Re: Review of Market and Social Research Privacy Code


http://www.privacy.org.au
Secretary@privacy.org.au
http://www.privacy.org.au/about/contacts.html

31 August 2012

Dr Terry Beed
Chair
Independent Code Review Panel
AMSRO

Dear Terry

Re: Review of Market and Social Research Privacy Code

I refer to our previous correspondence on the above matter. Thank you for the opportunity to consider the current version of the Code. I attach the APF's Submission.

Yours sincerely

Roger Clarke
Chair, for the Board of the Australian Privacy Foundation
(02) 6288 1472
Chair@privacy.org.au

Review of Market and Social Research Privacy Code

Submission to the Independent Review of the Code

31 August 2012

The Australian Privacy Foundation (APF) is the country's leading privacy advocacy organisation. A brief backgrounder is attached.

Introduction

The Market and Social Research Privacy Code (the "Code"), developed by the Association of Market and Social Research Organisations (AMSRO), was approved by the Commonwealth Privacy Commissioner on 1st September 2003. In accordance with Subclause G.1 of the Code, an Independent Code Review Panel has been established to undertake the required three-yearly review, which is to be submitted to the Privacy Commissioner.

The APF made a submission to the previous review of the Code on 6 October 2006. This submission identifies continuing weaknesses with the Code, and with the operation of the Code, including weaknesses that were not addressed in the previous review.

No timely review of the Code

Subclause G.3.1 of the Code requires an independent review of the Code once every three years. The terms of reference for the current review acknowledge that the last review was undertaken in 2007. The APF points out that independent reviews at least once every three years are expected under the Privacy Commissioner's Code Development Guidelines, and that the failure to conduct a review of the Code within the specified time is a serious breach. The APF considers that this breach must be taken into account in any assessment of the adequacy of the Code.

Conclusion 1

AMSRO has an obligation to explain the delay in undertaking a timely independent review as required by the Code.
Objectives and definition of identified information

The objectives of the code include:

"to facilitate the protection of identified information provided by, or held in relation to, the participants or subjects of market and social research;"

The use of the term "identified information" differs from the terminology used in the Privacy Act 1988 (Cth), which uses the term "personal information". "Personal information" is currently defined to mean information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. Although this meaning is captured, to an extent, by the definition of "identified information" in the Code, the APF considers that the use of the term "identified information" may be misleading.

Moreover, the APF notes that the legislative definition of "personal information" is proposed to be amended by the Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) to mean information or an opinion about an identified individual or an individual who is reasonably identifiable. The APF notes that we have been highly critical of this definition, which derives from the ALRC report, on the basis that a broader definition is required to deal with technological change interactions with individuals without them being identified. Accordingly, the APF has recommended replacing "reasonably identifying" with "potentially identifying". As we consider that the Code should enhance the protection of data subjects, we recommend amending the definition of information that falls within the Code to include potentially identifying information.

Conclusion 2

2.1 All instances of "identified information" should be replaced with "identifiable information" throughout the document.

2.2 The definition of "identified information" should be replaced with a definition of "identifiable information" that incorporates potentially identifying information.

Research purpose

The privacy principles in the Code are related to the purposes of processing the identified information, which are defined in terms of a "research purpose". A "research purpose" is defined to mean the handling of information in order to carry out any function considered essential to the conduct or communication of the results of a market or social research project. The definition of the purpose for collection by reference to an activity ("handling of information") is potentially confusing. We therefore recommend amending the definition of "research purpose" so that it refers to a specific purpose (or purposes), rather than an activity, that is related to market and social research.

Conclusion 3

The definition of "research purpose" should be amended so that it refers to a specific purpose (or purposes) rather than an activity.

Collection principle

Subclause E.1.1.5 provides that a research organisation must take reasonable steps to ensure that the data subject is aware of certain matters when identified information is collected. The APF considers that there is a significant distinction between social and market research.
We therefore recommend that, in addition to the matters identified in E.1.1.5, a research organisation should be required to disclose whether it is engaged in social research or market research.

Conclusion 4

When identified information is collected from an individual, a research organization should be required to disclose whether the information is being collected for social research or market research.

Use/disclosure of identified information

Sub-paragraph E.2.2.4(d) provides that, in the absence of consent for broader research purposes, use of identified information is restricted to research on the same (or substantially the same) topic. Similarly, sub-paragraph E.2.2.5(d) provides that, in the absence of consent for broader research purposes, disclosure of identified information is restricted to research on the same (or substantially the same) topic.

The APF considers that the term "substantially the same" is insufficiently certain, and may allow for function creep. We therefore recommend that use or disclosure of the information be restricted to use on the same topic. We note that this recommendation does not interfere with use or disclosure of information made with the consent of the data subject.

Conclusion 5

Use or disclosure of identified information should be restricted to research on the same topic as that for which the information was collected, unless the data subject consents to use or disclosure for other purposes.

