Free Essay

Law Report

In:

Submitted By JDRASELLE
Words 11809
Pages 48
Contemporary Privacy Issues Report Introduction

Privacy is one of the fundamental human rights, every individual should have full control over their personal information. However due to the continuous evolution of society and technology, the importance of a person's right to privacy has been eroded. This report discusses the contemporary privacy issues on different levels and areas, with specific focus on credit reporting, protection of customer’s private information by businesses, health records, internet data and government intelligence access to information. Sections of the current Privacy Act 1988, the new Australian Privacy Principles 2014, and legislations related to the topic areas mentioned above will also be discussed in detail, and the effectiveness of these laws will be analysed.

A person's credit history contains a vast amount of personally sensitive information which have a high commercial value, therefore it is extremely important to ensure businesses adhere to the privacy act to prevent the unauthorised use of these information. Any misuse of information can cause great personal and financial harm to the victim.

Privacy of health information is fundamental principle in health care. Lack of privacy information might result in people not seeking the health care they need which might be very risky to their own health and the health of others.

The rate of technological development is accelerating too quickly and current laws are becoming irrelevant to the business practices of online service providers. Businesses can collect non sensitive information from a number of sources and combine their result to form a comprehensive profile of an individual.
Intelligence agencies also play a significant role in collection analyzing and storing different types of information all over the world. The reason for their existence is protection of security and interests of their country and citizens. Consequently, agencies are given a special power to legally collect personal information. However, with the growth of such powers the debate on the balance between security and privacy in the modern world is raging.

The report will review the changes to the legislation that comes into effect in March 2014 and its potential influence on privacy issues in the future.

Privacy Act 1998 and Credit reporting privacy

1. BACKGROUND OF PRIVACY ACT 1988:
• Definition of Privacy Act 1988:
Privacy Act 1988 is an Australian law passed at the end of 1988 and commenced in 1989. It sets the detail of how to legally handle the collection, use, storage and disclosure of personal information. Personal information is defined as “… information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.” The personal information is tax file number, health information, sensitive information, and credit information. Currently different states and territories have different regime to regulate how the personal information but the Privacy Act generally regulates agencies and organisations to handle sensitive information with particular care because the sensitive information includes information or opinion about an individual ethnic origin, health or medical information, sexual preferences or practices, genetic information, criminal record, and political opinion.
Based on initial two objectives that were the protection of personal information in the possession of Australian Government departments and agencies, and safeguards for the collection and use of tax file numbers, eleven Information Privacy Principles (IPPs) of the Privacy Act had been set out how Australian, Australian Capital Territory and Norfolk Island public sector agencies handle personal information. These IPPs also allow individuals to request access to their own information and ask for information to be amended or deleted. Afterwards, in December 2000, Parliament passed the Privacy Amendment (Private Sector) Act 2000 with additional ten National Privacy Principles (NPPs) that apply to private sector organisations. These NPPs permit individuals to access information and have it corrected if that information is wrong. On the other hand, the Privacy Act also contains credit-reporting provisions that deal with using credit reports, and other credit worthiness information by credit reporting agencies, credit providers, and the third parties.

Besides two initial objectives above, the Privacy Act also has other concepts such as: confidentiality, secrecy, and intellectual property. Therein confidentiality refers to communications between individuals such as a client and lawyer, patient and medical professional, or source and journalist. Secrecy imposes an obligation of confidentiality in relation to the handling of government information. Intellectual property regards to propriety knowledge, and the creation or property of human being’s mind.
• Brief description about the privacy law reform
On 23 May 2012, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 was introduced to Parliament with significant changes in Privacy Act. Particularly, Australian Privacy Principles (APPs) with new thirteen chapters will replace the existing Information Privacy Principles and National Privacy Principles. Among those new thirteen chapters, chapter 7 on the use and disclosure of personal information for direct marketing, and chapter 8 that is on cross-border disclosure of personal information are considered a significant difference from current principles. Moreover, the privacy law reform has enhanced power for the Australian Information Commissioner. Since then, this Commissioner may accept enforceable undertakings, seek civil penalties in serious cases or repeated breaches of privacy, and conduct assessments of privacy performance for both Australian government agencies and business. Finally, the Privacy Amendment Act 2012 made credit reporting become more comprehensive. Although this Privacy Amendment Act was passed on 29 November 2012, they will not commence until 12 March 2014.
• Brief description about other legislation:
Besides the Privacy Act 1988, there are a number of other Australian laws related to privacy such as medicare, criminal records, personal property securities register, and so on. However this paper studies privacy in health, Internet communications and other technologies, credit and finance, and identity securities. Therefore, the Personal Controlled Electronic Health Records Act 2012, and some others are discussed carefully in each related privacy section.
• In conclusion, even though the Privacy Act has been in force for nearly twenty years combined many supplement other legislations, there is still some law reformation being processed. Consequently there is little case law clearly interpreting this Act.

