the Principles on the grounds of public interest, by application to the Privacy Commissioner, who will then make a Public Interest Determination after hearing from interested parties.

The Act does not include a registration system involving either prior approval (the strong Scandinavian model) or prior notification (the weak British model). Instead, Principle 5 requires each agency to maintain a record stating the nature, purpose, access and disclosure conditions etc. for each type of record, and to make it available for public inspection. Agencies must also make a copy of the record available annually to the Privacy Commissioner, who will publish an annual Personal Information Digest of such details.

The Act also contains numerous specific and parallel controls on the use of the Tax File Number, including its use in the private sector. In the European usage, this is sectoral legislation interwoven into the general Act, and it will not be discussed here. It is significant, however, that it gives wide delegated legislative powers to the Commissioner to prepare enforceable Guidelines on the use of the Tax File Number, applicable to both public and private sector users.

The Information Privacy Principles

The eleven Information Privacy Principles (s14) are similar in many respects to the principles contained in the New South Wales Privacy Committee Guidelines (1978), the OECD Guidelines (1980), the Council of Europe Convention (1980) and the United Kingdom Data Protection Act (1984). The Principles are paraphrased below.

Principle 1 Agencies must not collect personal information unless: (i) it is collected for a lawful purpose directly related to a function or activity of the agency; and (ii) the means of collection are lawful and fair.

Principle 2 Agencies must ensure that people from whom they solicit personal information are generally aware of: (i) the purpose of collection; (ii) any legal authority for the collection; and (iii) any third parties to which the collecting agency discloses such information as a usual practice.

Principle 3 Where an agency solicits personal information (whether from the subject of the information or otherwise), it must take reasonable steps to ensure that the information is (i) relevant to the purpose of collection, up-to-date and complete; and (ii) its collection does not unreasonably intrude upon the person's affairs.

Principle 4 An agency must protect personal information against misuse by reasonable security safeguards, including doing everything within its power to ensure that authorised recipients of the information do not misuse it.

Principle 5 Any person has a right to know whether an agency holds any personal information (whether on him or her or not), and if so (a) its nature; (b) the main purposes for which it is used; (c) the classes of persons about whom it is kept; (d) the period for which each type of record is kept; (e) the persons who are entitled to have access to it, and under what conditions; and (f) how to obtain access to it. Each agency must maintain an inspectable register of this information, and must inform the Privacy Commissioner annually of its contents.

Principle 6 A person has a right of access to personal information held by an agency, subject to exceptions provided in the Freedom of Information Act 1982 or any other law.

Principle 7 Agencies must make corrections, deletions and additions to personal information to ensure that it is (i) accurate; (ii) relevant, up-to-date, complete and not misleading (given the purpose of collection and related purposes), subject to exceptions provided in the Freedom of Information Act 1982 or any other law. Agencies are also required to add a reasonable statement by a person to that person's record, on request.

Principle 8 Agencies must take reasonable steps to ensure that personal information is accurate, up-to-date and complete (given the purpose of collection and related purposes) before using it.

Principle 9 Agencies may only use personal information for purposes to which it is relevant.

Principle 10 Agencies may not use personal information for purposes other than that for which it was collected, except (a) with the consent of the person; (b) to prevent a serious and imminent threat to a person's life or health; (c) as required or authorised by law; (d) where reasonably necessary for the enforcement of criminal or revenue law; or (e) for a directly related purpose. In the case of exception (d), but not otherwise, the use must be logged.

Principle 11 Agencies may not disclose to anyone else personal information, with the same exceptions as apply to Principle 10 (a) - (d), plus an additional exception where the subject of the information is reasonably likely to be aware of the practice of disclosure (or reasonably likely to have been made aware under Principle 2). The recipient of information under one of these exceptions may use it only for the purpose for which it was disclosed.

The use and disclosure Principles (10 & 11) do not apply to information which has already been collected.

