28 February 2017

NSW Workplace Privacy

The Acting NSW Privacy Commissioner has tabled a 48-page report, under the Privacy and Personal Information Protection Act 1998 (NSW) s 61C, on 'the legislative scope and interpretation of Employer, Employee, and Agent Responsibilities under privacy legislation'.

The Commissioner's media release states
Section 61C of the Privacy and Personal Information Protection Act 1998 (PPIP Act) enables the Privacy Commissioner to make a special report on any matter relating to the functions of the Privacy Commissioner to the Presiding Officer of each House of Parliament.
“NSW privacy legislation has stood the test of time well, but there are gaps in privacy protections,” said Dr Elizabeth Coombs, A/NSW Privacy Commissioner.
“The report addresses two of these gaps – that is, protections available to individuals when public or private sector employees covered by the legislation intentionally breach privacy requirements, and when contractors to the public sector do not handle personal information lawfully.”
The recommendations focus on updating legislation to close these gaps and will, if adopted, better secure the privacy rights of individuals in the NSW community.
The Commissioner introduces the report by stating
In discussing the impact of new technologies on privacy, Professor Butler commented:
While in a democratic society the state may have an interest in preserving the autonomy of its citizens from invasions of their privacy, the value of such prohibitions may depend upon the willingness of the relevant authorities to prosecute transgressions. In any event, it is the individual who has his or her dignity or autonomy affronted that has the greater interest in preventing or redressing the wrong. Any appropriate legislative response should therefore make provision for reparation for individuals who have been aggrieved by invasions of their privacy. 
Misuses of personal information and data breaches are not random events; they result from poor organisational governance and practice, and the conduct of employees and contractors. Organisations, whether public or private, generally do the ‘right thing’, as do employees and contractors, but data breach notifications and complaints to my Office are increasing. This is not isolated to NSW. In 2016, the Queensland Crime and Corruption Commission revealed that the misuse of confidential government information was not just one of the most common corruption allegations made, but an increasing percentage having almost doubled from 2014-15.
Members of the public have every right to expect that their personal information is not being placed at risk by poor organisational practices, nor accessed by or disclosed to anyone who does not have legitimate authority to use it. When such incidents occur, it is important that those affected have recourse.
NSW privacy legislation has stood the test of time well overall, but there are gaps, as outlined in my 2015 statutory report on the operation of the Privacy and Personal Information Protection Act 1998 (PPIP Act). The gaps this report focuses on concern the action that can be taken by individuals when public and private organisations’ employees intentionally breach privacy requirements, and when public sector contractors do not handle personal information according to the legislation.
The proposed improvements entail amendments to the PPIP Act and the Health Records and Information Privacy Act, 2002 (HRIP Act) to increase the accountability of employees and contractors. The amendments are not novel; they are working successfully in other laws, and their adoption will make provision for reparation by individuals who have been aggrieved by incursions into their privacy.
The report is made as a special report to the NSW Parliament under section 61C of the PPIP Act to raise awareness of these issues and to aid the development of appropriate legislative, policy and procedural responses. Public debate and action are needed in this important area given the rapid changes the NSW public and service providers are experiencing as a consequence of the advances in digital technology.
The report is summarised as
Many areas of law regulating the responsibilities of government agencies and private service providers include provisions that require those organisations to have comprehensive systems in place for the protection of the rights of persons with whom they have dealings, for example tort, anti-discrimination, and workplace safety laws. Similarly, and additionally, laws and administrative systems are also in place to protect the property that organisations hold from corrupt exploitation by employees and their agents.
Collecting, handling, and disclosing personal and health information is a major activity in many modern organisations. As with obligations under other laws and community expectations, in order to deal with information in ways that help organisations maintain the trust of the community and avoid liabilities, an information ethics and governance framework needs to have a central place in every organisation’s culture, to prevent privacy breaches and misuse of personal and health information.
NSW privacy legislation provides mechanisms for the enforcement of the informational rights of individuals, and the prosecution of employees and agents for corrupt misuse of personal information held by the organisations that engage them. It also places obligations on the public sector to ensure its agents (such as contractors) handle personal information respectfully. But there are gaps; current NSW privacy legislation does not provide adequate protections when:
  • employees of public or private organisations commit intentional privacy wrongdoings. 
  • public sector contractors do not handle personal information according to the legislation.
This report looks at these issues and proposes legislative solutions that will better secure the privacy rights of individuals by overcoming these two shortcomings by adopting mechanisms already established in other laws.
The Commissioner's recommendations are -
1: Amend the PPIP Act and the HRIP Act to allow victims of privacy breaches to have a right to complain against both a public sector agency and relevant employees. That is, to request that the Tribunal make employees second respondents in cases where a public sector agency claims that its data security safeguards were adequate and that the agency should not be liable for the alleged conduct of its employees who contravened privacy law.
2: Amend the HRIP Act to allow victims of privacy breaches to have a right to complain against both a private sector organisation and relevant employees. That is, to request that the Privacy Commissioner make employees second respondents in cases where a private sector organisation claims that its data security safeguards were adequate and that the organisation should not be liable for the alleged conduct of its employees who contravened privacy law.
3: Base amendments of both NSW privacy statutes (PPIP Act and HRIP Act) upon sections 36 and 37 of the Queensland Information Privacy Act 2009 and section 95B of the Federal Privacy Act 1988 to enable the public sector to choose to retain responsibility for any privacy contravening conduct of its contractors and subcontractors, or alternatively, to enter into contracts that make contractors and any subcontractors directly liable as if they are public sector agencies.
4: Amend section 12 of the PPIP Act and HPP5 in Schedule 1 of the HRIP Act to require public sector agencies and private organisations, as may be applicable, to have in place both proactive and reactive measures to prevent data breaches in line with section 53 of the NSW Anti-Discrimination Act 1977.