2. CREDIT REPORTING PRIVACY:
In order to understand content of Credit Reporting Privacy, especially Part IIIA of the Privacy Act 1988, credit reporting should be defined. Credit report is a record containing information about individual’s dealings with credit providers. Those information include: personal details; records of credit applications made by that individual in the past five years; records of some current loans; accounts where individual has been in default over 60 days; court judgments; dishonoured cheques where the amount is over $100 and the cheque was presented twice; a serious credit infringement; and bankruptcy orders.
The credit-report is held by a credit-reporting agency and accessed by the credit providers with that individual’s consent to find out about his/her credit history. This can be considered as a way of warning credit providers about borrowers who had not reliably repaid their past loans.
2.1. Part IIIA of the Privacy Act 1988:
Due to sensitive credit information, Part IIIA of the Privacy Act 1988 provides safeguards for individuals in relation to credit reports consumption by governing credit worthiness used by credit reporting agencies, and credit providers and limiting the number of other recipients. These safeguards are explained clearly through key requirement of Part IIIA of the Privacy Act 1988:
• Strict limits on type and length of the information can be held on a person’s credit information file by a credit reporting agencies. Moreover, there is limit on people who can access to that information. Generally only credit providers may access for only specific purposes while real estate agents, debt collectors, and employers are barred from the access. This is because according to Credit Provider Determination No.2011-2 all corporations who are regarded as credit providers for the purpose belong to following classes:
“… a corporation where, in relation to a transaction, it is considering providing or has provided a loan in respect of the provision of goods or services on terms which allow the deferral f payment, in full or in part, for at least seven days.” Or
“a corporation engaged in the hiring, leasing or renting of goods, where, in relation to a transaction, no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least seven days duration.”
• Furthermore, specific purposes only include assessing an application for consumer credit or commercial credit, assessing whether to accept a person as guarantor for a loan applied by another person, and collecting overdue payments.
• There is a prohibition on disclosure credit worthiness information, including a credit report from a credit-reporting agency, by credit providers. However under some specified circumstances such as disclosure to a mortgage insurer, or a debt collector.
2.2. Credit Reporting Code of Conduct:
Together with Part IIIA of the Privacy Act, the Credit Reporting Code of Conduct that was issued by the Privacy Commissioner in 1991 and fully operational in February 1992 apply information privacy principles to the specialised area of consumer credit reporting. However, this code of conduct supplements the Part IIIA on matters not addressed by the Act. In particular, it requires credit providers and credit reporting agencies to:
• “Deal promptly with individual requests for access and amendment of personal credit information
• Ensure that only permitted and accurate information is included in an individual’s credit information file.
• Keep adequate records in regard to any disclosure of personal credit information
• Adopt specific procedures in settling credit-reporting disputes
• Provide staff training on the requirements of the Privacy Act.” Besides the requirements for both credit reporting agencies and credit providers, the credit reporting code of conduct also exclusively applies special provisions to each body. Those provisions require credit reporting agencies, for examples, to allow individuals to indicate which previous recipients of reports about them should be advised of amendments to their files; to ensure that members who use agencies are aware of their responsibilities under the Act; and to report the Privacy Commissioner on the occurrence of “serious credit infringement” listing prior to notice of default. Meanwhile credit providers are exclusively required to take certain steps before reporting an overdue payment to a credit-reporting agency; and promptly reporting to a credit-reporting agency the cessation of an individual’s credit obligations.

2.3. Privacy Reforms on Credit Reporting:
As mentioned above, Privacy Amendment Act was passed on 29 November 2012. As part of that reform, credit-reporting in Australia is regulated by a new Part IIIA[1] with following contents:
• “… allow the reporting of information about an individual’s current credit commitments and his/her repayment history information over the previous two years
• a simplified and enhanced correction and complaints process
• a prohibition on the reporting of credit related information about children
• a prohibition on the reporting of defaults of less than $150
• the introduction of specific rules to deal with pre-screening of credit offers
• the introduction of specific provisions that allow an individual to freeze access to their credit related personal information in cases of suspected identity theft or fraud.
• The introduction of civil penalties for breaches of certain credit reporting provisions.”
This new scheme was introduced to facilitate better assessment of consumer credit risk by creating greater transparency. Since then the industry may receive a more comprehensive view of the consumer’s credit position. With consumers, in return for giving their credit information, they will be compensated if they are adversely affected by a contravention of the credit reporting provisions and courts will be given power to order compensation in cases where civil penalty provision has been contravened.
However some opinions concern about committed “serious credit infringement” that can involve a degree of subjective credit files assessment. This is because the serious credit infringement was defined by Privacy Act s6 as “an act done by a person that involves fraudulently obtaining credit, or attempting fraudulently obtaining credit; or that involves fraudulently evading the person’s obligations in relation to credit; or attempting fraudulently to evade those obligations; or that a reasonable person would consider indicates an intention, on the part of the first-mentioned person, no longer to comply with the first-mentioned person’s obligations in relation to credit.” Furthermore, there are some consumers who are being charged hundreds of dollars for having errors in credit files corrected that they could do themselves for nothing. In other cases, the credit repair companies have used aggressive tactics to try to persuade the consumer to enter Part IX insolvency arrangements that they subsequently administer for a fee.

Therefore, according to the co-ordinator of the New South Wales Consumer Credit Legal Centre, Karen Cox, consumers should be wary of dealing with credit repair companies due to those charge large upfront fees to investigate a consumer’s credit file and “clear” the file.
The last concerned point related to the new credit reporting privacy scheme is the staff training. According to Minter Ellison special counsel, Veronica Scott, the staff training is essential because most data breaches are caused by simple human error. And when the new civil penalty regime that will also take effect from March 2014, organizations and individuals could face significant financial penalties for repeated serious data breaches.

Health Information Privacy:

1. Introduction and definition of health information

Privacy of health information is fundamental for a good quality health care. Traditionally, health service providers (such as doctors, dentists, nurses, physiotherapists and pharmacists) owe duty of confidentiality to health consumers. Duty of confidentiality requires that collected health information will be used only for the purpose which they were provided for.

The Privacy Act defines ‘health information’ as follows:

(a) information or an opinion about:
(i) the health or a disability (at any time) of an individual; or
(ii) an individual’s expressed wishes about the future provision of health services to him or her; or
(iii) a health service provided, or to be provided, to an individual; that is also personal information; or
(b) other personal information collected to provide, or in providing, a health service; or
(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual
Health information is regarded as one of the most sensitive types of personal information. Collection of health information also requires the consent of the individual involved.

Privacy legislation regulating the handling of health information
Health information is represented differently in different laws. It is included either in personal information or sensitive information or is defined separately.
Legislative powers in Australia are divided between the Australian Parliament and the six state parliaments. As seen in table 1, the Australian Parliament and number of states and territories has passed legislation relating to privacy and this has resulted in some overlap and duplication. In some states where there is no privacy legislation state government agencies are required to comply with administrative privacy regimes.