Enforcement of the Principles

Agencies are prohibited from breaching the Principles (s16), thereby opening the way for individuals to seek to enforce their observance. Any person may seek an injunction from the Federal Court to restrain an agency (or any other person) from contravening the Act, or to require a person to take actions so that the Act will not be contravened (s98). It is therefore not only actual data subjects, or only persons who have suffered or are likely to suffer harm because of the breach, who can enforce the Principles.

Individuals may also complain to the Privacy Commissioner of an "interference with privacy" (s36). "Interference with privacy" is defined so that it includes only a breach of the Principles or a breach of the Guidelines concerning Tax File Numbers (s13). If the Commissioner finds the complaint substantiated he or she may seek to conciliate (s27), or may make a declaration that the agency should desist from further breaches, perform actions to remedy any loss or damage suffered by the complainant (s52) or pay compensatory damages to the complainant (s52). Complainants may also be awarded payment of expenses incurred in pursuing a complaint, irrespective of the declaration made (s52(3)). Such declarations are binding on the agency concerned (ss55-56). Complainants can recover compensatory damages and costs as a debt (s57), and can enforce other determinations in the Federal Court (s59). Both a complainant and an agency may appeal against a decision of the Commissioner to the Administrative Appeals Tribunal (s58), and thence to the Federal Court.

"Representative complaints" may be made on behalf of more than one person (s36(2)), but in that case damages may not be awarded (s52).

The Commissioner may also investigate possible breaches of the Principles or Guidelines on his or her own initiative (s40(2)). If the agency concerned fails after 60 days to comply with any recommendations the Commissioner makes, the Commissioner may have a report tabled in Parliament in a further 15 days (s30). He or she may also seek an injunction from the Federal Court to remedy any breaches found (s98), without any need to delay. The ever-present possibility of an injunction could be expected to make agencies take s30 recommendations somewhat more seriously than they might otherwise be disposed to.

The range of measures available to enforce the Principles is therefore comprehensive, ranging from persuasion to injunctions and, most importantly, damages. They are also a judicious blend of what Norway's Knut Selmer characterised at the 1988 Data Protection Commissioners' Conference as "the American approach of enforcement by individual initiative, and the European approach of enforcement by a government authority."

The Privacy Commissioner

The Privacy Commissioner is to be appointed by the Government for a seven year term (s19), and is to be part of the existing Human Rights and Equal Opportunities Commission.

Almost all of the Commissioner's functions (s27) are related to, and therefore limited by, references to "interferences with privacy", the meaning of which is limited to breach of the Principles and breach of the Tax File Number Guidelines (s13). The Act does not give the Commissioner any significant role concerning "invasions of privacy" outside these two specific categories. Any limitations in the scope of the Principles will therefore have a direct effect on the Commissioner's functions. In contrast, the New South Wales Privacy Committee can investigate any type of "interference with privacy," but has very limited enforcement powers.

Subject to this very strict limitation, the more significant functions of the Commissioner are: to attempt to settle complaints by conciliation; to examine proposed Acts when requested to do so by a Minister; to monitor developments in computing, including data-matching and data-linkage; to audit records of agencies for compliance with the Principles; to examine data-matching or data-linkage proposals on request by a Minister; and to encourage corporations to adopt the OECD Guidelines voluntarily.

Outside enforcement of the Principles, discussed above, the Commissioner's ability to take independent action to warn the public of dangerous developments threatening privacy is very limited. His or her power to examine proposed legislation or proposed data-matching and data-linkage practices is limited to when requested by a Minister, and even then there is no right to report to the public or Parliament on what was found. The Commissioner must make an Annual Report to Parliament on the operation of the Act (s97), and may presumably there give details of the exercise of every one of his or her functions. There is no equivalent to the NSW Privacy Committee's right to make public statements on matters concerning privacy generally.

There will also be a Privacy Advisory Committee of 6 part-time members appointed by the Government, but with a majority coming from outside the public sector (s82), and chaired by the Commissioner. The Committee can give advice to the Commissioner, but has no independence from the Commissioner whatsoever, being unable even to meet without the Commissioner's consent, and unable to make its own report to Parliament.

