Cameron, Julie --- "Draft Australian Privacy Charter released" [1994] PrivLawPRpr 106; (1994) 1(7) Privacy Law & Policy Reporter 136

Draft Australian Privacy Charter released

The Australian Privacy Charter Council, chaired by Justice Michael Kirby, has released, for public comment, its draft Australian Privacy Charter. The full text follows. The Charter Council was formed in 1992 and includes representatives of a range of business and governmental interests, consumer groups, professional societies, civil liberties organisations and academia. The Charter Council's function is to develop the Australian Privacy Charter, and (in due course) associated Codes, for use by industry, government and community groups. The Charter's intended audience is these groups, legislators and the Australian public. The purpose of the Charter is to change the practices and processes that provide privacy protection to individuals.

A draft Charter has been under discussion within the Council for some months. On 26 September, the Charter Council resolved to release the draft and request comments by November 15. Comments are invited from any organisations or individuals. Communications should be directed to the Australian Privacy Charter Council c/- Faculty of Law, University of New South Wales, Sydney 2052 Fax +61 2 3137209. The final Charter is scheduled to be launched in December 1994

Julie Cameron, Convener of the Australian Privacy Charter Council.

THE AUSTRALIAN PRIVACY CHARTER (PUBLIC RELEASE DRAFT) OCTOBER 1994

PREAMBLE

Australians value privacy, and recognise that it is under ever-increasing threat. They expect that their rights to privacy be recognised and protected.

Privacy encompasses bodily (physical) privacy, territorial privacy (private space), privacy of communications, information privacy (rights concerning information about a person), and freedom from unwanted surveillance. These categories sometimes overlap.

''Privacy' is a term widely used to refer to an accepted group of related rights. These rights are accepted nationally and internationally. This Charter enumerates those rights as ''privacy principles'.

Privacy Principles comprise both the rights that each person is entitled to protect, and the obligations of organisations and others to respect those rights.

Personal information is information about an identified person, no matter how it is stored (eg: sound, image, data, fingerprints).

A free and democratic society requires respect for the autonomy of individuals, and limits on the power of both State and private organisations to intrude on that autonomy.

Privacy is a value which underpins human dignity and other key values such as freedom of association and freedom of speech.

Even those privacy protections and limitations on surveillance that do exist are being progressively undermined by technological and administrative changes. New forms of protection are therefore required.

Privacy is a basic human right and the reasonable expectation of every person. A desire for privacy does not mean a person has ''something to hide'. People who wish to protect their privacy should not be required to justify their desire to do so.

The maintenance of other social interests (public and private) justifies some interferences with privacy and exceptions to these Principles. The onus is on those who wish to interfere with privacy to justify doing so. The Charter does not attempt to specify where this may occur.

The following Privacy Principles are a general statement of the privacy protection that Australians should expect to see observed by both the public and private sectors. They are intended to act as a benchmark against which the practices of business and government, and the adequacy of legislation and codes, may be measured. They inform Australians of the privacy rights that they are entitled to expect, and should observe.

The Privacy Charter does not attempt to specify the appropriate means of ensuring implementation and observance of the Privacy Principles. It does require that their observance be supported by appropriate means, and that appropriate redress be provided for breaches.

PRIVACY PRINCIPLES

Technologies, administrative systems, commercial services or individual activities with potential to interfere with privacy should not be used or introduced unless the public interest in so doing outweighs any consequent dangers to privacy.

Exceptions to the Principles should be clearly stated, made in accordance with law, proportional to the necessities giving rise to the exception, and compatible with the requirements of a democratic society.

Individual consent justifies exceptions to some Privacy Principles. However, ''consent' is meaningless if people are not given full information or have no option but to consent in order to obtain a benefit or service. People may revoke their consent.

In exceptional situations the use or establishment of a technology or personal data system may be against the public interest even if it is with the consent of the individuals concerned.

An organisation is accountable for its compliance with these Principles. An identifiable person should be responsible for ensuring that the organisation complies with each Principle.

Each Principle should be supported by necessary and sufficient measures (legal, administrative or commercial) to ensure its full observance, and to provide adequate redress for any interferences with privacy resulting from its breach.

5. Openness

There should be a policy of openness about the existence and operation of technologies, administrative systems, services or activities with potential to interfere with privacy.

Openness is needed to facilitate public participation in assessing justifications for technologies, systems or services; to identify purposes of collection; to facilitate access and correction by the individual concerned; and to assist in ensuring the Principles are observed.

People have a right to conduct their affairs free from surveillance or fear of surveillance. ''Surveillance' means the systematic observation or recording of one or more people's behaviour, communications, or personal information.

People who wish to communicate privately, by whatever means, are entitled to respect for privacy, even when communicating in otherwise public places.

People have a right to private space in which to conduct their personal affairs. This right applies not only in a person's home, but also in the workplace, the use of recreational facilities and public places.

Interferences with a person's privacy such as searches of a person, monitoring of a person's characteristics or behaviour through bodily samples, physical or psychological measurement, are repugnant and require a very high degree of justification.

People should have the option of entering transactions which do not require them to identify themselves.

The minimum amount of personal information should be collected, by lawful and fair means, and for a lawful and precise purpose specified at the time of collection. Collection should not be surreptitious. Collection should be from the person concerned, if practicable.

At the time of collection, personal information should be relevant to the purpose of collection, accurate, complete and up-to-date.

Personal information should be relevant to each purpose for which it is used or disclosed, and should be accurate, complete and up-to-date at that time.

People should have a right to access personal information about themselves, and to obtain corrections to ensure its information quality.

Organisations should take reasonable measures to make people aware of the existence of personal information held about them, the purposes for which it is held, any legal authority under which it is held, and how it can be accessed and corrected.

Personal information should be protected by security safeguards commensurate with its sensitivity, and adequate to ensure compliance with these Principles.

Personal information should only be used, or disclosed, for the purposes specified at the time of collection, except if used or disclosed for other purposes authorised by law or with the meaningful consent of the person it is about (if in the public interest).

Personal information should be kept no longer than is necessary for its lawful uses, and should then be destroyed or have identifiers permanently removed.

Where personal information is collected under legislation and public access is allowed, these Principles still apply except to the extent required for the purpose for which public access is allowed.

People should not have to pay in order to exercise their rights of privacy described in this Charter, nor be denied goods or services or offered them on a less preferential basis for wishing to do so. The provision of reasonable facilities for the exercise of privacy rights is part of the normal operating costs of organisations.