Transborder data flows (TBDF)

Subclause E.9.1 states that transborder transfers of identified information are dealt with in E.2.5. TBDF are only specifically referred to in sub-clause E.2.6. The reference in E.9.1 should therefore be corrected.

Given the dangers to individual privacy posed by unrestricted cross-border disclosure, the APF considers that the Code should be both more specific and more stringent in the way in which it addresses TBDF. In this respect, the APF notes its past criticisms of the current NPP 9, which in effect allows personal data to be exported provided reasonable steps are taken to ensure the data is used consistently with the NPPs. The APF further notes the significant weaknesses with the proposed new TBDF principle in APP 8 which, together with proposed s 16A, provides at least nine grounds on which a data exporter may be exempt.

The APF therefore considers that the Code should include a specific clause that specifically deals with TBDF, such as the following:

"A research organisation may transfer identified information to someone who is in a foreign country only if the organisation enters into a binding contract which effectively upholds principles for fair handling of the information that are at least equivalent to the principles in this Code."

Conclusion 6

The Privacy Principles should be amended to include express reference to a TBDF principle that incorporates a requirement for AMSRO members to enter a binding contract which ensures protection of personal data transferred out of Australia.

Deletion principle

The APF notes that proposed APP 11.2 provides for personal information to be destroyed or de-identified when it is no longer needed for a purpose for which it may be used or disclosed. The APF further notes that this principle accords with applicable international standards.

The Code incorporates a version of this principle in 4.1, which provides that:

"A research organisation may retain identified information only while the details of the identity of the individual whom the information is about continue to be necessary for research purposes."

The difficulty with this form of the principle is the breadth of the definition of a research purpose.
To ensure that identifiable personal data is not retained by AMSRO members when it is no longer needed, but merely on the chance that it may be used, the APF recommends that the Code specifically adopts a form of the deletion principle, such as the following:

"A research organisation must take reasonable steps to de-identify or destroy identifying information when it no longer needs the information for the research purpose for which it was collected, or for a directly related research purpose."

Conclusion 7

The Privacy Principles should be amended to include an express deletion principle that requires identifying information to be de-identified or destroyed when it is no longer needed for the research purpose for which it was collected, or for a directly related purpose.

For further information please contact:

David Lindsay
david.lindsay@monash.edu.au
Board Member
Australian Privacy Foundation

Australian Privacy Foundation

Background Information

The Australian Privacy Foundation (APF) is the primary national association dedicated to protecting the privacy rights of Australians. The Foundation aims to focus public attention on emerging issues that pose a threat to the freedom and privacy of Australians. The Foundation has led the fight to defend the right of individuals to control their personal information and to be free of excessive intrusions.

The APF's primary activity is analysis of the privacy impact of systems and proposals for new systems. It makes frequent submissions to parliamentary committees and government agencies. It publishes information on privacy laws and privacy issues. It provides continual background briefings to the media on privacy-related matters.

Where possible, the APF cooperates with and supports privacy oversight agencies, but it is entirely independent of the agencies that administer privacy legislation, and regrettably often finds it necessary to be critical of their performance.

When necessary, the APF conducts campaigns for or against specific proposals. It works with civil liberties councils, consumer organisations, professional associations and other community groups as appropriate to the circumstances. The Privacy Foundation is also an active participant in Privacy International, the world-wide privacy protection network.

The APF is open to membership by individuals and organisations who support the APF's Objects. Funding that is provided by members and donors is used to run the Foundation and to support its activities including research, campaigns and awards events.

The APF does not claim any right to formally represent the public as a whole, nor to formally represent any particular population segment, and it accordingly makes no public declarations about its membership-base. The APF's contributions to policy are based on the expertise of the members of its Board, SubCommittees and Reference Groups, and its impact reflects the quality of the evidence, analysis and arguments that its contributions contain.

The APF's Board, SubCommittees and Reference Groups comprise professionals who bring to their work deep experience in privacy, information technology and the law.

The Board is supported by Patrons The Hon Michael Kirby AC CMG and The Hon Elizabeth Evatt AC, and an Advisory Panel of eminent citizens, including former judges, former Ministers of the Crown, and a former Prime Minister.

The following pages provide access to information about the APF:

Policies: http://www.privacy.org.au/papers/
Resources: http://www.privacy.org.au/resources/
Media: http://www.privacy.org.au/media/
Current Board Members: http://www.privacy.org.au/about/contacts.html
Patron and Advisory Panel: http://www.privacy.org.au/about/advisorypanel.html

The following pages provide outlines of several campaigns the APF has conducted:

The Australia Card (1985-87): http://www.privacy.org.au/about/formation.html
Credit Reporting (1988-90): http://www.privacy.org.au/campaigns/creditrpting/
The Access Card (2006-07): http://www.privacy.org.au/campaigns/id_cards/hsac.html
The Media (2007-): http://www.privacy.org.au/campaigns/media/