Jurisdiction Public Sector Private Sector
Commonwealth Privacy Act 1988 (Cth) Privacy Act 1988 (Cth)
NSW Health Records and Information Privacy Act 2002 (NSW) Health Records and Information Privacy Act 2002 (NSW)
Privacy Act 1988 (Cth)
VIC Health Records Act 2001 (VIC) Health Records Act 2001 (VIC)
QLD Administrative Scheme Privacy Act 1988 (Cth)
WA Information Privacy Bill before the Western Australian Parliament Privacy Act 1988 (Cth)
Information Privacy Bill before the Western Australian Parliament
South Australia Administrative Scheme Privacy Act 1988 (Cth)
TAS Personal Information Protection Act 2004 (TAS) Privacy Act 1988 (Cth)
ACT Health Records (Privacy and Access) Act 1997 (ACT)
Privacy Act 1988 (Cth) Health Records (Privacy and Access) Act 1997 (ACT)
Privacy Act 1988 (Cth)
NT Information Act 2002 (NT) Privacy Act 1988 (Cth)
Table 1 Privacy legislation regulating the handling of health information

The privacy act 1988 contains 11 IPP’s that apply to Australian government agencies and 10 NPP’s for private sector –there is no distinction between protection of personal info and protection health info in the Privacy Act 1988 – it applies to both. The two sets of privacy principles share many similarities but there are sections which are inconsistent and unclear.
The Act applies to the handling of personal information by health service providers and private sector organisations that earn more than $3million annually.
2. E-health - Electronic health records
Traditionally, health information has been collected and stored in paper based form in many locations – GP records, hospital records, medical specialist records. However, now those records are increasingly collected, transferred and stored in electronic form in central databases such as Medicare database and cancer registers. There is also a trend to move and integrate electronic health information systems and create shared electronic records, which allows health service providers, regardless of their location, better access to health information, which on one hand brings better outcomes for customers but it also raises privacy issues.
PCEHR Personally- Controlled Electronic Health Records
PCEHR is a secure electronic summary of people's medical history that is stored and shared in a "network of connected systems". It is currently distributed across a wide range of locations including general practices, hospitals, imaging centres, specialists, and allied health practices.The PCEHR system has a range of security measures to protect patient information during registration and use, and ensure that the correct patient is correctly identified.
It is an opt-in system, with both doctors and patients having a choice to sign up. It was launched on the 1st Oct 2012.
At the 10th July 2013, there were 3723 general and multidisciplinary practices registered in the PCEHR system, which NEHTA (The National E-Health Transition Authority) says covers an estimated 53 per cent of total general practices in Australia.
However, there was some information revealed about a hacking incident while the system was being built by Accenture(because basic security procedures around firewalls and passwords were not followed).
UHI – Unique healthcare identifiers
A Unique healthcare identifier is a unique 16 digit number which makes sure the right health information is matched with the right individual. It is also used for unique identification of healthcare providers.
3. Hacking into health files in QLD
In December 2012 Eastern European cyber criminals demanded $4000 from Gold Coast medical centre in exchange of patient health information. IT experts are warning that medical records being held for ransom and medical information theft are the fastest growing area of cybercrime in Australia. In 2012 alone, there were 11 similar offences in Queensland.
According to experts hackers focus on small business computer servers and encrypt and lock customers’ data, refusing to unlock it until a ransom is paid. And it seems medical practices are the latest target, as their presence in cyberspace grows as a result of e-health.
Records from US reveal about that very high number - almost 21 million (10% of population) Americans have had their electronic records stolen or lost between 2009 and 2012. This causes a lot of concerns. Even though there are no Australian figures available, there are concerns that Australia is following in the footsteps of US.
Cyber-attacks have huge effect on medical centres. It is very costly and time consuming. It involves endless amount of paperwork, faxing reports through, x-rays, pathology and providing information from previous consultations. Medical centres usually have to purchase a new server and every piece of information must be manually processed. Average costs of data breach reported by Australian organisations have steadily risen reaching 2.16 million in 2011.
The ransom is one way for hackers to make money, however the sale of the patients’ personal information is possibly even more valuable. Medical file can sell for $50 on the black market. If you take into account the American compromised data, it’s already $10.5 billion dollar industry. This could have very serious consequences for PCEHR which enables doctors to share patient information with other medical bodies and enables patients to access their own files from their own computers remotely.
There is no doubt that PCEHR databases are completely secure. However what we’ve seen already through ransom ware hacking incidents was that the medical centres were not secure.
Organisations with data need to have security in place. Experts say that not enough work is being done educating medical services to have good technology and IT security practices in place. Some surgeries are still running Microsoft Office 2000 and they are not protected.
The hackers usually attempt to socially engineer staff to gain access to networks. They might send to the individuals Facebook page links that they are likely to open to which they have secreted a key logger (malware designed to capture passwords and login credentials)
This type of cybercrime is largely unreported in Australia, mainly because there is no legislation compelling any organisation to report it. There is no guarantee that the crime does not occur again and that the records are reliable after the hacking attack.
Recommendations for medical centres:
They should conduct a security assessment of their practice, the security of their equipment and to develop a culture within their staff to understand cyber threats.
4. Privacy of genetic information
The trouble with genetic information is it doesn’t just affect the person who is its source; it also provides information about that person’s relatives – past, present, and future. Any decision about the collection, use, and dissemination of an individual’s genetic information may have consequences for relatives who haven’t agreed to share the information and aren’t aware that sharing has taken place.
In December 2010 Public Interest Determination 11A was issued under the national Privacy Act. Under this determination, it became lawful for a doctor to contact a patient’s relatives, without consent, and advise them of the consequences of the patient’s genetic condition. The doctor must reasonably believe the information is necessary to enable reduction or prevention of a “serious threat to the life, health, or safety of the relative”.
This determination erodes the concept of doctor-patient confidentiality. If a patient’s condition has a genetic component, it effectively permits a doctor to ignore the patient’s wishes and advise relatives of the condition. This may (or may not) benefit the relative but it ignores the patient’s right to privacy.
Recreational genetics involves direct-to-consumer (DTC) genetic tests. Consumers send a DNA sample, usually a mouth swab, directly to a laboratory which runs a battery of predictive DNA tests. The consumers pay for that testing and they receive a profile indicating their relative risk of developing certain diseases. The results can be often misunderstood.
The right not to know -has been stated as the right people should have to be protected from information that their own bodies can yield, based on the ethical principle of respect for autonomy.