Exemptions from the Principles

The Act contains few express exemptions from the operation of the Principles. The main exemptions are: those in the use and disclosure Principles (10 & 11), as listed above; the exceptions to the subject access and correction Principles (6 & 7) imported from the Freedom of Information Act; the exemption of some agencies in respect of their commercial activities; and a blanket exemption emanating from them (Part 11).

Instead, one of the main functions of the Privacy Commissioner will be to make the detailed decisions as to whether to exempt specific agencies from parts of the Principles for certain activities, on the grounds of public interest. The Commissioner is empowered to make such an exemption where the public interest in an agency breaching a Principle "outweighs to a substantial degree" the public interest in adhering to the Principle (s72). Such a "Public Interest Determination" means that such acts are deemed not to be a breach. The onus is properly left with the agency seeking exemption. The Commissioner must publish any agency application for a Determination (s74), take account of any submissions received (s79), and hold a conference on the application if any person so requires (s76).

This is one of the most novel features of the Australian Act. In principle it seems to be a sensible compromise between the desire for very general Principles which in most cases can be applied strictly, and a recognition that Principles of such generality will inevitably need some exceptions, given the diversity of governmental activities that they regulate. The creation of a public arena where the details of the proper scope of data surveillance and data protection can be debated and developed continually on a clear basis of public interest criteria, but with procedural flexibility, seems to be a sound solution.

However, the implementation of the Public Interest Determination procedures is one of the weakest parts of the Act, because these procedures are still blatantly biased in favour of agencies seeking exemptions.

An agency may apply for a determination under s72 in relation to such acts and practices as it decides (s73), but the Commissioner can only either dismiss the application or give it unconditional approval (s78). The Commissioner cannot impose conditions on allowing a breach of the Principles, nor even allow such breaches on condition that the matter be re-examined after a period of time. Nor is there any provision for the Commissioner or anyone else to re-open the application. Since exemptions from the Principles are inherently undesirable, this is clearly unsatisfactory.

Further evidence of bias is found in the requirement that the Commissioner make a draft determination only on the evidence of the applicant agency (s75); that agencies can have legal representatives at conferences but individuals cannot (s77); and, most extraordinarily, that an agency can suppress the disclosure of evidence on which its application is based to those who wish to contest it merely by claiming that the information is exempt under the "Freedom of Information Act" (s74)!

The Commissioner's Determinations may be disallowed by Parliament (s80), which is entirely appropriate for what is, in effect, the making of delegated legislation. Ultimately, therefore, any exemptions from the Principles must run the gauntlet of Parliament.

An initial appraisal

The political process seems to have served the Australian public well, in so far as the Privacy Bill has been converted from a travesty of data protection into what is in many respects a very strong Act, although one limited in scope. Such novel and complex legislation cannot be expected to be perfect, and the Privacy Act will need amendment, particularly in relation to Public Interest Determinations.

The Act allows the Commissioner, individual citizens, the Courts, and even Parliament to each play a continuing role in the development of data protection law within its framework. There is ample scope for them to make the Act a powerful weapon to protect individual liberties.

Graham Greenleaf is a Lecturer in Law at the University of New South Wales, Australia, and is a Member of the New South Wales Privacy Committee. He was the first Australian representative to attend the annual meeting of Data Protection Commissioners, held this year in Oslo in September.


THE CASE AGAINST CANADA'S PRIVACY ACT COVERING FEDERALLY REGULATED COMPANIES

... the Canadian Act does protect only ... federal ... cover both the ... currently considering legislation, are evaluating both models. ... data protection legislation should extend to some or all state ... and whether it should be extended to the 25,000 state ... like banks.

This question is relevant only where a data protection law is restricted to government agencies. Where a law covers both public and private sectors, then it extends automatically to state-regulated organizations also.

