How will the Privacy (Private Sector) Amendment Act 2000 (Cth) affect the operation of commercial web sites when it is fully in force?

This essay was completed by Trevor B Roydhouse BJuris, LLB
for the LAWS3037 Data Surveillance & Information Privacy Law LLM course
at the University of New South Wales Faculty of Law in Session 1, 2001.

Personal information

The Privacy Act protects "personal information" which means "information [...] whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information".FN1

The Act applies to the collection of personal information only if the information is collected for inclusion in a record or generally available publication, and to personal information which has already been collected only if that information is held in a record.FN2 A "record" includes a document, database or photograph, but excludes a generally available publication, FN3 which is a publication (however published) that is generally available to the public. FN4

Internet Protocol (IP) addresses: Every computer connected to the internet has an IP address (eg 203.41.189.1) which can be resolved to its name (if any) under the Domain Name System (mailserver.randwick.nsw.gov.au in this case). It is no longer true that every computer has a unique IP address. DHCP servers allocate an IP address to a computer when it connects to the network from a pool of addresses. Each time a user dials an ISP, an IP address is allocated from the pool for the duration of that session. NAT programs hide entire networks behind the single IP address of the "gateway" computer. Thus every access of the Internet from those networks appears to come from the single gateway computer.

Transparent web/FTP proxy servers are used by almost all ISPs and large organisations to speed access, preserve bandwidth and save data costs. When a request is made, the proxy server checks if it has already cached the requested object and, if it has, returns it. If the object has not been cached, then the proxy server requests it from another proxy server or the actual server which hosts it. FN5 Thus, web page requests from all UNSW computers appear to come from one of the UNSW proxy servers. While the IP address recorded by web/FTP servers may identify the requesting gateway or proxy server, it is unlikely to identify anyone and therefore unlikely to be personal information.

Email addresses: For information to be "personal information" it would usually need to be more than that person's name. FN6 An email address may constitute personal information because it may reveal not just a person's name, but also how to contact that person. If the identity of an individual is apparent, or can reasonably be ascertained, from a telephone number, FN7 how is an email address any different?

An address of trevor.roydhouse@unsw.edu.au is likely to be personal information because an individual's identity is apparent whereas this is not the case for trevor@unsw.edu.au. If the data collector is aware that UNSW student addresses default to student identity numbers, 4008094@unsw.edu.au may be personal information if the data collector has access to the relevant records. Donald.Duck@unsw.edu.au is unlikely to identify anyone. However, an individual may be ascertainable from that pseudonym where the data collector has access to the relevant records or other publicly available information (eg a searchable message database). FN8

Whether a person's identity is apparent or reasonably ascertainable from an email address, depends on the form of the address, its context and the information resources available. FN9

Cookie data: A cookie is data that is stored on a user's computer by the user's web browser in response to a request by a web page which the user has viewed. The sort of data which may be stored ranges from web site preferences to your name, email, address, telephone number, user name, password, and IP address. After some bad press concerning privacy issues, most cookies no longer contain any obviously identifying information. Instead, they contain a unique identity number.

When visiting web sites which subscribe to certain advertising services, the site's pages request the advertiser's cookie when you view them. If you do not already have one of their cookies, they give you one. If you already have one, then the identity number which it contains is sent back to the advertiser's web site. That site uses your number to retrieve the marketing information FN10 that it holds on you so that advertisements or other content can be tailored for you. Thus, you can be tracked by the advertising service whenever you visit a site which subscribes to it.

The information contained in cookies is therefore unlikely to be personal information because it does not identify you. However, the web sites you visit may have collected additional information from you through your registering to receive "free" newsletters or making purchases. This user-supplied data may be linked back to your cookie identity number and therefore the cookie data may be personal information.

Web bugs: A web bug is simply an invisible graphic file which is placed in a web page. When the page is viewed, the graphic file is fetched from another web server, and that server records in its log file the user's IP address, domain name, date and time of visit, pages accessed, files downloaded, previous web page/site visited, type/version of the web browser, type/version of operating system and protocol used. That other web server may also retrieve or set a cookie to track the person in future. When a web bug is included in an email, it can be used to determine when or if the email is read. Web server log file information is not personal information because it will usually not identify anyone. However, where a web server requires a username and password, the user would be identifiable from the information in the web server log and that information would be personal information.

Does the Privacy Act apply?

The Privacy Act broadly applies to organisations which are not small business operators. FN11 A small business operator is an individual, body corporate, partnership, unincorporated association or trust which carries on one or more "small businesses" and does not carry on a non small business. FN12 A business is a small business if its "annual turnover"FN13 in the previous financial year is $3m or less. FN14

A small business operator can lose the exemption if it exceeds the $3m limit, FN15 provides a "health service", FN16 holds any "health information" FN17 except about an employee, FN18 discloses "personal information" FN19 about another individual to anyone else for a benefit, service or advantage, FN20 or provides a benefit, service or advantage to collect personal information about another individual from anyone else. FN21 In addition, a small business operator who is otherwise exempt from the Act may choose to opt-in. FN22

The Act also provides an exemption for "media organisations", FN23 political parties and political representatives FN24 in certain circumstances.

A web site operator will be subject to the Act if it does not qualify for any exemption, or has chosen to opt-in. Where the Act applies, the operator must comply with the National Privacy Principles FN25 (NPPs).

NPP 1: Collection

NPP 1 prohibits a web site operator from collecting personal information unless it is necessary for its functions and is collected by lawful and fair means. If practicable, the operator must notify the person at or before the time of collection (or as soon as practicable thereafter) of its identity, contact details, the person's ability to gain access to the information, the purposes of collection, the organisations to which it usually discloses the information, any law requiring the collection, and any consequences if the information is not provided. Whenever reasonable and practicable, the operator must collect information about a person from that person. Where information is collected from a third party, the operator must still take steps to inform the person about the collection.

The information recorded in a web log file is arguably not collected since the information is not solicited, FN26 but provided by the user's web browser as part of the HTTP protocol. That it is recorded in a log file should not affect the unsolicited nature of the information. FN27 At the time the information is recorded in the web log, it is unlikely that the web site operator intends to compile information about an identified person. FN28

Even if the information is personal information which has been collected, the question remains whether the information has been collected for inclusion in a record or generally available publication. FN29 Until the web site operator preserves the web log, it is arguable that the Act does not apply. However, if the web log file is backed up and preserved, then the Act would apply.

There is unlikely to be any difficulty in determining that the web log information is necessary for one or more of the web site operator's functions because web log files are essential for auditing system security.

Given the operation of the HTTP protocol, it would be difficult to argue that the information was collected in an unlawful, unfair or unreasonably intrusive way.

The requirement to notify the users of specific matters when collecting information could be fulfilled by including a link on each web page to another page containing a detailed privacy statement. It would be questionable whether only including such a link on the home page is sufficient because a user may bypass that page and arrive at the web site via another link (eg from a search engine). It would also be questionable whether a link on any page which is not obvious constituted sufficient notice. Indeed, the Privacy Commissioner has stated that the details should be so located that the user easily becomes aware of them and that requiring the user to find the details by clicking through a number of pages is not acceptable. FN30

Where the information being collected is personally identifying (eg a registration form), it would be reasonable to expect that the form which the user fills in should include the appropriate disclosures before the information is transmitted to the web site. However, where a username and password are subsequently required from the user, it is arguable that no disclosures need to be made again because the information in this case is not being collected for inclusion in a record (unless it is being logged and periodically backed up).

In the case of cookies, it would seem that only when the information to which the cookie relates is originally collected, does the web site operator need to make the appropriate disclosures. Thereafter, no further information is collected. When the user revisits the site, the HTTP protocol automatically sends the cookie data stored on the user's computer to the web server. Although this cookie data may be used to identify the user by matching a unique user identity number with information already held in a record, it is not logged and so is not collected.

Where a web site operator collects information (eg email addresses) from a third party, and those addresses qualify as personal information, the operator must take reasonable steps to ensure that the owners of those addresses are apprised of the specified matters. Notifying the owners of these matters via email would seem reasonable.

NPP 2: Use and disclosure

NPP 2 prohibits a web site operator from using or disclosing a user's personal information which it has collected for a purpose other than that for which it was collected (the primary purpose). There are, however, exceptions to this.

The main exceptions include use or disclosure for a secondary purpose where: (1) the user would reasonably expect it; (2) the user consented; or (3) the secondary purpose is direct marketing and it is impracticable to seek the user's consent before that use, there is no charge for allowing the user to opt out of further communications, the user is given an opportunity to opt out of further communications, and each communication includes the operator's contact information.

Additional rules and exceptions apply to use and disclosure of "sensitive information", FN31 "health information", FN32 and use or disclosure for protection of individual and public health, law enforcement, protection of the public revenue, and judicial proceedings.

Whether it is impractical to seek the user's consent before using the user's email address for direct marketing is somewhat problematical because it involves using the email address for a secondary purpose in seeking consent to use the email address for a secondary purpose!

Web site operators should therefore clearly communicate to users the purpose for which information is collected at the time of collection (NPP 1) because any subsequent non-communicated uses may otherwise breach the Act.

When collecting personal information, web site operators may well be tempted to include a requirement that the user consent to unspecified use of their personal information before engaging in a particular transaction (eg registering for a free email newsletter). However, the Privacy Commissioner has indicated that consent must be specifically about the purpose that is intended for the information, that broad or vaguely worded consent clauses will not satisfy the requirement because they do not inform an individual what they are consenting to, and that consent will not be voluntary and valid if the person is denied some benefit or is disadvantaged because they refuse consent. FN33

NPP 4: Data Security

NPP 4 requires a web site operator to take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Web site operators will have to take special care collecting information on their sites. Any use of the HTTP "GET" method wherein the information is encoded in plain text in the URL may breach the Act because that information may be disclosed to the next web site the user visits which logs the "referer" URL. Such unintended disclosures have become notorious. FN34 Where access to the confidential details of more than 17,000 companies was gained by merely changing the final part of a URL, FN35 the Privacy Commissioner found that the site had breached the public sector equivalent of NPP 4. FN36
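To make the two log-file points concrete (an authenticated username recorded in a web server log, and form data submitted with "GET" reaching another site's log as the "referer" URL, for instance via a web bug on the confirmation page), here is an added Python example that is not part of the essay. It parses constructed combined-format log lines, flags the entries that would hold personal information on the essay's reasoning, and shows the de-identification NPP 4 calls for; the hostnames, usernames and addresses are invented.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# NCSA "combined" log format, as written by Apache and most web servers of the period:
# host ident authuser [date] "method target protocol" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
EMAIL_RE = re.compile(r'^[^@\s]+@[^@\s]+\.[^@\s]+$')

# Constructed sample lines (hypothetical hosts, not real traffic). Line 1 is an anonymous
# page view; line 2 was served behind a username/password; line 3 is a registration form
# submitted with GET, so the user's details sit in the URL; line 4 is what an advertiser's
# server (hosting a web bug on the registration page) logs: the same URL as the Referer.
SAMPLE_LOG = """\
203.41.189.1 - - [01/May/2001:10:00:01 +1000] "GET /index.html HTTP/1.0" 200 1043 "-" "Mozilla/4.0"
203.41.189.1 - troydhouse [01/May/2001:10:00:02 +1000] "GET /members/ HTTP/1.0" 200 512 "-" "Mozilla/4.0"
203.41.189.1 - - [01/May/2001:10:00:03 +1000] "GET /register?name=Trevor&email=trevor.roydhouse%40unsw.edu.au HTTP/1.0" 200 88 "-" "Mozilla/4.0"
10.0.0.7 - - [01/May/2001:10:00:09 +1000] "GET /ads/banner.gif HTTP/1.0" 200 43 "http://shop.example/register?name=Trevor&email=trevor.roydhouse%40unsw.edu.au" "Mozilla/4.0"
"""


def parse_line(line):
    """Split one combined-format line into its named fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a combined-format log line: %r" % line)
    return m.groupdict()


def query_params(url):
    """Decoded (key, value) pairs from the query string of a path or absolute URL."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def identifying_fields(entry):
    """Fields that make this entry 'personal information' in the essay's sense.

    The client IP is deliberately not flagged: behind NAT, dial-up pools and
    proxies it rarely identifies an individual. An authenticated username does,
    and so does an email address carried in the request line or Referer query.
    """
    found = []
    if entry["user"] != "-":
        found.append(("authuser", entry["user"]))
    for field in ("target", "referer"):
        if entry[field] == "-":
            continue
        for key, value in query_params(entry[field]):
            if EMAIL_RE.match(value):
                found.append((field + ":" + key, value))
    return found


def audit_log(text):
    """Map 1-based line number -> identifying fields, for lines that hold personal information."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            fields = identifying_fields(parse_line(line))
            if fields:
                report[n] = fields
    return report


def de_identify(entry):
    """Copy of the entry with the username and all query strings removed.

    Path, status, time and user agent are kept, so the record still serves
    the security-auditing purpose the essay says justifies keeping logs.
    """
    out = dict(entry)
    out["user"] = "-"
    for field in ("target", "referer"):
        if out[field] != "-":
            s = urlsplit(out[field])
            out[field] = urlunsplit((s.scheme, s.netloc, s.path, "", ""))
    return out


if __name__ == "__main__":
    for n, fields in sorted(audit_log(SAMPLE_LOG).items()):
        print("line %d holds personal information: %s" % (n, fields))
```

Switching the registration form to "POST" keeps the details out of the URL, so neither line 3 nor the advertiser's line 4 would carry them in the first place.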

NPP 4 also requires a web site operator to take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. Whether information is no longer needed depends on the continued validity of the purposes for which the information was collected and any permitted secondary purposes.

Where the information is no longer required, the Privacy Commissioner has indicated that, as a minimum, reasonable steps to destroy or permanently de-identify information would require all electronic information to be permanently deleted or de-identified from all systems, including any back ups. FN37 Given the huge volumes of data which many businesses back up on a regular basis, the off-site storage of this data and the expense which would be incurred in retrieving and restoring such data in order to delete or de-identify small amounts of it, before backing it up again and re-storing off site, one wonders how "reasonable" the Privacy Commissioner is being.

NPP 6: Access and Correction

NPP 6 requires a web site operator holding personal information about an individual, to provide the individual with access to the information on request subject to certain exceptions. Even where an exception applies, the operator must, if reasonable, consider whether the use of mutually agreed intermediaries would allow sufficient access to meet the needs of both parties. Any charges for providing access to personal information must not be excessive and must not apply to lodging a request for access. Where providing access would reveal evaluative information in connection with a commercially sensitive decision-making process, the web site operator may instead provide an explanation for the decision.

If an individual establishes that information is not accurate, complete and up-to-date, reasonable steps must be taken to correct the information. If there is a disagreement about these attributes, then the operator must, where requested, take reasonable steps to include a statement that the information is not accurate, complete or up-to-date. Reasons must be provided for any denial of access or refusal to correct the information.

The Privacy Commissioner notes that where certain services have been contracted out (eg, mail list or other database management) and the contracted service provider is managing holdings of personal information, such arrangements do not diminish the individual's right of access. FN38 Web site operators should therefore develop secure online access and correction facilities to avoid the potentially higher costs of providing the offline access and correction facilities envisaged by the Privacy Commissioner. FN39

NPP 6 applies only to Australian citizens or permanent residents. Thus, web site operators do not have to provide any rights of access or correction to their non-Australian overseas customers. FN40

NPP 8: Anonymity

NPP 8 requires that, wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with the web site operator. This could significantly undermine the business model of many web sites which provide so-called "free" content or services in return for collecting personal information during the registration process. Indeed, the Privacy Commissioner takes the view that this catches any web site that requires the provision of personal details as a condition of use. FN41

Such web sites may have to look at offering some anonymous payment method as an alternative to "free" access. Of course, one would expect that the majority of users would continue to provide their personal information in exchange for "free" access. The fact that no anonymous payment methods are in wide use and that the almost universal Internet payment method remains the ubiquitous credit card, may mean that it is currently impractical to offer an anonymous payment method.

It may also be arguable that the reference to "entering transactions" refers only to transactions in which money changes hands, thereby excluding web sites which provide access in return for personal information.

NPP 9: Trans-border data flows

NPP 9 prohibits a web site operator from transferring personal information overseas unless it reasonably believes that the foreign recipient is subject to a law, binding scheme or contract that places substantially similar obligations on the recipient as if the recipient were bound by the NPPs.

There are exceptions to the prohibition where: the individual gives consent to the transfer; the transfer is necessary for certain contract matters; the transfer is for the benefit of the individual, it is impracticable to obtain the consent of the individual to that transfer and, if it were practicable to obtain such consent, the individual would be likely to give it; or the organisation has taken reasonable steps to ensure that the transferred information will not be held, used or disclosed by the recipient inconsistently with the NPPs. Transfers of personal information outside Australia to another part of the same organisation, or to the individual concerned, are also permitted.

Extra-Territoriality

Where there is an overseas transfer to another part of the same organisation, the NPPs continue to apply to that information overseas. However, this extra-territorial application is only for information about Australian citizens and permanent residents FN42 where the organisation has (1) an organisational link with Australia (ie is an Australian citizen, resident, company or trust formed here, or unincorporated association managed or controlled here); FN43 or (2) an operational link with Australia (ie carries on business here, or collected or held the information here). FN44

This potentially subjects overseas web site operators to the NPPs for the personal information of Australian users where the operator can be regarded as carrying on business or collecting information here. As to what "carries on business" means, the Act provides no guidance. The question is ultimately one of fact and degree and will no doubt be litigated. Equally problematical is what amounts to collection in Australia. Where an Australian fills in a web page displayed in a web browser on a computer in Australia, and then transmits that information to an overseas computer, the collecting device is in Australia, but the repository is overseas. Arguably, the information was collected in Australia, but is held overseas.

In the case of overseas, non-Australian customers dealing with Australian web site operators, they will have the same privacy protection as their Australian counterparts because the Act does not require Australian citizenship or residency as a precondition for an interference with privacy FN45 or for making a complaint. FN46 The access and correction rights under NPP 6 are the exception.

Assessment of Australian Internet users' privacy

While Australian Internet users now have laws to safeguard their privacy in the private sector, those individual users must enforce these new privacy rights by pursuing complaints against the privacy-unfriendly practices of businesses. The majority of Internet users do not understand the technology, let alone the array of online privacy-invasive practices, yet their right to privacy depends on their ability to complain about them. Leaving to one side this self-help philosophy, the Act should be changed to remedy the following deficiencies:

Footnotes

FN1 Privacy Act, sec 6(1).

FN2 Privacy Act, sec 16B(1).

FN3 Privacy Act, sec 6(1).

FN4 Privacy Act, sec 6(1).

FN5 Proxy servers may be chained so that requests which are unfulfilled by the local proxy server (eg at the user's company) are then made to a proxy server which is higher up the chain (eg at the user's ISP).

FN6 Clare Strang v Department of Immigration and Ethnic Affairs and Siddha Yoga Foundation Ltd, No. V93/1180 AAT No. 9904; http://www.austlii.edu.au/au/cases/cth/aat/unrep5643.html, at para 49.

FN7 Pfizer Pty Limited v Department of Health, Housing and Community Services (1993) 30 ALD 647; http://www.austlii.edu.au/au/cases/cth/aat/unrep5067.html, at para 80.

FN8 See, for example, http://groups.google.com/googlegroups/deja_announcement.html which allows the search of 650 million message postings from 1995 to date.

FN9 The Privacy Commissioner concurs with this view, see the Draft National Privacy Principle Guidelines, May 2001 at http://www.privacy.gov.au/publications/dnppg.html#2.

FN10 The information which one service, DoubleClick, holds includes: user's name, address, retail, catalogue and online purchase history, and demographic data as well as non-personally identifying information. See: http://www.doubleclick.net.

FN11 Privacy Act, sec 6C(1).

FN12 Privacy Act, sec 6D(3).

FN13 Privacy Act, sec 6DA.

FN14 Privacy Act, sec 6D(1), (2).

FN15 Privacy Act, sec 6D(4)(a).

FN16 Privacy Act, sec 6(1).

FN17 Privacy Act, sec 6(1).

FN18 Privacy Act, sec 6D(4)(b).

FN19 Privacy Act, sec 6(1).

FN20 Privacy Act, sec 6D(4)(c).

FN21 Privacy Act, sec 6D(4)(d).

FN22 Privacy Act, sec 6EA.

FN23 Privacy Act, sec 6(1), 7B(4).

FN24 Privacy Act, sec 7C.

FN25 Privacy Act, sch 3.

FN26 Harder v The Proceedings Commissioner [2000] NZCA 129; http://www.austlii.edu.au/nz/cases/NZCA/2000/129.html, at para 25.

FN27 Harder v The Proceedings Commissioner [2000] NZCA 129; http://www.austlii.edu.au/nz/cases/NZCA/2000/129.html, at para 25.

FN28 Eastweek Publisher Ltd v Privacy Commissioner for Personal Data [2000] 1 HKC 692 at p 700.

FN29 Privacy Act, sec 16B(1).

FN30 Draft National Privacy Principle Guidelines, Chapter 8, May 2001 at: http://www.privacy.gov.au/publications/dnppg.html.

FN31 Privacy Act, sec 6(1).

FN32 Privacy Act, sec 6(1).

FN33 Draft National Privacy Principle Guidelines, Chapter 3, May 2001 at: http://www.privacy.gov.au/publications/dnppg.html.

FN34 See, for example: Intuit plugs leaks to DoubleClick by Sandeep Junnarkar, CNET News.com, March 2, 2000 at: http://news.cnet.com/news/0-1007-200-1562341.html.

FN35 Angus Kidman, GST site row shows security risks, 29 June 2000 at: http://www.newswire.com.au/apcweb/news.nsf/HTML/Category/35796BFF6CA62766CA25690D001A313A.

FN36 Toni O'Loughlin, Treasury's Web site 'breached privacy laws', 18 October 2000 at: http://www.smh.com.au/news/0010/18/text/national6.html.

FN37 Draft National Privacy Principle Guidelines, Chapter 7, May 2001 at: http://www.privacy.gov.au/publications/dnppg.html.

FN38 Draft National Privacy Principle Guidelines, Chapter 9, May 2001 at: http://www.privacy.gov.au/publications/dnppg.html.

FN39 Draft National Privacy Principle Guidelines, Chapter 9, May 2001 at: http://www.privacy.gov.au/publications/dnppg.html.

FN40 Privacy Act, sec 41(4).

FN41 Draft National Privacy Principle Guidelines, Chapter 11, May 2001 at: http://www.privacy.gov.au/publications/dnppg.html.

FN42 Privacy Act, sec 5B(1).

FN43 Privacy Act, sec 5B(2).

FN44 Privacy Act, sec 5B(3).

FN45 Privacy Act, sec 13A.

FN46 Privacy Act, sec 36.

FN47 APCC Submission to an Inquiry by the Senate Legal and Constitutional Affairs Committee Re: Privacy Amendment (Private Sector) Bill 2000, 20 August 2000 at: http://www.apcc.org.au/Submns/Sen0008.html.

FN48 Privacy Act, sec 6EA.

FN49 CNET Enterprise, Collecting Customer Data, at: http://enterprise.cnet.com/enterprise/0-9562-7-5861170.html.

FN50 Privacy Act, sec 13B.