5. Biometric information privacy
Biometric information is any data that can be used to biometrically identify an individual. This data includes but it is not limited to, images, sounds, chemical or geometric properties. It also includes any information that is derived from these raw acquired biometrics.
The possible health related nature of biometric information is one thing that makes its use controversial. There is a concern that it might be possible to analyse and extract health information from biometric information. It raises a question whether biometric information should be regarded as health information.
The growing importance of identity management and the spreading use of biometric technology bring a lot of discussion about the legal regulation of personal information and reasonable limits of privacy.
Privacy concerns about biometrics are connected with Australian e-passport, the Smart Gate Scheme, facial recognition at Australian airports and introduction of biometric information in smart cards. E-passport has embedded microchip which stores the holder's digitised photograph, name, gender, date of birth, nationality, passport number, and the passport expiry date. E-passport was introduced in order to expand the Smart Gate Scheme along with the introduction of biometric databases by immigration authorities.

6. Privacy law reform – Impacts on health industry
The recent extortion attempts by hackers against general practices in Queensland have brought into focus the effect that the new privacy laws will have on healthcare sector, with particular consequences of data security.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012
It will come into effect in March 2014.
The new privacy bring together laws the former IPP’s (which covered public sector) and National Privacy Principles (covering the private sector) into one group of 13 Australian Privacy Principles.
The Australian Privacy commissioner will have substantially enhanced powers to enforce the law ands and exact penalties for any breaches. This includes the penalty up to $1.1 million if a company commits a serious interference with a person’s privacy.
The new amendment will also introduce mandatory data breach notification rules. What this means is that the all organisations should review their privacy policies now, as they will be required to have a privacy written statement. It may also affect some business decisions being made now, such as whether to store personal information offshore. They should also look at boosting their IT security arrangements to ensure privacy breaches do not occur.
The new laws will also require companies to explain to customers how they can complain about a breach of privacy and how the organisation will deal with privacy complaints.
Organisations must also specify if they are likely to disclose personal information to recipients overseas, which has implications for organisations using an offshore data centre or cloud computing provider for data storage. It has also implications for transmission of information within Australia, particularly by email.
The new principles also have ramifications for medical records. An organisation must include in its privacy policy, how customers can seek access to their personal information and how they can correct that information if they wish to do so.
The Queensland hacking cases should be a warning sign to general practices that they need to improve their security. It is a mistake to assume that the data has not been stolen, but only encrypted. This could close down businesses who don’t take this seriously.
Small general practices are the most vulnerable for data breaches and they should take out cyber security insurance. The biggest problem is the transmission of sensitive patient information via email by GP’s and the new privacy legislation forbids doing so. Gmail, for example, is hosted in the cloud but Google’s servers are located throughout the world, not here in Australia.
It’s not just Gmail, any email system server administrator can see the contents of that particular email.
The new civil penalties will motivate the businesses to put together privacy impact assessment. So this coupled with security technology and cyber security insurance give a good coverage for doing enough for privacy of health information.

The use and protection of customers' private information by businesses

Purposes of business collect customer personal information
Businesses frequently collect and analyze personal information in order to maximize profits by building closer relationships between customers and their products.
For examples:
• to tailor their product to meet the specific needs of their customers, this could help to achieve the objective of price discrimination;
• To deliver the product to their customers to the correct address;
• Regularly send marketing materials such as promotion notice, and;
• To ascertain individual preferences in order to engage in more effective marketing.
Personal information about individuals has commercial value as to companies’ business activities.
However, when dealing with an individual’s personal information, the business must comply with its obligation to protect the individual’s privacy.
Small business and small business operators
The Privacy Act 1988 originally applied only to the handling of personal information by Commonwealth government departments. Now under section 6D, dealing with small business and small business operator, it applies to any business if it has an annual turnover of more than $3 million; including non-profit organizations. If a business has an annual turnover of $3 million or less then it is exempted from the Act unless the business satisfies the following conditions:
• The business is related to another business that has an annual turnover of more than $3 million
• The business is able to provide a health service and holds health records;
• Disclose personal information for the purpose of to benefit, service or advantage;
• Provides someone else with a benefit, service or advantage to collect personal information, or
• The business is contracted service provider to the Commonwealth.

Exemptions from the operation of the Privacy Act include (section 7B):
• The journalism activities of media organizations, and;
• An act done by an employer that is directly related to a current or former employment relationship between the employer and the individual, or an employee record held by the organization and relating to the individual.

Under section18BB, if a business is covered by the legislation it must choose to be bound by either a privacy code approved by the Privacy Commissioner, or the National Privacy Principles, i.e. NPPs, which set out in the Privacy Act.
Definition of interferences under privacy Part 3, Division 1, section 13A
General rule of Interferences with privacy by organisations:
For the purposes of this Act, an act or practice of an organisation is an interference with the privacy of an individual if anyone of it has breached:
1.1 The act or practice breaches an approved privacy code that binds the organisation in relation to personal information that relates to the individual;
2. Both of the following apply: 2.1 The act or practice breaches a National Privacy Principle in relation to personal information that relates to the individual; 2.2 The organisation is not bound by an approved privacy code in relation to the personal information; 3. All of the following apply: 3.1 The act or practice relates to personal information that relates to the individual;
3.2 The organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract) 3.3 Because of a provision of the contract that is inconsistent with an approved privacy code or a National Privacy Principle that applies to the organisation in relation to the personal information, the act or practice does not breach the code or Principle (see subsections 6A(2) and 6B(2));
3.4 The act is done, or the practice is engaged in, in a manner contrary to, or inconsistent with, that provision; 5. the act or practice involves the organisation in a contravention of section 16F (which limits direct marketing using information collected under a Commonwealth contract) involving personal information that relates to the individual.
The consequences OF business failing to comply with privacy policy
As business could choose which legislation to bind with, different corresponded results applies.
Subject to subsection (1A), if a business is complained by an individual of breached the NPPs to the Office of the Privacy Commissioner, in most cases; both individual and business are able to have a chance to resolve the complaint by themselves. If the business and individual cannot resolve the complaint, the office will conciliate the complaint using letters and phone calls, or face to face meeting. As a last resort, the Privacy Commissioner can make a formal determination dismissing the complaint or find the complaint substantiated and make a determination. (section 52). If the business does not comply with the determination, either the Commissioner or individuals can seek to have it enforced by the Federal Court of Australia (section 62(1)).
Referring to section 40 (1)(a), other than the situation that receive information from complaint, the Commissioner can also undertake investigation into business when the business has been found to breach privacy law by an act or practice
If the business has decided to be bound by an approved privacy code, that will be privacy code adjudicator who receive the complain form individual (section 18BI). A privacy code judicator or the individual can seek to have a determination enforced by the Federal Court. According to section 18BH, the commissioner has the power to review a complaint heard by the judicator.
If business is found failing to comply with its own stated privacy police, it wills risks being sued for misleading and deceptive conduct. (Section 55A)