The argument in favour of extending a data protection law to state-regulated organizations is that by doing so, a government shows that it supports applying the principles of data protection to all organizations over which it has direct supervision. If a policy is correct, like non-discrimination against minorities, then it should be implemented in every organization where the state has control or influence. The argument against is based, first, on a belief that self-regulation should be given a chance to work and, second, on the view that extension would require more staff and financial resources than would be available.

John Grace, the Privacy Commissioner, in his annual report published in the summer, explains why he is against extending the Privacy Act to the federally regulated sector:

"A broadening of the Privacy Act's universe beyond government would, of course, be justified by demonstrable and endemic abuses of privacy.... The possibilities of violation are enormous and such nervousness is entirely prudent. Yet, while the dangers are real, the heavy hand of regulation should only be imposed if the private sector does not voluntarily take steps to address them." In particular, he calls upon companies to scrupulously adhere to the data protection principles in the OECD Guidelines:

"Banks and their credit card associates, for example, have recognized that a high standard of privacy protection is simply basic good business. Thus, along with other businesses, they are developing, albeit slowly, their own codes of fair information practice. Privacy codes have also been adopted by the cable television, direct marketing and information processing industries."

"In another business sector, at the initiative of the Canadian Radio-Television and Telecommunications Commission, privacy protection provisions have been written into new telephone company regulations. The CRTC's action provides a model for other regulators...."

"The general principles enunciated in broadly-applied legislation may not well serve diverse groups, for example, it is highly doubtful that the Privacy Act...can be an effective code of fair information practice at the same time for, not only video stores, but the direct mail industry, credit bureaux and cable television."

Data Protection Law, by Simon Chalton and Shelagh Gaskill

Data Protection Law is a useful reference book written by practising solicitors for any legal professional who wants to achieve a good understanding of the United Kingdom Data Protection Act. It packs into 530 pages a detailed analysis of the background and each provision of the UK Act. It also reproduces in full the texts of the UK, Isle of Man and Jersey data protection laws. Its length, layout, detailed approach and style make it suitable for lawyers and data protection managers in larger organisations who need to have a thorough understanding of the law. The formal layout and rather long sentences could make it heavy going for those data protection managers seeking to understand just enough of the law to submit their organisation's registration form to the Registrar's office. However, even such a user would find this book useful as soon as his organisation receives a difficult request for access to records, or is served with an enforcement notice by the Registrar and wishes to appeal to the data protection tribunal.

These pages are a repackaging of the heart of the Encyclopedia of Data Protection, a loose-leaf volume also published by Sweet and Maxwell. This book represents by far the best value for money. The rest of the encyclopedia consists mainly of material such as the Registrar's guidelines, which can be obtained free of charge from the Registrar's Office.

Published in 1988 by Sweet and Maxwell, 11 New Fetter Lane, London EC4. Tel 405 5711. ISBN 0 421 39820 5.

Managing Data Protection, by Dr C.N.M. Pounder, M. Kosten, S. Papadopoulos and A. Rickard

Managing Data Protection is extremely valuable for any manager who needs to both understand the UK law and implement it in his organisation. The book is rich in real life examples taken from the media to illustrate the data protection principles such as accuracy and relevance, and explains how they should be tackled. The book goes much further and provides a whole chapter on staff training with an outline of a seminar and a model employee leaflet. One chapter also has outlines for training specific groups like board members, systems designers and departmental liaison officers. One third of the book is devoted to data security with separate chapters on management strategy; the conditions necessary for physical security; software utilities, passwords, and access rights; microcomputers; and network security. The appendices contain model forms for an organisation's procedural review of its data processing activities to provide the information on which a corporate data protection strategy may be based.

The wealth of experience that the authors have poured into the book is clearly presented and accessible to any non-specialist, but with enough detail for most situations. The book's emphasis on how to manage the common privacy principles would make it a good buy for data protection managers in any country.