27 February 2017

Biometrics

‘Automated Facial Recognition Technology: Recent Developments and Approaches to Oversight’ by Monique Mann and Marcus Smith in (2017) 40(1) University of New South Wales Law Journal comments 
There has been a rapid expansion in the type and volume of information collected for security purposes following the terrorist attacks on the United States of America (‘US’) on 11 September 2001. This event has been described as precipitating a program of ‘globalized surveillance’. New technology, biometric identification and other developments such as metadata retention can provide governments with an increasingly comprehensive picture of citizens’ lives. This has resulted in a rapidly expanding use of human biometric information in law enforcement investigations and other applications.
The first part of this article describes Automated Facial Recognition Technology (‘AFRT’) and its law enforcement and border security applications, as well as integration with image sources such as closed circuit television (‘CCTV’), social media and big data. Recent developments including biometric identification documents (licences and passports) and information sharing arrangements that promote searching between state, territory and national government databases to facilitate a national facial recognition system will be discussed. These developments are reviewed against the backdrop of tension between individual privacy rights and collective security objectives. The second part of the article examines existing privacy protections, law enforcement exemptions, and regulatory options based on an international review of current oversight models. As is often the case in relation to technological advancements, government regulation and the legal system have lagged behind, and potential regulatory approaches have not been adequately discussed in either public debate or the academic literature.
In the absence of a constitutional bill of rights or a cause of action for serious invasion of privacy in Australia, there are limited protections in relation to biometric information, and those that do exist, such as protections provided by the Privacy Act 1988 (Cth), are subject to exemptions. This has led to a significant governance gap. In order to align with international regulatory practices, the functions and funding of the Office of the Australian Information Commissioner (‘OAIC’) should be strengthened or, alternatively, a Biometrics Commissioner should be introduced.

26 February 2017

FOI

'Freedom of Information Beyond the Freedom of Information Act' by David Pozen in (2017) University of Pennsylvania Law Review comments 
The U.S. Freedom of Information Act (FOIA) allows any person to request any agency record for any reason. This model has been copied worldwide and celebrated as a structural necessity in a real democracy. Yet in practice, this Article argues, FOIA embodies a distinctively “reactionary” form of transparency. FOIA is reactionary in a straightforward, procedural sense in that disclosure responds to ad hoc demands for information. Partly because of this very feature, FOIA can also be seen as reactionary in a more substantive, political sense insofar as it saps regulatory capacity; distributes government goods in an inegalitarian fashion; and contributes to a culture of adversarialism and derision surrounding the domestic policy bureaucracy while insulating the far more secretive national security agencies, as well as corporations, from similar scrutiny. If this Article’s core claims are correct to any significant degree, then open government advocates in general, and progressives in particular, ought to rethink their relationship to this landmark law.

