Privacy experts from afar afield as the United Kingdom met with the Australian government this week to examine weaknesses in the Privacy Act which is currently under review.
Government representatives met with Hewlett-Packard Co. (HP) scientist and co-author of the TrustGuide, Stephen Crane, and Australia’s former privacy commissioner, Malcolm Crompton.
The TrustGuide is a joint venture with British Telecom which was sponsored by the United Kingdom Department of Trade Industries’ research facility Science Wise.
Research undertaken for the TrustGuide recommends privacy policy should be amended so that it is based on public demand for individual control of personal information.
A second study is now underway called TrustGuide 2 which examines risk associated with technology and law. Crompton said functionality is a big problem when it is imposed on the user.
“Companies used to use CRMs to see how much data they can get behind [customer’s] backs before they scream,” Crompton said.
Labelling Australia’s Privacy Act as weak, he said privacy infringements occur through ‘functionality creep’, where companies add information-distribution features to services without customer consent, such as the Facebook fiasco. “The hypocrisy of one-way authentication is destroying user confidence in privacy because institutions are demanding more authentication yet are providing very little to satisfy the consumer,” he said.
Crompton said while privacy legislation needs to be built to Australian requirements, the most effective policy will eventually become a global standard.
For example, the International Chamber of Commerce (ICC) is working to develop standards for international data transfers.
At the Asia Pacific Economic Cooperation (APEC) conference in 2004, the ICC was involved in the adoption of the APEC Privacy Framework.
The framework was developed for APEC member economies and aims to protect personal information and cross-border data transfers.
ICC, in cooperation with the APEC Business Advisory Council, has been promoting this framework throughout its development and implementation, including the upcoming rollout of a pilot project.
Stephen Crane said a working solution lies in user-controlled release of information.
“At the moment, under the current legislative environment, we release too much information and just hope for the best,” Crane said.
“In TrustGuide 2, we gave respondents a virtual smart card which allowed them to allocate sharing and deletion of their information [and] we found most users were willing to have their information stored.
“Because current ID management has a habit of migrating risk rather than resolving it, the user will suffer if they fail to authenticate themselves for any reason.”
Federal privacy commissioner Karen Curtis, support a review of Australian privacy legislation, claiming the Act is becoming irrelevant.
“Principle-based law [in the Privacy Act] remains the best way to regulate information handling, but there appears to be no rationale for the existing situation of a set of privacy principles for Australian and ACT government agencies and a different set for the private sector,” Curtis said.
“Having two sets of principles can create confusion in situations where public sector agencies undertake commercial activities or private sector organizations are contracted to Australian government agencies.
“A single set of privacy principles would encourage greater regulatory consistency and simplicity, as well as maximizing privacy protection.”
The European Commission is also sponsoring a privacy reform project, called PRIME, which involves the development of an Identity Management System prototype as part of a global revision of privacy legislation to address new threats to privacy.
Countries involved in the project include Australia, Russia, Japan, the United States and Europe.
(Sandra Rossi of Computerworld Australia contributed to this report.)