Published (1987) by the Chartered Institute of Public Finance and Accountancy, 3 Robert Street, London WC2N 6BH. Tel 01 930 3456. ISBN 0 85299 366 8.


PRIVACY LAWS AND BUSINESS 1987/88

COUNTRY INDEX

Australia........... Feb 88 p.23; Aug 88 p.32; Nov 88 p.2, 8, 18-23

Austria.............. Feb 87 p.2; May 87 p.10; Aug 87 p.3; Nov 87 p.13; Feb 88 p.7, 23; Aug 88 p.28; Nov 88 p.2

Belgium.............. Feb 87 p.5, 15; May 87 p.3; Feb 88 p.23; Nov 88 p.8

Canada............... Feb 87 p.5; May 87 p.3; Aug 87 p.21; Feb 88 p.23; May 88 p.5; Aug 88 p.7, 19, 22-24, 28, 32; Nov 88 p.2, 3 (Quebec), 8, 24

Cyprus............... Feb 87 p.1

Denmark.............. Feb 87 p.2; May 87 p.2, 10; Aug 87 p.3; Feb 88 p.7, 23; Aug 88 p.4, 28; Nov 88 p.4, 5, 8

Finland.............. Feb 87 p.7; May 87 p.14; Nov 87 p.3; Feb 88 p.3, 23; May 88 p.6, 19; Aug 88 p.4, 28; Nov 88 p.8, 9

France............... Feb 87 p.10; May 87 p.6, 10; Nov 87 p.13; Feb 88 p.24; Aug 88 p.28; Nov 88 p.5, 8

Germany.............. Feb 87 p.3, 11; May 87 p.10, 14; Nov 87 p.3, 14; Feb 88 p.3, 18; Aug 88 p.6, 29, 32; Nov 88 p.5, 6, 8

Greece............... May 87 p.6; Aug 87 p.3; Feb 88 p.6, 24; May 88 p.7; Nov 88 p.8

Guernsey............. Aug 87 p.4; Feb 88 p.24; May 88 p.6; Aug 88 p.29; Nov 88 p.8

Hong Kong............ May 88 p.7, 14; Aug 88 p.9

Iceland.............. May 87 p.10; Feb 88 p.24; Aug 88 p.29; Nov 88 p.8

Ireland.............. Feb 87 p.1; May 87 p.2, 4; Nov 87 p.5, 6; Feb 88 p.6, 24; May 88 p.8, 17; Aug 88 p.6, 29; Nov 88 p.6, 7, 8

Isle of Man.......... Aug 87 p.4; Feb 88 p.24; May 88 p.6; Aug 88 p.6, 29; Nov 88 p.8

Israel............... May 87 p.10; Feb 88 p.25; Aug 88 p.29; Nov 88 p.8

Italy................ May 87 p.2, 4; Feb 88 p.25; May 88 p.8; Nov 88 p.8


Japan................ May 87 p.5; Feb 88 p.25; May 88 p.8; Aug 88 p.22, 24-26

Jersey............... May 87 p.3; Aug 87 p.4; Feb 88 p.25; May 88 p.6; Aug 88 p.30; Nov 88 p.8

Luxembourg........... May 87 p.10; Feb 88 p.25; Aug 88 p.30; Nov 88 p.7, 8

Netherlands.......... Feb 87 p.7; May 87 p.2, 14, 18; Nov 87 p.5; Feb 88 p.6, 7, 25; May 88 p.9; Aug 88 p.9; Nov 88 p.7, 9, 11-18

New Zealand.......... Feb 87 p.7; Nov 87 p.5; Feb 88 p.25; May 88 p.9; Aug 88 p.30

Norway............... May 87 p.10; Aug 87 p.5; Nov 87 p.3; Feb 88 p.25; Aug 88 p.30; Nov 88 p.8