Straussian

From ‘Kurt Riezler (1882-1955)’ by Leo Strauss in What Is Political Philosophy? And Other Studies (University of Chicago Press, 1959) 236, 260
Human dignity, Riezler suggests among other things, stands and falls by shame and awe because man's greatness is co-present in his littleness and his littleness is co-present in his greatness. It was ultimately because he grasped the meaning of shame and awe that Riezler was a liberal, a lover of privacy. By invading men's privacy one does not come to know them better - one merely ceases to see them. For man's being is revealed by the broad character of his life, his deeds, his works, by what he esteems and reveres not in word but in deed - by the stars for which his soul longs if it longs for any stars.

25 February 2017

Health Regulation

The Australian Health Practitioner Regulation Agency (AHPRA) has reported the landmark conviction of a New South Wales chiropractor for false advertising involving a claim to be able to prevent, treat and cure cancer.

The practitioner, Dr Hance Limboro, pleaded guilty to 13 charges filed by AHPRA in August 2016 under the Health Practitioner Regulation National Law. Section 133(1)(a) of the National Law provides that a health practitioner and/or provider of a regulated health service cannot advertise in a way that is false, misleading or deceptive, or is likely to be misleading or deceptive.

Limboro was fined $29,500 by the Downing Centre Local Court in Sydney and ordered to pay AHPRA’s legal costs. His advertising featured testimonials, not permitted when advertising regulated health services. He was convicted of unlawfully advertising a regulated health service and using testimonials.

The AHPRA media release states -
Chiropractic Board of Australia Chair, Dr Wayne Minter AM, said the Board welcomed today’s decision by the court.
‘Today’s conviction is a win for public protection and a warning to anyone advertising health services in a way that contravenes the National Law,’ Dr Minter said.
‘Most chiropractors are doing the right thing. However, the Board has been up front with the profession that if their advertising is not compliant with the law, they will be held to account.’
AHPRA CEO Martin Fletcher said today’s outcome sent an important message to anyone who advertises a regulated health service that the regulator will take action if they break the law.
‘Today’s conviction is a landmark ruling. Our purpose, working closely with the Chiropractic Board of Australia, is to protect the public. This shows that we will take action and that people breaking the law will be held to account,’ Mr Fletcher said.
‘Making false claims to treat serious illnesses through unproven methods is both unethical and illegal. In her ruling Magistrate Viney said that while the practitioner personally may not have loaded the advertising onto the website in question, he could not deny responsibility. This is an important lesson for others who are advertising regulated health services.
‘Today’s outcome is a reminder to all of us as health consumers and patients that if an advertisement seems too good to be true, it probably is. Make sure you ask your health practitioner what evidence they have to make these claims and if you’re still unsure, seek a second opinion,’ Mr Fletcher said.

Trumpocalypse

QUT Intellectual Property and Innovation Law (Queensland University of Technology) ran an excellent symposium earlier this month on Access To Essential Medicines, following up the UN High Level Panel report noted here.

Presentations by Matthew Rimmer and Charles Lawson were of particular cogency.

The abstract for my presentation on 'Access To Essential Medicines After The Trumpocalypse: Regulatory Incoherence, Incapacity and Resistance' is
Recent statements by US President Trump embody a regulatory incoherence regarding the development, marketing and pricing of essential medicines in the United States. That incoherence is likely to be reinforced by regulatory incapacity through cuts to the US Food & Drug Administration, the Department of Health and Human Services and the Federal Trade Commission.
The presentation suggests that the White House’s objectives in the US market – cheaper drugs for US consumers, lower costs for health service providers, increased return on investment for major and emerging US drug companies – are unachievable in the next four years. Erosion of the institutional capacity of regulators is likely to affect public health within the US and elsewhere beyond Trump’s time in office. Resistance at the national and international level over the coming decade offers a basis for building a more just global pharmaceutical access regime.

23 February 2017

Data Fumes

'What Is Data Justice? The Case for Connecting Digital Rights and Freedoms on the Global Level' by Linnet Taylor argues 
The increasing availability of ‘data fumes’ (Thatcher, 2014) – data produced as a byproduct of people’s use of technological devices and services – has both political and practical implications for the way people are seen and treated by the state and by the private sector. Yet the data revolution is so far primarily a technical one: the power of data to sort, categorise and intervene has not yet been explicitly connected to a social justice agenda. In fact, while data-driven discrimination is advancing at exactly the same pace as data processing technologies, awareness and mechanisms for combating it are not. This paper posits that just as an idea of justice is needed in order to establish the rule of law, an idea of data justice is necessary to determine ethical paths through a datafying world. The paper will analyse the existing work on data justice and argue for a framework in which it can be brought together into a single framing for further research and debate.