Preventative measurements to avoid unanticipated disclosure
Case Study:
On 9 December 2011, Telstra was being alleged of had breached the Privacy Act by making its web-based customer management tool which contained customer information publicly available on its website. The Australian Privacy Commissioner immediately carried out an investigation into this allegation.
A Visibility Tool is used to track orders for bundled products had been found accessible externally, and was not protected by the firewall, which resulted in 734,999 customers’ detail publicly. Anyone who accessed the Visibility Tool could conduct a search using the customer’s last name, account name, order ID or reference number.
After the investigation undertook by Telstra, the causes of incident are revealed as a number of key events:
A series of errors occurred from the initial deployment of the Telstra Bundles Product to the roll-out of the Visibility Tool;
A software restoration undertook in October 2011 inadvertently restored incorrect software settings, removing the pass through authentic mechanism, resulting in the URL being made publicly available by December 2011.
In response to the incident, Telstra conducted a series action and remedies to protect the security of customers’ personal information and to minimize customer inconvenience. Though, the Commissioner held the opinion of Telstra breached the Privacy Act out of the requirement set out in the law.
The Commissioner’s investigation focused on whether the incident was an ‘unauthorized disclosure’ of personal information and therefore whether the handling of personal information under the Telstra Bundle Project was consistent with the Privacy Act. As a result, the Commissioner’s investigation concluded that the specific errors made by Telstra staff led to the Visibility Tool being publicly accessible. The external accessibility of customers’ personal information was an unauthorized disclosure and therefore a breach of NPP2.1, use and disclose, as the disclosure was not a result of one-off human error but rather a series of errors that revealed significant weakness in Telstra’s reporting and monitoring, as well as accountability systems.
The commissioner also concluded with there was a breach of NPP4.1, data security, by reviewing the overall security safeguards put in place by Telstra prior to and following the incident, as it did not take reasonable steps to protect customers’ personal information from unauthorized access and disclosure.
Apart from complying with requirements of laws and regulations, there are several measurements business could conduct to keep consumers’ privacy information in place and prevent it from interference.
• To conduct an internal audit. Business should conduct an internal audit to understand what data they are going to collect, how they are using the data and with whom they are sharing that data, how that data is being protected and related issues.
• To develop a privacy policy. Once the company’s plans and practices for collecting and using customer information are clarified, these should be communicated through a well built privacy policy. Under which customers are able to be well informed about purposes of using their information, and the third parties are likely to have access to such information.

• Setting up provisions for contingent disclosure event. Business is expected to plan ahead and be prepared for the inevitable events, in order to ease the inconvenience caused to customers to the largest extent. Furthermore, conditions like being forced by government to hand over data of clients are likely to encounter in the future, by understanding this, organizations could draft its privacy policy more effective and accurate. For example, avoid to make a strongly privacy promise while it conflicts with the government’s demands.

Business use personal information for profits without infringement
As discussed in previous section, businesses collect personal information about potential customers in order to achieve better market position, customers give out their information to business inadvertently if they want to use the product or service as well. However, it is not always safe and secure when company holding those information. To what extent that business could use personal detail will be a notable issue.

Related case
In 2003, Telstra sold customers’ information to a debt collection agency Alliance Factoring, for a small fraction of dollar value, and then Alliance set about finding the people who owed the money and getting it back. Meanwhile, Alliance reported a number of individuals to a credit reporting agency and those who should never have been made. As a result, customers suffered to bad credit record, and ability to apply for loans from banks was limited. And following a spokesman from Alliance stated some of the file that came from Telstra already contained inaccurate information. Although it is common commercial practices that sell bad debts between organizations, personal information involved in the exchange of right to use still need protection. Telstra’s behave breached the privacy of customer in terms of NPP2.1 and NPP3, i.e. data use and disclosure and data quality.
Organizations have an obligation to protect customers’ personal detail against inappropriate uses. When there is a need of making use of customer personal information, the most effective method is always to ask consent of customers before or at any time of collection, as well as when a new use is identified. When the business is obtaining the consent from customers, it is also a good chance to reconfirm with them that the information generated so far is up to date, by doing this, both business and individuals could avoid unnecessary losses.
According to section 6, interpretation, consent can be made in two ways, express or implied. For those information like banking details for a credit check is particularly sensitive, business should explain clearly and get express consent from customer when collecting them and disclosing them to another company.
Implied consent usually happened when customers know obviously what business going to do with their details. For example, when customers make a payment by card, they give their consent to business of recording his/her card number and pass it onto the bank .

