30 June 2012

Patent Licensing

The Productivity Commission is to undertake an inquiry into compulsory licensing in the patents system.

The inquiry is promoted by the Assistant Treasurer and the Parliamentary Secretary for Industry & Innovation as examining "whether, and how, to ensure access to patented technology while maintaining the patent incentive to create and protect new technology".

It follows recommendations in Parliamentary Committee reports and the Australian Law Reform Commission Genes & Ingenuity report on gene patents for a review of the operation of compulsory licensing provisions in the Patents Act 1990 (Cth).

The Ministers stated that -
We want to ensure there are no unnecessary delays or impediments to accessing technology. The compulsory licensing provisions are a key protection mechanism to ensure access and an important step in implementing the Government's Response to the Gene Patents Report. 
The Commission will review a range of leading international practices, including the processes under which the current provisions can be used. It will consider any alternative mechanisms, and recommend measures to raise awareness of these safeguard provisions, in particular within the small business and healthcare sector. 
Compulsory licensing is an increasingly sensitive issue internationally, particularly in the context of access to affordable health care. Accurate medical advice relies in part on the identification and use of gene sequences related to human health and disease.
Of concern to government is a perception that patents over genetic technologies, or a perceived lack of licences to use these patents in Australia, unreasonably restricts or delays patient access to medical advice based on the latest diagnostic tests. Other areas of sensitivity include climate change mitigation, food security and alternative energy technologies, and technical standards essential patents (for example, in telecommunication technologies).
The Commission is to provide a final report to the Government in nine months.

Its Terms of Reference are -
The Commission is requested to review the operation of the compulsory licensing provisions in the Patents Act 1990, in particular: 
  • Assess whether the current Australian provisions can be invoked efficiently and effectively to deal with circumstances where reasonable requirements of the public are not being met or where the patentee engages in anti-competitive conduct. This includes, but is not limited to, consideration of concerns that gene patents may hinder access to affordable healthcare, including access to medical advice that relies on the identification and use of gene sequences related to human health and disease. 
  • Advise on the frequency, and impact, of the issue of compulsory licences in comparable markets and the common features in such compulsory licenses. 
  • Recommend any measures that may be required to efficiently and effectively exercise these safeguard provisions and invoke their use in a manner consistent with Australia's international obligations, without limiting access to overseas technologies, technology transfer, research and development investments or substantially reducing the patent incentive for innovation. 
  • Recommend any alternative mechanisms deemed necessary to ensure that the balance between incentives to innovate and access to technology best reflect objectives of ensuring reasonable access to health care solutions, maximising economic growth and growing the Australian manufacturing industry. 
  • Recommend measures to raise awareness of these provisions and their purpose, including the specific challenges of raising awareness among small businesses and the healthcare sector.
The Commission is to have regard to -
  • the importance of incentives for industry and researchers to invest in research and development, and innovation;
  • access to and transfer of technology, including climate change mitigation, food security, healthcare and alternative energy technologies, and standard essential patents in telecommunication technologies, particularly where multiple patentees are involved;
  • affordable and equitable access to healthcare, including medical treatments and diagnostic tests in Australia; 
  • recent changes to the intellectual property system reflected in the Intellectual Property Laws Amendment (Raising the Bar) Act 2012, including the research exemption; 
  • other relevant parts of the intellectual property system, such as crown use provisions; and
  • the range of international approaches.
Interestingly, the inquiry is being undertaken by the Productivity Commission rather than by the Australian Law Reform Commission. There may be two reasons for that choice. The first is simply incapacity at the ALRC, following a succession of funding cuts that have been noted elsewhere in this blog. The second is that the Productivity Commission has particular values, but little experience in dealing with questions about intellectual property and little affinity with the rights of IP holders. Along with the Treasury it is a bastion of what Michael Pusey characterised as 'economic rationalism', the philosophy that government intervention distorts the market and necessarily reduces national economic competitiveness. Would compulsory licensing substantially improve national economic performance, indeed improve it so significantly as to offset problems such as trade sanctions by the US? The answer is unclear, although my sense is that the answer is no.

Therapeutic Homicide?

With the recent Carter v Canada (Attorney General) 2012 BCSC 886 euthanasia decision in mind it is interesting to see 'Choosing when and how to die: Are we ready to perform therapeutic homicide?', an editorial [PDF] by Ken Flegel & John Fletcher in the Canadian Medical Association Journal regarding the Dying With Dignity report from the Quebec legislature earlier this year.

The authors comment that
the report calls for a change in thinking, arguing that there will still be cases where suffering is great, irreversible and unrelievable, such that the only option is actively helping a person to die. 
The recommendation [regarding physician-assisted death] is based on two legal considerations. First, the civil code recognizes the right of adult patients to make medical decisions concerning their care, even if refusing or stopping treatment may result in their death. Second, both the Quebec and Canadian charters of rights and freedoms enshrine the rights to personal dignity and integrity. These rights imply a respect for self-determination and a person’s physical and psychological well-being. These are powerful arguments and suggest that an individual should be able to make life’s important decisions in a free and unconditional way, including deciding when the struggle to stay alive should end. However, this line of reasoning only supports an individual’s right to end his or her own life. 
Proponents of “dying with medical assistance” must argue that a patient’s rights invoke a corresponding medical duty to provide the means if a patient cannot, and it follows that this should be done in a safe and expert way. Hence, the act of assisting death would need to move from the context of being criminal to being part of the continuum of end-of-life care. 
Many physicians and patients will find this a shocking prospect to consider. If their views are to prevail, they will need to argue why there should be limits to a person’s autonomy. Human dignity may imply certain rights and freedoms, but conflicts among people’s rights are hard to resolve. Frail, dependent patients often feel a burden to their families or caregivers, and the unspoken possibility of a quick resolution to their predicament may complicate an already stressful situation. Removing the legal barrier to ending another’s life may ensure the self-dignity of those who wish to die, but may distress and remove the self-dignity of more people who wish to live.
The salient recommendations of the Quebec report are -
12  The Committee recommends that persons diagnosed with an incurable disease be given an information guide on their rights and the available services and resources. 
13 ... that relevant legislation be amended to recognize medical aid in dying as appropriate end-of-life care if the request made by the person meets the following criteria, as assessed by the physician: 
• the person is a Québec resident according to the Health Insurance Act;
• the person is an adult able to consent to treatment under the law;
• the person himself or herself requests medical aid in dying after making a free and informed decision;
• the person is suffering from a serious, incurable disease;
• the person is in an advanced state of weakening capacities, with no chance of improvement;
• the person has constant and unbearable physical or psychological suffering that cannot be eased under conditions he or she deems tolerable. 
14 ... that relevant legislation be amended to include the following guidelines: 
• all requests for medical aid in dying must be made in writing by way of a signed form;
• the request must be repeated within a reasonable period of time, depending on the type of disease;
• the attending physician must consult with another physician on whether the request meets the eligibility criteria;
• the physician consulted must be independent of the patient and the attending physician, and be competent with respect to the disease in question;
• the attending physician must complete a formal declaration of medical aid in dying. 
15 ... that a body be created to control and evaluate medical aid in dying and whose responsibilities would be to: 
• verify whether acts of medical aid in dying were carried out according to the conditions provided by law;
• publish an annual report, including statistics, on acts of medical aid in dying;
• publish, every five years, a report on the implementation of medical aid in dying provisions. 
16 ... that the appropriate National Assembly committee examine the five-year report of the control and evaluation body. 
17 ...  that relevant legislation be amended to recognize that an adult with the capacity to consent is entitled to give an advance directive for medical aid in dying in the event he or she becomes irreversibly unconscious, based on scientific knowledge. This advance directive for medical aid in dying: 
• must be given in a free and informed manner;
• is legally binding;
• must take the form of a notarized act or an instrument signed by two witnesses, including a commissioner of oaths;
• may mention the name of one or more trusted persons who will ensure the directive is known. 
18 ... that relevant legislation be amended to include the following guidelines: 
• the attending physician must consult another physician to confirm the irreversible nature of the unconsciousness;
• the physician consulted must be independent of the patient and the attending physician. 
19 ... that the ministère de la Santé et des Services sociaux: 
• take the necessary measures to ensure the advance directive for medical aid in dying appears in a person’s medical file and is recorded in a register;
• ensure that physicians check for the existence of such a directive in patient medical files or in the register;
• ensure that each establishment’s service quality and complaints commissioner periodically verifies compliance with advance directives for medical aid in dying. 
20 ... that the Attorney General of Québec issue directives (in the form of “guidelines and measures”) to the Director of Criminal and Penal Prosecutions to ensure that a physician who provides medical aid in dying in accordance with the criteria provided by law cannot be prosecuted. 
21 ... that the Collège des médecins du Québec amend its Code of Ethics so that physicians may provide medical aid in dying in accordance with the criteria provided by law while confirming their right to conscientious objection and their obligation, in such a case, to refer their patient to another physician. 
22 ... that the Ordre des infirmières et infirmiers du Québec amend its Code of Ethics to allow its members to help provide medical aid in dying in accordance with the criteria provided by law while, however, confirming their right to conscientious objection.

Jedilicious

After radio interviews and a piece on perceptions of the national population & housing census I was delighted to see some of the dissections of data from that survey.

The ABC's Lateline reports that the number of adherents to the belief system known as Scientology has declined, with a mere 2,163 Australians identifying themselves as Scientologists in 2011, a 13.7% fall from the 2006 census and of course at odds with 2009 promotion in which a Hubbard devotee claimed that there were "tens, if not hundreds of thousands" of Scientologists in Australia, and with hype about support in connection with last year's employment inquiry.

The number of self-identified Rastafarians is up by 30%. 'Pantheists' increased by 35% and self-identified Jedis reached 65,000. There were a miserable 8,000 Wiccans, one of whom is presumably Ms Eilish De Avalon.

Lateline quotes a "Jedi Master" (no indication of whether he can deliver the goods when asked to do telekinesis or other Jedi tricks) as explaining -
It’s less of a stigma now. Right back in 2001 there was that stigma - that it was a joke religion and that it was just a prank played on the census but I'm finding that I declare myself as Jedi everywhere I go and I'm finding less and less heckling or giggling. ... It is a serious religion; it’s a very serious religion. More than half the population in the world believe in a life force energy. We believe in The Force as our life force energy.
The ABS reports that
In the past decade, the proportion of the population reporting an affiliation to a Christian religion decreased from 68% in 2001 to 61% in 2011. This trend was also seen for the two most commonly reported denominations. In 2001, 27% of the population reported an affiliation to Catholicism. This decreased to 25% of the population in 2011. There was a slightly larger decrease for Anglicans from 21% of the population in 2001 to 17% in 2011. Some of the smaller Christian denominations increased over this period - there was an increase for those identifying with Pentecostal from 1.0% of the population in 2001 to 1.1% in 2011.
There were 529,000 Buddhists and 476,300 adherents of Islam. Some 22% of the population identified as 'No Religion' (up from 15% in 2001), and 28% of people aged 15-34 reported no religious affiliation.

It's too early, of course, for stats on the local branch of The Church of Kopimism (ie Pirate Bay At Prayer).

Archives

The Australian National Audit Office has released its report [PDF] on Records Management in the Australian Public Service (Audit Report No.53 2011–12).

The report centres on electronic records management and archiving, concluding that aspects of practice in the three agencies examined (Customs, the Department of Immigration & Citizenship and the Treasury) remain inadequate.

The ANAO comments that
In 2008–09, the estimated annual cost of onsite paper storage of records for 138 Australian Government agencies and bodies was $208 million. The increased use of information technology by agencies has placed pressure on the adequacy of paper‐based records management systems to adequately support the capture, maintenance, access, retention and disposal of records. Australian Government agencies create a substantial amount of electronic information and records as part of their normal operations. However, in 2009 less than 30% of these agencies and bodies managed the majority of their records digitally, even though more than half reported having an Electronic Document and Records Management System (EDRMS) and using other electronic business systems to manage records. Establishing effective records management, particularly digital records management, represents a significant business issue for many agencies. 
To provide impetus and direction for digital records management, in July 2011 the Australian Government announced a policy for agencies to move to electronic records management for efficiency purposes. This policy is referred to as the Digital Transition Policy. It involves agencies’ senior management driving a change to digital records management through an increased focus on resource requirements and records management functionality when purchasing new electronic business systems, and reducing paper stockpiles.
In looking at the chosen agencies for a snapshot of national government records management practice, the ANAO goes on to note that -
Each agency maintained a core records management system which supported the management and destruction or transfer of records captured in the system, although there was scope to improve the use and performance of these systems. Many other electronic business systems that were not identified and functioning as ‘records management systems’ were also used by the agencies to create, capture and manage records. These systems did not generally meet legal requirements relating to the management, and destruction or transfer of records. The use of such systems also created a risk that inaccurate or incomplete information could be accessed and used when making decisions, and acquitting legal and policy requirements, such as responding to freedom of information requests. 
The agencies had all experienced delays in transitioning to a digital records management environment that adequately supports business, meets legal and policy requirements, and is easy to use. Implementing digital records management systems and practices is complex, resource intensive and requires significant cultural change. Nevertheless, the need to have robust digital records management is becoming more pressing, particularly given the cost of managing paper records, application of new and changing technologies to improve programs and service delivery ...
It offers several findings at 19 through 29 -
 Assessing records management needs and risks 
Assessing records management needs and risks is an important step in developing an appropriate and effective records management approach. A key action that agencies should take is to develop records authorities to determine the retention, destruction and transfer requirements in accordance with the Archives Act. The three agencies had established, or were in the process of establishing, records authorities for their core business to guide proper disposal of records. The agencies had also completed reviews which identified significant issues and business risks in relation to information and records management or, at the very least, acceptance of records management systems and the application of relevant policy and guidance. These reviews identified a range of treatments to address risks presented by the agency arrangements. However, each agency has experienced delays in progressing effective treatments to information and records management risks, reflecting the relative priority of these issues to other business issues, and the complexity of their treatment. 
A key records management need relates to the development of a digital records management environment. Each of the agencies had identified a need to move to digital records management by implementing an EDRMS and incorporating records management functionality in electronic business systems that contain records. However, despite identifying a need for an EDRMS in 1999, and in subsequent years, Customs’ records management remains paper based. In 2000 and 2004 respectively, DIAC and Treasury had implemented an EDRMS to manage a significant proportion of their records. However, these agencies had further work to do to improve the use, acceptance and/or performance of their EDRMS. 
Other electronic business systems may also be used to create, use, maintain and dispose of records for particular business activities if appropriately managed. To provide for sound management of electronic records in business systems, agencies should consider records management needs during the planning, acquisition, development and implementation of electronic business systems. The agencies generally did not consider the need for records management functionality during these phases, although DIAC had recently changed its IT management arrangements to address this issue.  As a result, some agency systems were being used to maintain records even though they had not been designed to do so. Conversely, some systems could have been used to manage records but no consideration had been given to their potential to fulfil this function. 
It is important for agencies to identify vital electronic and paper records and develop contingency arrangements to enable their timely recovery in the event of a disaster, as part of business continuity planning. Treasury’s records management area had a vital records register which it updated on an ad hoc basis. However, none of the agencies had identified vital records in the context of their business continuity planning processes. Instead, these processes focused on disaster recovery arrangements for electronic systems, thereby providing the agency with the ability to recover information held in an electronic system within specified timeframes. Such approaches do not address the recovery of vital paper records in the event of a disaster. The need to have in place contingency arrangements for paper records was demonstrated following the 2011 Queensland floods, when some Australian Government agencies needed to destroy paper records affected by flood waters.   
Support for records management 
Records management policies and guidance outline an agency’s expectations in relation to information and records management for all staff, including the appropriate creation, capture and storage of records in approved records management systems when undertaking their work. Agencies must first determine the information that needs to be created and received in the context of each of their major business activities. In this respect, Customs and DIAC needed to further develop their guidance on records to create for each major business activity, and Treasury needed to promote the use of its existing guidance. 
Agencies should then identify electronic business systems that are records management systems and specify how all electronic business systems that contain records should be used to manage the records that have been created or received. DIAC and Treasury had adopted a policy to manage a significant proportion of their records electronically by implementing an EDRMS. While this has led to an increase in the volume of records held electronically in the core records management system, further significant changes were required to better support the digital management of records. In particular, the agencies need to discourage unnecessary use of paper files and remove electronic systems, such as shared folders, that provide an alternative place to create, edit and keep records. Customs had a ‘print to paper’ policy that recognised a number of electronic systems were used to create records but required information from those systems to be printed and placed on a paper file. Customs intended to move to an EDRMS as it was recognised that existing arrangements for capturing electronic records were inadequate and inconsistent, and that paper records did not capture all business decisions. More generally, the agencies often had not developed sufficient guidance on the use of other electronic business systems that contain records to help ensure that records are appropriately created or captured, and then transferred to or maintained in approved records management systems, including copying records where appropriate to the core records management system. 
To efficiently manage their records and comply with approved records authorities, agencies need to implement sentencing and disposal programs. Of the three agencies, Treasury had established an annual sentencing program and Customs had commenced development of a sentencing program in July 2011. DIAC had undertaken limited sentencing and disposal work because of a Moratorium on the Destruction of Department Files for several types of records, including client records. 
Systems used to manage records need to be able to preserve the integrity of information, including through quality control procedures to ensure the completeness and trustworthiness of records; and system controls over access and security. However, as indicated ... many electronic systems that were not records management systems, such as shared folders, email, and certain electronic business systems, were being used to store and manage records even though they did not have suitable records management functionality. In some of these systems there were insufficient controls in place to ensure the authenticity and integrity of the records they contained. Delays in filing information from shared folders to the core records management system also exposed records to alteration and deletion, ultimately impacting on the integrity and authenticity of the record. 
It is important to minimise data quality issues in information and records holdings so that the information and records can be considered accurate and reliable. DIAC is aware of data quality issues affecting significant migration processing systems, for example, the creation of multiple records where it cannot be reliably determined that the client records relate to the same person. In June 2011 a review of potential duplicate records in relation to one of the migration processing systems identified there were 653,861 multiple records.  These data quality issues have the potential to increase the risks associated with identity resolution, border operations and departmental reputation. From a policy and guidance perspective DIAC is reviewing the nature and source of data quality issues, and has plans, as part of its information management framework, to implement new data management arrangements to address these issues. 
A significant risk to Australian Government agencies in relation to records management is their ability to access complete and comprehensive information when it is required for business or legal purposes, including responding to freedom of information (FOI) requests in a timely manner. For the three agencies, information and records access was impeded by existing information and records management arrangements. For example, information and records for a business activity were often held in a variety of locations and electronic business systems. Staff did not have access to all locations and systems, and generally had limited understanding of information holdings that fell outside of their day‐to‐day responsibilities. Staff often stored information in a variety of places, but did not have consistent rules about the records that needed to be created and where they would be captured. This means information is captured, managed and accessible on a silo basis. The agencies did not have a widespread culture of consistently using approved records management systems, including the EDRMS and electronic business systems, to support efficient and comprehensive searches for information. 
Where electronic business systems are used to manage records, the retention and destruction of information should be undertaken in accordance with relevant records authorities. With the exception of designated records management systems, none of the electronic business systems examined by ANAO sufficiently provided for sentencing, destruction and transfer in accordance with records authorities. For most of the systems, fields could be overwritten. If this occurred, available audit trails would indicate an edit had occurred but generally did not identify the changes.
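As an added illustration (not code from the ANAO report or from any of the audited agencies' systems) of the difference between an audit trail that only records that an edit occurred and one that identifies the change, here is a small Python record store whose every field update is written to an append-only, hash-chained trail. The record identifiers, actors and values are constructed for the example.

```python
import hashlib
import json
from typing import Any

GENESIS = "0" * 64  # stands in for the hash of the entry before the first one


class AuditedStore:
    """In-memory record store with an append-only, hash-chained audit trail.

    Every field change is logged as its own entry carrying the record, the actor,
    the field name, the old value and the new value, so the trail answers "what
    changed" rather than only "an edit happened". Each entry also commits to the
    hash of the previous entry, so an entry rewritten or deleted after the fact
    is detected by verify().
    """

    def __init__(self) -> None:
        self.records: dict[str, dict[str, Any]] = {}
        self.trail: list[dict[str, Any]] = []

    @staticmethod
    def _digest(entry: dict[str, Any]) -> str:
        # Hash everything except the entry's own hash field, with a canonical key order.
        body = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def _append(self, entry: dict[str, Any]) -> None:
        entry["seq"] = len(self.trail)
        entry["prev"] = self.trail[-1]["hash"] if self.trail else GENESIS
        entry["hash"] = self._digest(entry)
        self.trail.append(entry)

    def update(self, record_id: str, actor: str, changes: dict[str, Any]) -> int:
        """Apply field changes to a record; returns the number of audit entries written."""
        rec = self.records.setdefault(record_id, {})
        written = 0
        for fld, new in changes.items():
            old = rec.get(fld)
            if old == new:
                continue  # a no-op edit leaves neither a trace nor noise
            self._append({"record": record_id, "actor": actor,
                          "field": fld, "old": old, "new": new})
            rec[fld] = new
            written += 1
        return written

    def history(self, record_id: str, fld: str) -> list[tuple[Any, Any]]:
        """(old, new) pairs for one field of one record, oldest first."""
        return [(e["old"], e["new"]) for e in self.trail
                if e["record"] == record_id and e["field"] == fld]

    def verify(self) -> bool:
        """True if every entry's hash matches its content and links to its predecessor."""
        prev = GENESIS
        for i, e in enumerate(self.trail):
            if e["seq"] != i or e["prev"] != prev or self._digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True


if __name__ == "__main__":
    # Constructed sample edits to a fictitious client record.
    store = AuditedStore()
    store.update("client-1", "officer-7", {"name": "A. Smith", "dob": "1970-01-01"})
    store.update("client-1", "officer-9", {"dob": "1971-01-01"})
    for old, new in store.history("client-1", "dob"):
        print(f"dob: {old!r} -> {new!r}")
    print("trail intact:", store.verify())
    store.trail[1]["new"] = "1969-01-01"  # simulate someone rewriting the log
    print("trail intact after tampering:", store.verify())
```

The hash chain is a lightweight tamper-evidence measure, not tamper prevention: a privileged user can still rewrite the log, but a rewritten or deleted entry shows up at verification. Anchoring the latest hash somewhere the log writer cannot alter (a separate system, or a periodically published digest) is what turns this into a real control.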

Connoisseurship

'Connoisseurship and Its Potential in Matters of Copyright' by Joan Kee in 8(2) Law, Culture and the Humanities (2012) 333-349 comments that -
 Among the most persistent and difficult problems in the field of copyright law is determining whether copying has actually occurred. This article responds to this challenge by proposing that judges and juries consider practices used in disciplines revolving around the close and methodical viewing of visual objects. Of special interest is connoisseurship, long employed by art historians, curators, and collectors to adjudicate the origins, provenance, and authenticity of art. Mindful of law’s emphasis on the spoken and written word, this article focuses especially on the visual analyses of Otto Pächt and Hans Sedlmayr, two art historians whose foundational status in the discipline of art history stems from the extent to which they attempted to systematically translate the experience of looking into words. The article concludes with a brief test case drawn from the high-profile 2005 dispute between architects Thomas Shine and David Childs over the latter’s alleged infringement of the former’s design.

EU Cookies and Transfers

The Article 29 Working Party - the independent advisory body drawn from the EU national data protection authorities, the European Data Protection Supervisor and the European Commission - has released a 12-page Opinion (ie formal Guidelines) clarifying exemptions to the Cookie Consent Requirement in the EU 2002 E-Privacy Directive [PDF].

Earlier posts have noted the Working Party's concentration on 'consent' in electronic interactions.

This month's Opinion 04/2012 addresses which types of cookies are exempted from the informed user-consent requirement under the European Parliament Directive 2002/58 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy & electronic communications).

Article 5.3 of that Directive, as amended by Directive 2009/136/EC, requires website operators to obtain informed consent from users before storing cookies on (or reading information from) the devices of people visiting their sites. The text quoted below is the original 2002 wording, which required only clear information and a right to refuse; the 2009 amendment replaced the right to refuse with a requirement that the user "has given his or her consent", and it is that consent requirement, and the two exemptions in the second sentence, that the Opinion addresses -
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.
There are two exemptions -
  •  when the cookie is used for the sole purpose of carrying out the transmission of a communication over an electronic communications network; and 
  • when the cookie is strictly necessary in order for an "information society service" provider to provide the service  explicitly requested by the user. 
Where a doubt remains as to whether the cookie falls within an exemption, site operators should seek consent from the user.

The Opinion stresses the narrow scope of the first 'sole purpose' exemption. The words “sole purpose” mean that such cookies will be exempted only if they are strictly necessary for communication to take place over a network between two parties. Three elements should be considered -
  • the ability to route information over the network, 
  •  the ability to exchange data items, and 
  •  the ability to detect transmission errors or data loss. 
The Opinion indicates that the second exemption is necessarily broader. It offers several examples -
  • 'user input' cookies (shopping-cart cookies),
  • authentication cookies, such as those used to identify the user once that person has logged in to an online banking site,
  • security cookies designed to detect failed login attempts on a website, and
  • multimedia player session cookies needed to play audio or video content.
The Opinion emphasises that storage under the second exemption is restricted to what is strictly necessary for the user rather than the service provider. That has several consequences.

Third-party cookies used for behavioral advertising and third-party tracking cookies used by social network services such as Facebook in the collection of data for behavioral advertising or market research are thus not exempted. The duration of the cookie should reflect the functionality for the user. 'Persistent cookies' - that remain stored in a user’s device after the user closes the browser and potentially linger there for years - are less likely to be exempted.
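The two header-level signals the Opinion treats as weighing against exemption, persistence beyond the browser session and third-party origin, can be checked mechanically from captured Set-Cookie headers. The following audit script is an added example, not part of the Opinion or of any vendor tool; the sample responses, the site host shop.example and the crude same-site test (last two labels, no public suffix list) are constructed assumptions. A cookie's purpose (cart, login, failed-login detection, media session) cannot be read from the header, so the script only flags candidates for consent review rather than deciding exemption.

```python
"""Flag cookies unlikely to fall under the 'strictly necessary' exemption.
Added example: applies the Opinion's two header-level signals, persistence
and third-party origin. Purpose remains a manual judgement."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: (host that sent the response, Set-Cookie header value),
# as a crawler might capture them while loading one page of shop.example.
SAMPLE_RESPONSES: List[Tuple[str, str]] = [
    ("shop.example", "cart=a1b2c3; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "sessionid=9f8e7d; Path=/; Secure; HttpOnly"),
    ("shop.example", "theme=dark; Path=/; Max-Age=31536000; SameSite=Lax"),
    ("ads.tracker.example",
     "uid=42; Domain=.tracker.example; Path=/; "
     "Expires=Fri, 01 Jan 2016 00:00:00 GMT; SameSite=None; Secure"),
]


@dataclass
class CookieFinding:
    name: str
    origin: str
    persistent: bool
    third_party: bool
    flags: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into the cookie name and its attributes.
    Attribute names are lower-cased; flag attributes such as Secure map to
    None. Expires values contain a comma, so the split is on ';' only."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def is_persistent(attrs: Dict[str, Optional[str]]) -> bool:
    """A cookie with neither Expires nor Max-Age dies with the browser
    session. Max-Age takes precedence over Expires (RFC 6265); a Max-Age of
    zero or less deletes the cookie rather than persisting it."""
    max_age = attrs.get("max-age")
    if max_age is not None:
        try:
            return int(max_age) > 0
        except ValueError:
            return False
    return "expires" in attrs


def same_site(origin: str, site_host: str) -> bool:
    """Crude same-site test (assumption for this example): the origin and the
    site host share their last two labels. A real audit would consult the
    public suffix list."""
    def base(host: str) -> str:
        labels = host.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])
    return base(origin) == base(site_host)


def audit_cookies(responses: List[Tuple[str, str]],
                  site_host: str) -> List[CookieFinding]:
    """One finding per Set-Cookie header, carrying the review flags that the
    Opinion's reasoning attaches to it."""
    findings: List[CookieFinding] = []
    for origin, header in responses:
        name, attrs = parse_set_cookie(header)
        persistent = is_persistent(attrs)
        third_party = not same_site(origin, site_host)
        flags: List[str] = []
        if persistent:
            flags.append("persistent")
        if third_party:
            flags.append("third-party")
        findings.append(CookieFinding(name, origin, persistent, third_party, flags))
    return findings


if __name__ == "__main__":
    for f in audit_cookies(SAMPLE_RESPONSES, "shop.example"):
        status = "review consent" if f.flags else "no header flag; check purpose"
        print(f"{f.name:10s} {f.origin:22s} {', '.join(f.flags) or '-':24s} {status}")
```

Run against a real capture, the input would be the response host and the raw Set-Cookie value for every response observed while loading a page; the two first-party session cookies come out unflagged, the year-long theme cookie is flagged as persistent, and the tracker's cookie is flagged on both counts.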

In emphasising transparency the Opinion notes that "social networks have ample opportunity to collect consent from their members directly on their platform if they wish to conduct such tracking activities, having provided their users with clear and comprehensive information about this activity".

The Working Party has also released guidance [PDF] on Binding Corporate Rules for organisations transferring personal data outside of the European Economic Area on behalf of other bodies. The expectation is that the guidance will allow those data processors to develop internal codes of conduct relating to data privacy and ensure data transfer complies with EU data protection law.

29 June 2012

ALRC

The Australian Law Reform Commission (ALRC) has released the Terms of Reference for its inquiry - headed by Professor Jill McKeough - into 'Copyright and the Digital Economy'.

The ALRC is to consider "whether the exceptions and statutory licences in the Copyright Act 1968 (Cth) are adequate and appropriate in the digital environment", having regard to:
  • the objective of copyright law in providing an incentive to create and disseminate original copyright materials;
  • the general interest of Australians to access, use and interact with content in the advancement of education, research and culture;
  • the importance of the digital economy and the opportunities for innovation leading to national economic and cultural development created by the emergence of new digital technologies; and
  • Australia’s international obligations, international developments and previous copyright reviews.
The ALRC is to consider - "amongst other things" - "whether existing exceptions are appropriate and whether further exceptions should" -
  • recognise fair use of copyright material;
  • allow transformative, innovative and collaborative use of copyright materials to create and deliver new products and services of public benefit; and
  • allow appropriate access, use, interaction and production of copyright material online for social, private or domestic purposes.
The Commission is to -
  • take into account the impact of any proposed legislative solutions on other areas of law and their consistency with Australia’s international obligations;
  • take into account recommendations from related reviews, in particular the Government’s Convergence Review; and
  • not duplicate work being undertaken on: unauthorised distribution of copyright materials using peer to peer networks; the scope of the safe harbour scheme for ISPs; a review of exceptions in relation to technological protection measures; and increased access to copyright works for persons with a print disability.

Telstra Breach

Last year I noted a large-scale data breach involving Telstra, another one of those recurrent instances that lead to scepticism about industry commitment to best practice in data protection.

The national Privacy Commissioner has today released a gentle report on its own motion investigation of the breach under the Privacy Act 1988 (Cth).

The Commissioner found Telstra to be in breach of National Privacy Principles 2.1 (Use and disclosure) and 4.1 (Data security) - characterised as "easily avoided if appropriate planning was undertaken" - but closed the investigation after reviewing the remediation plans Telstra has in place.

That is consistent with the Commissioner's response to previous incidents involving telcos (eg noted here), albeit this time the Commissioner appears to have sought to head off criticism by stating that
The Privacy Act does not give me the power to impose any penalties or seek enforceable undertakings from organisations I have investigated on my own initiative. However, the privacy law reforms that are currently before Parliament will provide me with additional powers and remedies when conducting such investigations. 
No indication of whether the Commissioner will actually use those "powers and remedies". The OAIC's waste of an opportunity to exhort the telco sector to best practice or even shame Telstra (in the absence of a financial penalty) suggests that not much is going to happen.

The Australian Communications & Media Authority found Telstra breached the Telecommunications Consumer Protections Code and was more acerbic in characterising Telstra's conduct.

Last year's breach involved potential online access to the records of some 730,000 Telstra customers, including information such as customer names, phone numbers, order numbers and in a very limited number of cases dates of birth, drivers licence numbers and credit card numbers.

The Commissioner
found the privacy breach occurred because of a series of errors revealing significant weaknesses in Telstra's reporting, monitoring and accountability systems. Of particular concern is that a number of Telstra staff knew about the security issues with the database but did not raise them with management. This incident could have been easily avoided if appropriate planning was undertaken. 
No indication, alas, of whether the Commissioner has consulted with Telstra's competitors to ascertain whether their customers are likely to encounter a similar breach. Nothing substantive regarding the articulation of standards or a strong call to best practice, desirable amid indications this week that Telstra has recently engaged in problematical sharing of information. Telstra does not appear to have a strong privacy culture and there has been no resounding public commitment on the part of its executive to ensure that the cotton wool isn't pulled over senior management's eyes in future.

ACMA's acting Chair commented
We are most concerned about the length of time–more than eight months–during which a significant number of Telstra customers’ personal information was publicly available and accessible
ACMA's report [PDF] is less positive than that from the Privacy Commissioner.

It states that -
the chain of events suggests that the Legal and Privacy departments relied on incorrect information provided to them on more than one occasion, and Telstra has provided no evidence to suggest that it prepared a report on this issue or escalated the matter internally once it became aware this had occurred. ...
Telstra has not provided any information on its processes to escalate and action identified privacy risks. Given the absence of this information and the number of times that it was identified and reported that the Visibility Tool could be externally accessed (twice in March 2011, once in July 2011 and once in November 2011), the ACMA does not accept Telstra’s assertion that the incident was caused by a failure of a small number of people to follow its processes and safeguards rather than a failure of its processes and safeguards themselves.
That is at odds with Telstra's low-key statement that -
As we did at the time, we sincerely apologise to any of our customers impacted. 
An incident like this is unacceptable. We take our privacy obligations very seriously and invest considerable time and resources in ensuring the privacy of our customers’ personal information. 
We conducted a full investigation into why this incident happened, in conjunction with the OAIC and the ACMA. We identified a number of areas where our technology, processes and training have to be improved. We have taken actions to improve all of these areas and will continue to do so.
The Privacy Commissioner indicates that "Telstra has committed to a remediation project to introduce significant measures to protect the security of the personal information it holds and prevent unauthorised access and disclosure in the future".

Telstra has been asked to provide a report by October 2012 on the progress of its remediation project and a final report by April 2013.

Trafficking

The Australian Institute of Criminology’s second Trafficking in persons Monitoring Report (covering the period January 2009 to June 2011) has been released by the Attorney-General and the Minister for Home Affairs and Justice. People trafficking is criminalised by the Criminal Code Amendment (Slavery and Sexual Servitude) Act 1999 (Cth) - with offences of slavery, sexual servitude and deceptive recruiting - and the Criminal Code Amendment (Trafficking in Persons Offences) Act 2005 (Cth) that identifies offences of trafficking in persons, trafficking in children, domestic trafficking in persons and debt bondage.

The monitoring report, based on statistics from the Australian Government and an online AIC survey, indicates that between January 2004 and June 2011 there were 305 investigations and assessments of trafficking-related offences. 184 victims of trafficking were provided with assistance through the Office for Women’s Support for Trafficked Persons Program. Thirteen people were convicted of trafficking-related offences (9 were convicted of slavery offences, 3 of sexual servitude and 1 of people trafficking), for example The Queen v Wei Tang [2006] VCC 637.

Most victims were women trafficked for sexual exploitation (68% of police investigations and 81.4% of program clients).

The AIC survey of respondents’ understanding of trafficking and their attitude to a range of related issues (including people who are unlawfully in Australia, labour exploitation, sex work and the notion of ‘deserving’ victims) was run nationally in mid-2009. 63% of the 1,617 respondents were female, 46% were aged between 30 and 49, 76% were born in Australia, 75% were living in the eastern states and 50% were in full-time employment.

The AIC concludes that
survey participants were, by and large, reasonably well informed about trafficking and held quite humane attitudes. There was strong support for the notion that the human rights of trafficked persons are paramount and that trafficked persons require support regardless of how they arrive in Australia.
A complementary AIC research paper on People trafficking in Australia recommends that official statistics should be supplemented with data from NGOs working with human trafficking victims to create a national minimum dataset to improve knowledge of trafficking in Australia.

28 June 2012

Filtering

The 55 page 'Can a Computer Intercept Your Email?' (Marquette Law School Legal Studies Paper No. 12-05, forthcoming in Cardozo Law Review) by Bruce Boyden looks at the legality of US email filtering schemes.

Boyden comments that
In recent years it has become feasible for computers to rapidly scan the contents of large amounts of communications traffic to identify certain characteristics of those messages: that they are spam, contain malware, discuss various products or services, are written in a particular dialect, contain copyright-infringing files, or discuss symptoms of particular diseases. There is a wide variety of potential uses for this technology, such as research, filtering, or advertising. But the legal status of automated processing, if it is done without advance consent, is unclear. Where it results in the disclosure of the contents of a message to others, that clearly violates the federal law governing communications privacy, the Electronic Communications Privacy Act (ECPA). But what if no record of the contents of the communication is ever made? Does it violate communications privacy simply to have a computer scan emails?
I argue that automated processing that leaves no record of the contents of a communication does not violate the ECPA, because it does not “intercept” that communication within the meaning of the Act. The history, purpose, and judicial interpretation of the ECPA all support this reading: interception requires at least the potential for human awareness of the contents. Furthermore, this is not simply an accident of drafting, an omission due to the limited foresight of legislators. Under most theories of privacy, automated processing does not harm privacy. Automated processing may in some cases lead to harm, but those harms are not, in fact, privacy harms, and should be analyzed instead under other legal regimes better adapted to dealing with such issues.
He concludes that
a communications privacy statute protects against one particular form of harm, one that is relatively easy to identify but difficult to measure: the loss that everyone using a particular mode of communication will experience if using that mode results in a loss of privacy. ... The difficulty is that “privacy” is a capacious concept. Without clear boundaries, there is a danger that a “privacy harm” justifying the invocation of a communications privacy statute could be defined as simply any negative consequence that results from the use of private, personal information in transit, regardless of its effect on status, reputation, control, or autonomy. Such a definition would have the advantage of making the rule of liability less dependent on context. But it is far too broad, as it would sweep in much activity that is not a privacy violation, as opposed to frustration of some other goal. There are other legal regimes to provide redress for other sorts of harms, but they may be more difficult to invoke - they may require proof of actual harm, or objective unreasonableness, or emotional distress, or state action. It may therefore be tempting to take advantage of the nebulousness of the concept of “privacy” by classifying harms resulting from handling of communications as privacy harms, giving rise to a claim under the present or a future amended Wiretap Act.
But that would be a mistake. Using the unilinear penalties of the Wiretap Act to address highly contextualized harms would be like using a sledgehammer to repair a filigree. Consider a colorful example to illustrate the point: suppose someone sends an email with an attachment and the ISP scans the content for malware. However, in the process and as a result of the scan, the ISP’s email server explodes and all data stored on it is lost, including many of the sender’s emails. The loss of those emails is certainly detrimental to the sender, and it resulted from a use of the content of his or her communication. The proper rule for analyzing liability in such a situation is negligence, breach of contract, or product liability. The loss of the emails might fairly be said to be a harm resulting from failure to take proper precautions, or failure to live up to a promise, or manufacturing a defective product. But it is not a privacy harm. ...
to the extent there are other goals impeded by some automated processing of the contents of communications, other legal regulatory schemes are better disposed to achieve those goals. Competitive harms are governed by trademark law, unfair competition law, antitrust law, and advertising law. The Due Process Clauses of the Fifth and Fourteenth Amendments have a large body of doctrine associated with them to adjudicate what constitutes fair procedures. The Wiretap Act’s core competencies lie elsewhere. The Act protects the privacy of communications - the penalties attach to interception, with only limited categorical exceptions, not measured according to the use or potential harm that results. The intrusion itself is the harm the Act prevents. The few instances in which the Wiretap Act requires an examination of the context of an interception - the consent exception, or the ordinary course of business exception, for example - are among the most problematic and most administratively difficult provisions in the Act to apply. Importing contextual determinations into a communications privacy statute reduces the effectiveness of the statute. Using the Wiretap Act as a more general privacy regulation is problematic because the nature of privacy is too amorphous to serve as the clear trigger for liability a communications privacy statute requires. 
We are only now at the advent of the use of computers to assist with tasks that previously were the sole province of human judgement. This development is one that holds considerable promise for assisting humans in coping with some of the consequences of the digital age, namely the flood of information that has resulted from the increased capacity to collect, store, copy, and transmit data. Automatic processing can help by categorizing, filtering, routing, or identifying patterns in that data and taking appropriate actions, without the need for human input.
Such automated processing does not pose any threat to privacy. Although there is a tendency to anthropomorphize computers, just like we anthropomorphize cars and toasters, a computer scanning an email is the functional equivalent of a thermostat turning on the heat. A thermostat is not a surveillance device; it does not monitor a house and make a decision about what temperature the house should be at. It mechanically triggers a switch according to its programming. Automated processing of communications is similar. There is therefore no need to erect a legal barrier to such processing in order to protect privacy, and the current Wiretap Act does not impose one. The Act has always required at least the prospect of human review, and not only because it was initially drafted in 1968. Rather, it is because, as the drafters of the ECPA in 1986 understood, computer monitoring is qualitatively different from human monitoring. It is the threat of human use of personal information that reduces privacy, and not simply that one’s information may be used in some way. 
It is too soon to tell exactly how much value there will be in automatically scanning and processing communications in situations that do not fall within an exception to the Wiretap Act - where prior consent cannot be obtained, and where the purpose is something other than operating or maintaining a computer network. But it appears likely that at least some useful applications would be impeded. For example, environmental controls based on detecting whether there is conversation or other sounds within a given room would require obtrusive notices to be placed around the room to ensure implied consent, perhaps detracting from the room’s aesthetics and perhaps leading to some uncertainty as to whether all users of the room will see them. There is no need to bear those costs, however, in the name of privacy.

27 June 2012

Munchies and JS Mill

After reading 'TV Cannibalism, Body Worlds and Trade in Human Body Parts: Legal-Philosophical Reflections on the Rise of Late Modern Cannibalism' by Britta Van Beers in 4(2) Amsterdam Law Forum (2012) 65-75 I was interested to read this week's lip-smacking coverage in the Adelaide Advertiser of a meal involving parts of Japanese artist Mao Sugiyama.

The Advertiser reports that Tokyo police are investigating whether Sugiyama committed a crime in cooking his own excised genitals and serving them to five paying diners. Sugiyama kept his penis and testicles frozen after surgical removal in March. He cooked and served them at a public event in May, with diners each paying 20,000 yen (US$250) per portion.
The police probe came after the mayor of Suginami ward, the Tokyo district where the event took place, said it had involved the display of obscene objects. "Many residents of Suginami and elsewhere have expressed a sense of discomfort and feeling of apprehension over this," Mayor Ryo Tanaka said. A Tokyo police spokeswoman acknowledged the complaint, but declined to give further details, citing "an ongoing investigation".
Sugiyama supposedly indicated that the event was meant to raise awareness about "sexual minorities, x-gender, asexual people" and complied with all relevant laws, including a ban on organ sales, processing of medical waste and food sanitation requirements. There's no indication that he's planning to move on to pureed Sugiyama brain or sauteed heart in an effort to epater the Tokyo bourgeoisie and gather the same renown, if that's the word, as Armin Meiwes. Ingestion of non-renewable body parts in Australia in recent decades appears to have been restricted to footballers and participants in bar-room fights and to prisoners with serious psychological problems (the latter typically eating their own ears rather than those of correctional officers and fellow inmates).

Van Beers comments that in December last year
two Dutch TV presenters ate pieces of each other’s flesh in front of a live television audience. Despite the obscurity of this cannibalistic episode in television history, the matter touches on a series of complex legal and philosophical questions that are discussed in this article, such as the boundaries of criminal law, the legal limits of personal autonomy and law’s changing relation to the biological aspects of life. Moreover, through its analysis of the arguments involved, this article offers legal-philosophical reflection on the role of taboos in legal approaches to the human body and derived materials.
She argues that
The Dutch TV cannibals probably aimed at breaking the last taboo. Yet the ensuing public debate on cannibalism offered illustrations of the way in which the human body and its elements are still surrounded by taboos. Secularisation processes notwithstanding, these taboos and symbolic representations of the human body are to a certain extent also present in contemporary law. This can explain why the victim’s consent is not accepted as a defence to charges of murder or battery, and why the patient’s consent in itself is not enough to justify surgical procedures. These constraints to one’s personal freedom are hard to justify from a traditional liberal perspective. In a way, the recent debate about the TV cannibals thus reveals the shortcomings of a purely Millsian approach to the legal status of the human body and derived materials.
However, even from a liberal perspective it is clear that the show is problematic. Although the cannibals may not have harmed anyone directly by their actions, it is another thing to then also broadcast these cannibalistic activities on public television. Obviously, the cannibalistic activities have the potential to offend many people. Also from a traditional liberal perspective, the prevention of serious forms of offense can be a good reason to prohibit certain kinds of behaviour, as Feinberg has convincingly argued. Thus, to a certain extent, the case of the Dutch TV cannibals raises the question to what extent taboos should be reflected in law. For several reasons, one has to be careful to translate the cultural prohibitions of taboos into legal prohibitions. Behind the facade of taboos harmful irrationalities, conservative prejudices or repressive stereotypes may be lurking. However, biomedical regulation has shown that taboos can also have a certain value to regulation. The new hybrids of humans, animals, products and persons with which we are increasingly confronted by biomedical developments, have made questions on the status of these new objects inescapable. How should we view human embryonic stem cells, artificial human tissues, brain dead patients or human-animal hybrids for instance? All of these hybrids mingle the foundational categories and distinctions with which most taboos are intertwined, such as the distinctions between life and death, humans and animals and persons and objects. According to Habermas, this involves “a dedifferentiation, through biotechnology, of deep-rooted categorical distinctions which we have as yet, in the description we give of ourselves, assumed to be invariant.” Within the regulation of these transgressive technologies new meanings and understandings of each of these categories are needed. In that process some taboos will perhaps be broken.
Yet other taboos may be reinterpreted in the cultural and political process of giving meaning to the new creations of biomedical technology. If we want to apply these technologies with respect for our humanity and dignity, discussion on the founding categories of human civilisation seems indispensable.
She had noted that
One can wonder why the sheer act of eating human flesh provokes such a fierce response. After all, those involved had pieces of their flesh removed, fried and eaten at their own request. Moreover, their physical injuries were kept to a bare minimum. In the future they will only have small scars left to remind them of their cannibalistic outing. It is through this line of thinking that the Dutch Minister of Education, Culture & Science Bijsterveldt-Vliegenthart argued, in answer to parliamentary questions, that none of the individuals involved in the cannibalistic TV performance are guilty of any criminal behaviour. She stressed that both TV hosts fully consented to the surgical removal and subsequent consumption of their flesh. Moreover, she did not see any compelling reason to prohibit such activities in the future. 
Yet, something more appears to be at stake. Eating human flesh seems wrong to many, regardless of the obtained informed consent or the degree of physical harm, as was also argued by two Members of Parliament in their questions to the Minister. Nevertheless, the question why exactly cannibalism would be wrong is very difficult to answer. We can perhaps offer scientific explanations for the disgust that cannibalism provokes in many of us, such as the theory that our instinctive revulsion is a biological mechanism that benefits the prevention of certain diseases. However, this is not the same as offering reasons for it. In a way, most taboos are groundless. Even if we were sure that cannibalism would not result in disease, most of us would still find eating human flesh problematic, without being able to explain exactly why. That is not to say that taboos are also meaningless. On the contrary, many classic taboos are connected with the fundamental distinctions and categories that are at the root of human civilisation, such as the distinctions between man and woman, human and animal, subjects and objects, and life and death. The prohibition of cannibalism is exactly such an ancient taboo. From this perspective it seems useless to attempt to justify our revulsion against cannibalism on solely rational grounds, as for instance Martha Nussbaum has tried. 
Nussbaum seems to agree that cannibalism is problematic, yet she argues that our only truly moral objections go back to either the corpse mutilation or the murder that precedes the cannibalistic act, and not the cannibalism itself. She thereby denies that the revulsion or disgust most feel for cannibalism has any moral, let alone, legal value. This raises the question of how Nussbaum views the existing prohibitions of corpse mutilation. According to her corpse desecration is wrong “because the treatment of the corpse is the perfectly legitimate concern of whoever holds it as property, whether the state or private individuals.” With “private individuals” Nussbaum is primarily referring to the relatives and loved ones of the deceased. In other words, according to her corpse mutilation is wrong to the extent that it violates the property rights that the survivors and the state have on corpses. 
Nussbaum seems relieved that through her approach “we need not take any stand on the metaphysical issues connecting corpse and person”. Yet to speak of the relatives as the ‘owners’ of the deceased person’s corpse seems like a rather reductive understanding of what most of us mean by “respect for the dead”. The human body and human corpse may not have the status of full-fledged persons. Nonetheless, they also represent more than ordinary objects of property rights. Moreover, through her property approach of human corpses she is not able to explain why cannibalism would be wrong when people explicitly request to be eaten post-mortem, or when the family ‘owner’ of the corpse wishes to engage in cannibalistic activities with his deceased ‘property’. Finally, one can wonder whether Nussbaum really evades the metaphysical question. Her perspective seems to reflect a certain metaphysical conception of the relation between body and person after all: a dualistic vision according to which person and body are disconnected in such a way that bodies can be perceived as property. Interestingly, this seems at odds with her own views of human dignity as the dignity of embodied human beings. 
Nussbaum’s struggle reveals that it is hard, if not impossible, to express possible objections against cannibalism in terms of a violation of rights, liberties or the harm principle. The classic liberal vocabulary is ill-suited to express the deeply rooted cultural and symbolic values with which the human body has been vested since long. From a liberal perspective one could argue that individuals should be free to donate their flesh for meat consumption, or even have a right to do so, since they have the last say about what happens to their own bodies. In Mill’s famous words, “over himself, over his own body and mind, the individual is sovereign". 
Should we therefore conclude that there is no basis in law for prohibitions of cannibalism? That conclusion would be too easy. Mill’s viewpoint, though at the heart of liberal political philosophy, does not completely correspond with legal practice, especially where aspects of physical integrity are involved. Similar shortcomings can be detected in the Minister’s approach to the cannibalistic TV programme. In fact, there are grounds to argue that different aspects of the cannibalistic activities amount to criminal behaviour

26 June 2012

Steps Forward

Two US states have strengthened their data breach requirements, currently substantially stronger than the Australian regime.

In Vermont the state's 'security breach notification' law (9 V.S.A. §§ 2430 and 2435, the Security Breach Notice Act) has been modified, with notification no longer being triggered by mere “access” to personally identifiable information. Under 2430(8)(A) there is a requirement of actual “acquisition” of the information by an unauthorized person (or a reasonable belief that acquisition has taken place).

Under 2430(8)(C) the amendment adds factors to consider in determining that acquisition (or reasonable belief that acquisition has occurred), including indications that the information -
  • is in the physical possession and control of a person without valid authorization (eg someone illicitly holds a file),
  • has been downloaded or copied, 
  • was used by an unauthorized person, or has been made public.
Enterprises are required under 2435(b)(1) to notify consumers affected by a breach within 45 days of discovery or notification of the breach. Prior to the amendment, they merely had to notify “in the most expedient time possible and without unreasonable delay”. Importantly, enterprises are required to notify the state Attorney General within 14 business days of the organisation's discovery of the breach or when the enterprise provides notice to consumers, whichever is earlier.

That requirement for a timely response reflects last year's settlement with health service provider Health Net Inc, which had lost a portable hard drive featuring sensitive health information, social security numbers and financial information regarding a mere 1.5 million people (including 525 Vermonters) in 2009 but didn't bother to contact those individuals for six months. Health Net unpersuasively claimed that the risk of harm was “low” because files on the missing drive were not saved in an easily accessible format. The drive was not encrypted; the files were in fact TIFF images and thus easily readable.

The notice to the Attorney General under 2435(b)(3)(A)(i) must now include the date of the breach and of its discovery, along with a preliminary description of the breach.

In addition, after notifying Vermont consumers affected by a breach, enterprises must provide a second notice to the Attorney General. That notice is to include the number of Vermont consumers affected (if known) and a copy of the notice provided to affected consumers. Under 2435(b)(3)(B)(ii) the enterprise should also provide a redacted copy of the letter that the Attorney General’s office can use for public disclosure purposes.

Under 2430(b)(5)(F) the notice letter that must be sent to affected consumers must now include the approximate date of the incident, in addition to the other information that was required by the law before it was amended. Sensibly, a free-call number is no longer required in the notice letter to consumers unless one is available.

A requirement for concurrent reporting to the state Attorney General is also a feature of the amendments to Connecticut’s data breach notification law (Conn. Gen. Stat. § 36a-701b, with 36a being the Banking Law of Connecticut and 36a-701b dealing with "Breach of security re computerized data containing personal information").

In that statute “breach of security” means
unauthorized access to or acquisition of electronic files, media, databases or computerized data containing personal information when access to the personal information has not been secured by encryption or by any other method or technology that renders the personal information unreadable or unusable.
"Personal information" means
an individual's first name or first initial and last name in combination with any one, or more, of the following data: (1) Social Security number; (2) driver's license number or state identification card number; or (3) account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to an individual's financial account. 
The new subsection 701b(b)(2) requires enterprises to alert the Attorney General no later than the time that notice is provided to the state's residents regarding a breach.

That notice to consumers under the existing subsection (b)(1) must be made without unreasonable delay, subject only to delays resulting from law enforcement investigations and an internal investigation to -
  • determine the nature and scope of the incident, 
  • identify the individuals affected, or 
  • restore the reasonable integrity of the underlying information system.

Vetting

Previous posts have noted concerns about the timeliness and effectiveness of vetting by the Australian Security Intelligence Organisation (ASIO) and other agencies. 

The Australian National Audit Office (ANAO) has now released its 108-page report [PDF] on Security Assessments of Individuals (Audit Report No. 49 2011–12) by ASIO.

ANAO concludes that -
The provision of security assessment advice of individuals to Australian Government client agencies is one of ASIO’s key responsibilities. For the past six years ASIO has finalised, on average, nearly 180 000 security assessments annually in relation to people who have applied for visas, Australian Government security clearances, access to sensitive air and maritime port areas, and health security checks. The environment within which ASIO provides this service is dynamic, with demand for security assessments, and the complexity of the caseload, fluctuating substantially. In seeking to meet the changing demand for particular security assessments, and to take into account government and client agencies’ policies and processing priorities, ASIO also applies an approach that gives precedence to Australia’s national security considerations.
ASIO security assessments can range from a basic check of personal details against intelligence holdings, to a complex, in‐depth investigation to determine the nature and extent of an identified threat to Australia’s national security. Complex investigations can take a considerable time to complete. While any security assessment can be complex, the more complex cases fall predominantly within the visa security assessment caseload, particularly in the IMA component of this caseload. 
ASIO’s capacity to respond to changes in its security assessment operating environment was challenged in 2009–10 and 2010–11 when demand for more complex assessments increased, in line with the increase in IMA cases. A backlog of security assessments ensued and the processing times of certain security assessments, particularly for IMAs who were in mandatory detention, attracted public comment and criticism. The ANAO’s sample included some cases with prolonged processing times (up to 918 days), particularly in the visa security assessments stream. For visa security assessment components that had informal time standards in place, around 51% of sampled cases met expected timeframes. However, personnel security and counter‐terrorism security assessments were generally processed more promptly—75% of personnel security cases were processed within one day, and 90% of counter‐terrorism cases were processed within five days. 
A range of factors have contributed to the time taken to process security assessments. The most influential factors identified by ASIO were the increase in the number and complexity of cases in the visa security assessments stream, and changes in Government policies and client agencies’ priorities, particularly DIAC. While some of these factors were environmental, and beyond ASIO’s direct control, ASIO has sought to inform Government and client agencies of the effects of particular policy approaches on the security assessment caseload. Areas of particular focus in this regard include decisions by Government and DIAC to suspend, and then subsequently, to prioritise elements of the IMA caseload. Assessment data shows that the number of pending cases has fallen from its peaks, as recent management initiatives, discussed below, have taken effect. 
Within this context, the ANAO concluded that ASIO’s arrangements for providing security assessments of individuals to client agencies are robust and, broadly, effective. The agency has a sound governance framework in place, including strategic risk management arrangements that are updated regularly. There is an effective mechanism to report to the ASIO Executive and the Government on risks that affect security assessment processes, including most recently, the emerging area of risk arising from the rapidly increasing number of security checks for immigration community detention cases. However, at an operational level, there are some aspects of the security assessment regime that deserve further focus. These aspects limit assurance that the agency is making sound assessments that result in non‐prejudicial advice, and that the recent initiatives implemented to reduce the IMA security assessment caseload are being managed sustainably. It is also important to address impediments to mutual accountability between ASIO and its client agencies, and that ASIO puts in place workforce planning strategies to respond to future changes in demand for security assessments. 
Assurance that security assessments are soundly based 
ASIO staff are well-trained and follow clearly defined procedures in conducting security assessments. All 411 cases examined by the ANAO complied fully with ASIO’s processes and procedures. In terms of the quality of the judgements made by ASIO assessors, there are quality assurance processes in place for the small proportion of security assessments that result in prejudicial advice. However, for those assessments that result in non-prejudicial advice, the quality assurance processes are not as robust and vary across assessment categories. Given that a security assessment may contribute to a client agency’s decision to allow a person entry to Australia or access to sensitive information and/or locations, it would be prudent for ASIO to have in place a consistent quality assurance process to regularly validate, on a sample basis, its non-prejudicial security assessments.
Sustaining successful initiatives to improve IMA processing
ASIO and DIAC have worked together to streamline the IMA security assessments caseload. In particular, the introduction of a risk-based ‘triaging’ approach has successfully reduced the IMA backlog, and eased pressure on the overall security assessment function. However, the approach, which involves an ASIO team conducting an initial security check of IMA cases to decide whether the IMA will be referred to ASIO for a thorough security assessment, or sent back to DIAC for protection visa processing, could have been introduced in a more timely fashion. It would also be strengthened with documented guidance and a more robust IT supporting system.
Formalising relationships with key client agencies
ASIO has an ongoing working relationship with three key client agencies (DIAC, AGSVA, and AusCheck), and has in place a formal arrangement with one, AusCheck, which clearly articulates the responsibilities of both agencies. However, the absence of such arrangements with DIAC and AGSVA impedes the accountability of ASIO and the client agencies to each other in relation to the conduct of security assessments. Presently, there are no formally settled processing times, or service standards, for ASIO’s security assessment of non-complex cases, nor any agreed arrangements for ASIO to proactively provide to client agencies regular updates on the status of complex cases—particularly those that may have lengthy processing times. At the same time, the quality of the data provided by DIAC and AGSVA, upon which ASIO depends, has frequently been poor, and required re-work, which has delayed processing. Formalising arrangements with client agencies would provide a basis for better managing mutual expectations and responsibilities in relation to these matters.
Workforce planning strategies for the security assessment areas
To manage the allocation of staffing resources across the whole organisation, ASIO has developed a strategic workforce plan. However, given its agency-level focus, this plan does not address the needs of individual operational areas. The security assessment areas have specialised staffing requirements that have historically proved difficult to fill. At the time of the audit, these areas were significantly under-staffed—by some 30%. The agency has sought to respond to staffing shortfalls through temporary measures such as internal staffing, re-allocations and overtime. However, going forward the agency’s capacity to respond, at an operational level, to future changes in the security assessment caseload would be strengthened by putting in place more long-term workforce planning strategies, including for a contingency or ‘surge’ capacity for this function.
Against this background, the ANAO has made four recommendations aimed at strengthening the effectiveness of ASIO’s arrangements for providing timely and soundly based security assessments of individuals to client agencies. 
The recommendations relate to: implementing quality assurance processes for non‐prejudicial assessments; sustaining the risk‐based ‘triaging’ initiative for IMA cases; formalising agency relationships; and strengthening workforce planning strategies for the security assessment areas. 
ANAO goes on to comment that -
ASIO has a current Memorandum of Understanding with AusCheck. However, there are no formal arrangements in place between ASIO and its other key client agencies, DIAC and AGSVA. ASIO has expressed a general reluctance to be ‘tied‐down’ to specific service standards or timeframes with DIAC and AGSVA, given the complexities surrounding particular security assessments that can prolong the process. 
The data provided by DIAC and AGSVA to ASIO has frequently been incomplete or of poor quality. For example, in relation to the ANAO’s sample, 38% of permanent visa referrals and 30% of temporary visa referrals had incomplete mandatory information, and/or data quality issues, which required the case to be sent back to DIAC. The time taken to provide the complete information was lengthy in some cases. Similarly, ASIO advised that there have been referrals returned to AGSVA, with error codes that relate to missing mandatory information. 
In addition, ASIO is not able to provide its client agencies with the underlying reasons as to why some complex cases are taking longer to process or specific aspects of a security assessment investigation, as the provision of substantive security information on an individual could constitute ‘security advice’ under the ASIO Act. Such advice is only given at the conclusion of a security assessment. These issues should be taken into account in any steps taken to formalise arrangements between ASIO and its client agencies.
To manage the allocation of staffing resources across the whole organisation, ASIO has developed a strategic workforce plan, which details, among other things: a scan of the current internal and external workforce environment, the challenges facing ASIO over the coming years, and ASIO’s approach to these challenges. The strategic workforce plan is high level and, given its focus, does not address the needs of individual divisions or branches. While systemic workforce shortages have been raised corporately by the security assessment branches, there is no long‐term strategy in place to address these issues or to develop a contingency, or surge capacity, to respond to future changes in demand for security assessments. In practice, ASIO has found it difficult to recruit assessors to perform work on security assessments. The staffing complement of the security assessment areas has been consistently below authorised levels—in early 2012 the shortfall was around 30%. 
ASIO’s security assessments range from relatively straightforward checks of names against data holdings to more complex investigations where an in‐depth knowledge of an applicant (for a visa, for example) is obtained, and this knowledge is used to make more informed investigations, evaluations and determinations. 
The ANAO examined a sample of 411 cases drawn from six security assessment categories. The results of ANAO’s analysis are very positive: all 411 cases complied with the agency’s defined processes and procedures for security assessments.
In 1999 ANAO Audit Report No.7, 1999–2000 on 'Operation of the Classification System for Protecting Sensitive Information' concluded -
  • a high proportion of staff had clearances in excess of work requirements; 
  • some staff had access to information for which they were not cleared, particularly during the long lead time for obtaining initial clearances; and 
  • most organisations did not maintain the currency of their security clearances.
In 2001 an ANAO report [PDF] 'Personnel Security—Management of Security Clearances' centred on negative vetting concluded -
While security clearance policy and procedures of organisations were consistent with the requirements of the PSM, overall the audit found shortcomings in relation to the management, resourcing and operation of personnel security. Among the organisations examined the audit encountered a backlog of initial clearances, poor clearance aftercare processes, inadequate security information management and a failure to establish and enforce appropriate procedures to re-validate initial clearances in an acceptable timeframe. As a result, these organisations were exposed to breakdowns in the operation of their personnel security process which, amongst other things, may lead to inappropriate access to classified information. This problem is compounded when these issues occur in organisations which have not prepared, or which have inadequate risk management plans to appropriately integrate protective security risk management priorities into the organisation’s overall risk management requirements.
In light of this situation, the ANAO suggests that all organisations with a personnel security requirement review their personnel security arrangements as a matter of priority. This review should include, but not necessarily be limited to:
  • carrying out a risk management review of protective security arrangements and integrating the results of the review into organisation-wide risk planning; 
  • developing and implementing a process for clearing any backlog of initial clearances; 
  • actively seeking ways to reduce the processing cycle time for security clearances, in conjunction with vetting service providers and contributors; 
  • implementing appropriate information support systems to effectively support the management of personnel security; and 
  • establishing processes for clearing any backlog of security clearance reviews and ensuring timely reviews in the future.

Gambling

'Proposal for an International Convention on Online Gambling' by Marketa Trimble (to be published as a chapter in a volume from the University of Nevada Internet Gaming Regulation Symposium) offers -
the outline of an international convention that will facilitate cooperation among countries in enforcement of their online gambling regulations while allowing the countries to maintain their individual legal approaches to online gambling. Countries continue to vary in their approaches - some permit and regulate, and others prohibit online gambling, and even countries that permit and regulate online gambling approach the issue differently. Countries cannot enforce their own online gambling regulations without assistance from other countries - specifically, the countries where online gambling operators have their operations and/or their assets. Under the proposed Convention, national online gambling regulators would cooperate in the exchange of necessary information, in the licensing and standardization of technological requirements for online gambling operators, and, most importantly, in assisting with the enforcement of foreign country regulations by imposing geolocation and filtering requirements on online gambling operators. The chapter discusses the challenges that the proposal faces and suggests that the challenges can be overcome. Recent events in the online gambling world, such as 'Black Friday,' demonstrate a pressing need for effective international cooperation among Internet gambling regulators, and the proposed Convention, by providing a solution to the vexing problem of enforcement of online gambling regulation on the Internet, can provide the impetus for national discussions on online gambling.

24 June 2012

Genetic Profiling

'Genome test slammed for assessing "racial purity"' by Alison Abbott in Nature 486(7402) (14 June 2012) 167 notes that Hungary’s Medical Research Council (ETT) has asked public prosecutors to investigate a genetic-diagnostic company that certified that a parliamentarian from the far-right Jobbik party (which won 17% of the votes in the 2010 general election) did not have Roma or Jewish heritage.

The MP reportedly requested a certificate from Nagy Gén Diagnostic & Research (which rents office space at Budapest's Eötvös Loránd University).

Nagy Gén supposedly scanned 18 positions in the MP’s genome for variants that it claims are characteristic of Roma and Jewish ethnic groups, concluding that Roma and Jewish ancestry can be ruled out. Nature reports that the certificate adds "For an interpretation of the test result and for genetic consultation relating to the family-tree research, please contact us as soon as convenient".

The ETT characterised the certificate as “professionally wrong, ethically unacceptable - and illegal”, on the basis that the testing violates Hungary's 2008 Law on Genetics that apparently allows genetic testing only for health purposes. We might add that scientifically the test is absurd.

Nature quotes a spokesperson from Human Rights Watch as commenting -
The council’s stand is important. [In Hungary] there have been many violent crimes against Roma and acts of anti-Semitism in the past few years. Politicians who try to use genetic tests to prove they are ‘pure’ Hungarian fan the flames of racial hatred.
Nagy Gén is reported as contesting the claims, arguing that it - quelle surprise - “rejects all forms of discrimination, so it has no right to judge the purpose for which an individual will use his or her test result, and so for ethical reasons it could not have refused to carry out the test”.

Nature unfortunately does not discuss the potential for internet-based direct-to-consumer and cross-border ethnic profiling, likely to be attractive in jurisdictions such as Japan rather than merely in the more atavistic parts of Eastern Europe.

In Australia the provision of such tests would arguably not breach national anti-discrimination law (although conceivably subject to action regarding fraud), in contrast to use of the information to sort applicants for employment or other profiling. Australian concerns regarding genetic discrimination have centred on disability, as highlighted in the 2003 ALRC Essentially Yours: The Protection of Human Genetic Information in Australia (ALRC Report 96).

It would be interesting to see an update of work such as 'Genetic Discrimination in Australia' by Barlow-Stewart and Keays in 8 Journal of Law and Medicine (2001) 250, 'Investigating genetic discrimination in Australia: a large-scale survey of clinical genetics clients' by Taylor, Treloar, Barlow-Stewart, Stranger & Otlowski in 74(1) Clinical Genetics (2008) 20-30 and the Australian Human Rights & Equal Opportunity Commission (2002) note on 'Complaints of Genetic Discrimination under the Disability Discrimination Act: Case Studies'.