Portugal............. Feb 87 p.8, 20; May 87 p.5; Feb 88 p.26; Nov 88 p.8

Scotland............. Aug 87 p.17; Feb 88 p.19

Spain................ May 87 p.10; Feb 88 p.26; May 88 p.10; Nov 88 p.8

Sweden............... Feb 87 p.4; May 87 p.10, 14; Aug 87 p.6; Feb 88 p.4, 7, 16, 26; Aug 88 p.30; Nov 88 p.8

Switzerland.......... Feb 87 p.8; May 87 p.5; Feb 88 p.26; May 88 p.10, 11; Aug 88 p.9; Nov 88 p.9

Turkey............... Aug 87 p.20

UK................... Feb 87 p.4; May 87 p.10; Aug 87 p.7; Nov 87 p.4, 13; Feb 88 p.5, 26; May 88 p.6; Aug 88 p.7, 10-18, 30; Nov 88 p.8

USA.................. May 87 p.2; Aug 87 p.21; Feb 88 p.26; Aug 88 p.3, 32

SUBJECT INDEX

Amnesty International...................... Aug 88 p.5

Banking/Finance/Credit..................... Feb 87 p.2, 13; May 87 p.3 (Jersey); Aug 87 p.1, 9; May 88 p.12; Aug 88 p.2, 11, 22-26 (Japanese and Canadian banks); Nov 88 p.2 (Austria), 3 (Quebec), 4 (Denmark), 6 (Ireland), 16 (Neth), 24 (Can)


Checklists................................. Feb 87 p.9 (differences between national data protection laws), p.12 (national data protection manager); May 87 p.7 (international data protection manager), p.9 (differences between the Council of Europe Convention and the OECD guidelines); Aug 87 p.13 (direct marketing); Feb 88 p.23 (data protection roundup), p.27-28 (chart of laws & bills); Aug 88 p.27 (Council of Europe and OECD)

Codes of Data Protection Practice.......... Aug 87 p.10 (UK); Nov 87 p.10 (Ireland); May 88 p.3, 4; Aug 88 p.3 (IATA, Canadian Bankers Assoc., Japan's Financial Industry), p.6 (Ireland), p.8 (IPM), 15 (UK); Nov 88 p.14 (Neth)

Common Approaches to Data Protection....... Feb 88 p.7; May 88 p.4 (EEC); Nov 88 p.8-10

Complaints procedure....................... May 87 p.20 (Netherlands); Aug 87 p.8 (UK); Nov 87 p.8 (Ireland); Feb 88 p.15 (UK); May 88 p.13 (Switzerland); Aug 88 p.4-5 (Finland), p.10 (UK); Nov 88 p.21 (Australia)

Council of Europe.......................... Feb 87 p.1; May 87 p.2, 9 (differences between the Council of Europe Convention and the OECD Guidelines), p.13; Aug 87 p.2, 16, 20; Nov 87 p.2; Feb 88 p.2, 7 (Athens conf); Aug 88 p.2, 27 (checklist), 31 (dir)

Credit Information......................... Feb 87 p.3 (Denmark); May 87 p.15 (Finland); Aug 87 p.5 (Norway), 8 (UK); Nov 87 p.3 (Germany), 14; May 88 p.12; Aug 88 p.5, 12, 22-26 (see banking)

Data Security.............................. May 87 p.10 (Austria), 16 (Finland), p.19 (Netherlands); Aug 87 p.5 (Norway), 17 (Scotland); Nov 87 p.3 (Norway), 8 (Ireland), 14; Feb 88 p.19-22 (Scotland); May 88 p.3 (EEC); Aug 88 p.13 (UK), 19 (Canada), 21; Nov 88 p.13 (Neth), 20 (Aust)

Direct Marketing........................... May 87 p.13 (Council of Europe), p.16 (Finland); Aug 87 p.5 (Norway), 8 (UK), p.13 (European checklist), p.17 (Scotland); Nov 87 p.7 (self-regulation); May 88 p.12 (Switzerland); Aug 88 p.5 (Finland), 12 (UK); Nov 88 p.2 (Austria), 4 (Denmark)