Internet Data Privacy

The era of electronic tracking, big data mining and targeted advertising :
Less than 5 years ago, the general population were only connected to the internet when they were at work or at home using their PC. However with the introduction and the rapid take up of smart mobile devices, more people are connected to the internet where ever they go, for the entire day. This has triggered an expediential growth of personal data being generated and collected. According to IBM's research, 90% of the world data are generated within the past two years. SAP has found that over 98% of the data are stored electronically.
A large portion of internet users are either unaware or not concerned about being tracked and monitored electronically as they carry out their daily activities. People are willing to trade their private information for the convenience of using tech services for free, and companies offering these services are taking advantage of Australia's outdated privacy laws. This allow companies such as Google, Facebook, to collect and compile non sensitive information and cross reference the data obtained from its wide range of services to create an extremely comprehensive online profile of its users, without breaching any privacy laws. These companies will then target these users with advertising that is closely matched with their online profile.
Types of non sensitive non personal data being collected:
Website cookies:
Small text files which stores user settings and passwords on every website visited by the user. Browsers such as Chrome, or social media sites such as Facebook use tracking cookies to monitor the user's browsing activities online. This allows advertisers to construct a profile of the users' interests and preferences. This information is then used to display advertisements that target these interests. Cookies can be deleted, and user can opt to disable cookies when they visit a website.
Internet Protocol Address (IP address):
Unique number assigned to computer devices to enable the communication between different devices across the internet. A computer's IP address is publically available, it contains the information of the user's ISP, type of internet connection, to geographic information including the country, state, and suburb. The exact street address of the user will not be disclosed.
Wi Fi MAC address
Media access code, unique code for computer and mobile devices that fixed and cannot be changed.
GPS location:
Particular significant with mobile phone users. Application installed in smart phone can track user location and relay such information back to the application developer.
Web search preferences :
Google stores your search enquires entered in its search engine services and online stores, and create a list of the user's most liked preferences and hobbies
Metadata:
Data about data, for example the date, time, location and the type of devices used to send an email or post a message on twitter are considered as meta data. The actual content of the message is not being recorded. A person's sensitive data can be re-identified if their behaviour pattern has been repeated for a sufficient amount of time.
Social media company Twitter has provided a diagram explaining the meta data generated and collected from each post sent by its user.

Google and its influence on the digital age:
There exist an enormous ocean of non personal information for companies to collect and analyse so that they can create a digital profile of each individual to suit their need. Currently one of the largest data mining company is Google. When Google serves went offline for 2 minutes in August this year, the global internet traffic was reduced by 40%. In addition, Google has a 80% market share of the global smart phone market, with a 65% share of the Australian market.
In an interview with The Atlantic, former Google CEO Eric Schmidt was questioned about the extend the company will go to analysis its user behaviour and profile, he replied " With your permission, you give us more information about you, about your friends, and we can improve the quality of our searches. We don’t need you to type at all. We know where you are. We know where you’ve been. We can more or less know what you’re thinking about."
At the 2010 Techonomy conference, Schmidt told attendees that
"if I look at enough of your messaging and your location, and use artificial intelligence, we can predict where you are going to go."
From the quotes above, Schmidt implied that Google has the programming capability to model a person's behavioural pattern and predict their thoughts by gathering non sensitive information about the user. Currently the Privacy Act do not provide guidelines for companies which collects and analysis these type of information.
Building of a data empire:
At the start of 2012, Google combined the previously separate privacy policies of its various products and services into one privacy policy. Google claimed it is step to simplify their various privacy policies, and not an attempt to increase the collection of information about its users. However this has also removed the data separation between its services and allowed the massive amount of data to be shared and connected to form a more comprehensive profile of the user.

Direct collection of sensitive and personal data:
As mentioned in the previous section, Google has to comply with the Australian Privacy Act. Case study:
Google street view vehicles collected payload data from unsecured wi fi connection. Google argued that since the information is available to the general public it should not be considered as private information, however the OAIC disagreed and found that Google has breached the Australian Privacy Act.
Data transmission:
Data transferred over the internet is broken up into sections or "packets". The packet consist of the control information, and the user data or the payload. The control information contains the necessary source and destination network addresses codes for the user data to be delivered.
Street view data collection:
Google launched their street mapping project in May 2010. The fleet of cars were equipped with cameras capturing photos along their designated route. However the cars were also equipped with devices containing software program that allowed cars to record payload data from unsecured wi fi network connections within its range. Such data may contain usernames, passwords, and other sensitive and personal identifiable information.
The software contains a program called gslite, which works in conjunction with an open source network, data packet sniffing program called Kismet. It detects and captures wireless network traffic. It identifies and store information including MAC addresses, wireless network router's names. The information is given a location tag from the geographical co-ordinates obtained from the GPS unit in the vehicles. Gslite capture and store header information for both encrypted and unencrypted wireless networks, however it does not analyse the payload portion of the data packets. The gslite program scans all network traffic, discard s payload data transmitted over encrypted wireless networks, and automatically stores the payload data packets transmitted from unencrypted networks. According to Google, the company has no intention to analyse these payload data.

Google maintained these specific codes were accidentally incorporated into the street view software and the project manager was unaware of its existence, and Google had neither viewed or used these sensitive information. However Google did transfer these data back to their storage facility in the United States.
Under the authority given in section 40 (2) of the Privacy Act, Australian Privacy Commissioner launched an investigation of Google’s conduct . Google was found to have breached the Australian Privacy Act by collecting personal information without consent.
The commissioner did not have the authority to impose penalties on Google under the Privacy act, instead the commissioner's options were limited to making legally enforceable determinations to direct Google to resolve this issue.
• Publish an apology to Australians in Google's official Australia blog.
• Undertake to conduct a Privacy Impact Assessment (PIA) on any new Street View data collection activities in Australia that include personal information.
• Provide a copy of these PIAs to my Office.
• Regularly consult with the Australian Privacy Commissioner about personal data collection activities arising from significant product launches in Australia.
In addition Google was instructed by the commissioner to destroy the data immediately if it is lawful to do so.
Under Privacy Act, schedule 3, National Privacy Principle 4.2
"An organisation must take reasonable steps to destroy or permanently de-identify personal information it it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2. "
On the 4th May 2011, Official Google Blog Australia, Google released its Privacy impact assessment for Street View in Australia, as requested by the OAIC. Google stated
" Our ultimate goal was to delete the payload data. We can report that this was completed in February under independent supervision. "
However, on July 2012, OAIC was informed by Google that the statement made on the privacy impact assessment was inaccurate as Google still has possession of a portion of the sensitive information. Under the instruction from the OAIC, Google hired independent digital forensic firm, Stroz Friedberg, to assist and verify the "irretrievable destruction of all data, including all 802.11 wireless Data Frames, from 21 hard drives that were identified by Google as having been used in Australia by Google Street View vehicles running the gstumbler program." (Correspondence: Stroz Friedberg letter to Google 8/8/2012). OAIC seek further reassurance from Google by requesting the company to conduct an audit to ensure all of the data were deleted and destroyed.
The result of the audit was reported back to the Australian privacy commissioner on the 9/10/2012 . Two additional disks containing wi fi information were discovered. The commissioner expressed his concern with Google's privacy policy and security procedures, after the discoveries of more data collection despite Google's previous two confirmation that all data relating to this issue had been destroyed. On the 19/11/2012, Stroz Friedberg confirmed to Google that the remaining two disks were overwritten in its entirety and were physically destroyed.
Following the investigation of the Street View incident, the OAIC has increased its scrutiny of Google's overall privacy policy for its expanding range of services. On the 23/2/2013, the privacy commissioner made several recommendations to Google in order to improve the transparency and consistency of the following:
• Google Privacy Policy
• Google Play Terms of Service
• Google Wallet terms of service, product disclosure statement, privacy notice.
Under section 2.B of the Google Wallet Product Disclosure Statement, it states that when a customer makes a payment via Google wallet:
• process payment transactions on behalf of a Buyer, avoiding the need for a Seller to have access to your personal and financial details
However Google has admitted to the OAIC that this statement is not accurate because personal information about the purchasers is disclosed to the product seller or service provider.

THE OAIC has found that the wording on the Google Play terms of service and the Google wallet privacy notice were vague and potentially misleading. It recommended Google to amend their policies by use more explicit wordings to inform customers that their personal details are routinely disclosed to third party product providers.

Google Gmail scanning:

Google is currently facing a class action in the USA for breaching privacy laws because the company actively scans incoming and outgoing emails on its Gmail services for keywords to create a more accurate digital profile of the user. Google did not disclose this practice in their consolidated privacy statement. California district Judge Judge Koh noted that Google's privacy policy doesn't specify that Google is scanning Gmail content when it describes the type of information it's collecting. Google attorney Whitty Somvichian replied that the company is attempting to have a single privacy policy for all of its services, it didn't separately reference every single product. He said it's "inconceivable that someone using a Gmail account would not be aware that the information in their email would be known to Google"

This issue was brought to the attention of the current privacy commissioner Timothy Pilgrim on the 7:30 Report, 04/09/2013. The official response was that the OAIC will put in place more stringent requirements for companies and organizations to disclose the data collection method and the type of personal information they acquired from the user.

Google Glasses
It is a new type of gadget which combines camera, GPS unit, internet access into one wearable device. OAIC, along with privacy agencies from Canada, European Union, Mexico submitted a joint letter to Google with regard to their concern of the potential breaches of privacy laws that can arise from Google glasses users. The privacy agencies stated that Google did not consult them during the development stages of this product. Google has already applied for patents which enable the glasses to track the user's eye movement, so it can identify the object the user is looking at. The glasses can gauge the type of emotional responses to objects by monitoring the level of pupil dilation. This has serious implication to the protection of the privacy of individuals because this gadget has the potential to collect and analysis the emotional data of an individual.

Future expansion of the Australian Privacy Act:
The OAIC is aware of the current limitation of the law in this area, and it has planned to replace the current Privacy Principles and National privacy Principles with the Australian Privacy Principles. These new principles are designed to expand on the current set of laws in order to improve on the transparency of how businesses handle the personal information of customers.
Companies are encouraged to have built in privacy protection measures in every stage of the business planning. In recognition of the growing concern over online data tracking and aggregation, APP 7 is created to address direct marketing which was not covered previously. However these new principles do not give user the legal right to request the company to fully disclose the complete details the company has gathered about the user.

Currently Google is still involved in street view court case with the US Federal government for wiretapping, even after the company had agreed to Google agreed to pay $7 million in fine, and destroy all the user information it collected from Street View vehicles. The company also received a 300 000 euro fine from France's CNIL, for the company's lack of transparency when detailing with user data collected from Youtube, Gmail, and from its search engines. Similar court cases are taking place in Spain, Germany, Britain, Italy and Netherlands.
By comparison, the Australian privacy act is relatively lenient. Google received no fines, but a warning and it was given a set of instructions to follow. Even after the company was found to have falsely declared that all personal data was destroyed, the OAIC decided to take no further actions, because of the current limitation of the law. However this will change From March 2014, organisations subject to the amended Privacy Act could face penalties from $340,000 for individuals and $1.7 million for corporations. These fines are the maximum civil penalties that the Privacy Commissioner will be able to hand down to organisations for serious or repeated violations of the Australian Privacy Principles.

Individual privacy vs. National security

The Australian Intelligence Community structure and brief history

The agencies represented on the National Intelligence Coordination Committee (NICC) make up the National Intelligence Community. The Heads of Intelligence Agencies Meeting (HIAM) brings together a sub-group of the national intelligence community comprising ONA, ASIS, ASIO, DSD, DIO and DIGO to consider issues relating specifically to Australia’s foreign intelligence activities. This sub-group forms the Australian Intelligence Community (AIC).

Australia's intelligence effort started in the lead-up to the First World War, when it emphasised counter-espionage. DuringtheSecondWorldWar, thefirstpartsofwhatbecametoday's AIC sigintorganisationwereformedtosupport US andAustralianforcesinthe Pacific. The Defence Signals Bureau (now known as the Defence Signals Directorate - DSD), formally came into existence in 1947. Today DSD has two principal functions: to collect and report on foreign communications in support of Australia's national and defence interests; and as the national authority on the security of information on communications and information systems across government.