Directory of International Organisations... Aug 87 p.26; Aug 88 p.31

Directory of National Data Protection Commissioners... Aug 87 p.23; Aug 88 p.28

European Economic Community................ Feb 88 p.2; May 88 p.3

Employment................................. Feb 87 p.1, p.10; May 87 p.5 (Italy); Aug 87 p.1 (C of E working party)

Enforcement................................ Feb 87 p.3 (Germany), 4 (UK, Sweden), 17 (Belgium); May 87 p.13 (self-regulation), 16 (Finland), 18, p.20 (Netherlands); Aug 87 p.6 (Finland, Sweden, Switzerland), 7, 12 (UK); Nov 87 p.4 (UK), 8, 12 (Ireland), 15 (ICI Compliance Programme); Feb 88 p.12 (Trade Unions), 18 (Germany); May 88 p.13 (Switzerland); Aug 88 p.13 (Council of Europe), 17 (UK); Nov 88 p.6 (Ireland), 16 (Neth), 20 (Aust)

Fees....................................... Feb 88 p.13 (UK); May 88 p.17 (Ireland); Aug 88 p.6-7 (Isle of Man)

International Data Flow.................... Feb 87 p.2 (Austria), 18 (Belgium); May 87 p.10 (Austria), 15 (Finland), 21 (Netherlands); Aug 87 p.9 (UK), 21 (USA and Canada); Nov 87 p.9, 11 (Ireland), 14; May 88 p.4 (OECD); Aug 88 p.4 (OECD)

Medical Files.............................. Aug 87 p.22 (Sweden and UK); May 88 p.17 (Ireland); Nov 88 p.6 (Denmark)

New Technology............................. Feb 87 p.2 (Council of Europe), 7 (Canada); May 87 p.13 (microcomputing); Nov 87 p.2 (Council of Europe); Feb 88 p.9 (Council of Europe); May 88 p.2 (Council of Europe); Aug 88 p.2 (Council of Europe)

Nordic Data Protection Authorities..Aug p.6

OECD....................................... Feb 87 p.1; May 87 p.2, 3 (Canada), 9 (differences between the Council of Europe Convention and the OECD guidelines), 17 (Finland); Feb 88 p.3; May 88 p.4; Aug 88 p.3, 22 (banking), 27 (checklist), p.31 (dir)

Pharmaceutical testing..................... May 87 p.16 (Finland)

Public/private sector...................... Feb 87 p.6-7 (Canada); Aug 88 p.14 (UK); Nov 88 p.3 (Canada), 4 (Denmark), 6 (Ireland), 15 (Australia)

Ratification of Council of Europe Convention... Aug 87 p.1; Nov 88 p.7 (Luxembourg, Ireland)

Registration/Notification/Declaration System... Feb 87 p.3 (Denmark), 4 (Sweden), 19 (Belgium), 20 (Portugal); May 87 p.15 (Finland), 18 (Netherlands); Aug 87 p.11 (UK); Nov 87 p.10 (Ireland), 13 (Austria, France, UK); May 88 p.11 (Switzerland); Aug 88 p.6 (Isle of Man), 13 (UK), 16 (UK), 18 (UK exemptions); Nov 88 p.14 (Australia)

Right of Access............................ Feb 87 p.2 (Denmark), 3, 11 (Germany), 17 (Belgium), 21 (Portugal); Nov 87 p.7 (Ireland), 17 (ICI); Feb 88 p.11, 13, 14 (UK); Aug 88 p.7, 17 (UK); Nov 88 p.2 (Austria), 15 (Neth)


Sensitive Data............................. May 88 p.17 (Ireland); Aug 88 p.15 (UK); Nov 88 p.5 (Denmark), 16 (Neth)

United Nations.....................

UNCITRAL................................... Aug 88 p.31 (address)

UNCTC...................................... Aug 88 p.31 (address)

Unsolicited Mail...........................