Following the Second World War, the sigint focus was on Soviet communications. Concern about own security led to the establishment of the Australian Security Intelligence Organisation (ASIO) in 1949. Its immediate purpose was to pursue Russian spies.

The Australian Secret Intelligence Service (ASIS) was formed in the Department of Defence in 1952. It was modelled on its British counterpart (MI6) and focused on collecting humint and conducting operations in peacetime. It was in 1954 that responsibility for ASIS shifted to what we now call the Foreign Minister, but it wasn't until 1977 that the existence of ASIS was publicly acknowledged.

The AIC includes two assessment agencies. From the time of the Second World War the Department of Defence had an intelligence assessment arm. Following the war, it became the Joint Intelligence Bureau and then the Joint Intelligence Organisation in 1970, today we know it as the Defence Intelligence Organisation (DIO). It is the government's primary source of analytical expertise on weapons of mass destruction, military capabilities, defence economics and global military trends.
The Office of National Assessments (ONA) was established as an independent agency in 1978. It provides all-source assessments on international political, strategic and economic developments to the Prime Minister and senior ministers in the National Security Committee of Cabinet. It draws its information from other intelligence agencies, as well as diplomatic reporting, information and reporting from other government agencies, and open source material. It is also responsible for coordinating and evaluating Australia's foreign intelligence activities. It does this to ensure that the AIC can properly meet the intelligence needs of government.

The newest member of the AIC is the Defence Imagery and Geospatial Organisation (DIGO). Imagery intelligence had existed since 1964as an integrated part of DIO. As the importance of imagery increased, in 2000DIGO was formed. It provides digital and hardcopy maps and tailored imagery and geospatial products for incorporation into Geographic Information Systems. It has also established mapping programs with a range of regional countries.

The ASIO and ASIS comparative description

The primary responsibility of all the members of the AIC is to collect and assess foreign intelligence. ASIS and ASIO have in common the fact they both collect intelligence from human sources and are both members of the Australian Intelligence Community. However, there are substantial differences between the two agencies listed in the table below. ASIO ASIS
Mission Identify and investigate threats to security and provide advice to protect Australia, its people and its interests Protect and promote Australia's vital interests through the provision of unique foreign intelligence services as directed by Government
Main responsibilities • collect, analyse and report intelligence on threats to Australia's security;
• detect the intentions and activities of terrorists, people who seek to act violently for political reasons and people who seek to clandestinely obtain sensitive Australian information;
• provide security assessments and protective security advice. For example, ASIO conducts security assessments on people holding or seeking national security clearances; on some people wanting to enter or stay in Australia; and on people who want access to sensitive areas or goods, such as air and maritime port restricted zones. Protective security advice is provided to government agencies;
• cooperate closely with law enforcement agencies when there is a criminal link. However, ASIO is not a law enforcement body and have no powers of arrest. • collect foreign intelligence, not available by other means, which may impact on Australia's interests;
• distribute that intelligence to the Government, including key policy departments and agencies;
• undertake counter-intelligence activities which protect Australia's interests and initiatives; and,
• engage other intelligence and security services overseas in Australia's national interests.
Geographical limitation Limited by functions not by geography Foreign intelligence
Accountability framework ASIO Act 1979 The Intelligence Services Act 2001
Additional legislation  The Intelligence Services Act 2001
 The Telecommunications (Interception and Access) Act 1979
 The Inspector General of Intelligence and Security Act 1986
 Attorney-GeneralGuidelines  Financial Management and Accountability Act 1997
 Crimes Act 1914
 Archives Act 1983
 Commonwealth Authorities and Companies Act 1997

TheASIO’s balance between personal privacy rights and collective rights to security
As ASIO is the only agency in the Australian intelligence community authorised in the course of its normal duties to undertake investigations into, and collect intelligence on the activities of Australian citizens, it operates within a particularly stringent oversight and accountability framework.
The foundation of this framework is the ASIO Act, which has been crafted to ensure there is an appropriate balance between individual rights and the public’s collective right to security. Specifically, Part III of ASIO Act contains description of functions and powers of organisation.

First of all, Section 18 states that the communication of intelligence on behalf of the Organisation can be made only by the Director General or by a person acting within the limits of authority conferred on the person by the Director General. If a person makes a communication of any information or matter that has come to the knowledge or into the possession of the person by reason of his or her having entered into any contract, agreement or arrangement with the Organisation, the first mentioned person is guilty of an offencefor unauthorised communication of information and the penalty is imprisonment for 2 years.

ASIO does not collect intelligence on particular groups or individuals unless there is a security related reason to do so. It is behaviour and activity that determines ASIO’s interest.Like other investigative agencies, legislation grants ASIO powers to collect intelligence under warrant. The criteria for warrants are strictly prescribed and complemented by the Attorney-General’s Guidelines.
The Guidelines require investigations to be conducted with as little intrusion into privacy as possible, consistent with the national interest. ASIO’s methods are determined by the gravity and immediacy of the threat to security posed by the subject. Where the threat is assessed as serious, or could emerge quickly, a greater degree of intrusion may be necessary. Use of more intrusive powers — which are governed by strict warrant procedures — requires that the subject’s activities are, or are reasonably suspected to be, prejudicial to security. The warrant can authorize the Organisation to:
• use listening devices (means any instrument, device or equipment capable of being used, whether alone or in conjunction with any other instrument, device or equipment, to record or listen to words, images, sounds or signals)
• use tracking device for the purpose of tracking a person or an object
• access computers equipment or device (including remotely).Inspecting examining converting and copying any data to which access has been obtained. However, certain acts are not authorised such as manipulating or deletingdata
• enter and search premises (includes any land, place, vehicle, vessel or aircraft)
• conducting an ordinary search or a frisk search of a person, excluding a strip search or a search of a person’s body cavities
• examine postal articles. There are also questioning and detention warrants, subject to very stringent criteria, for use in serious counter-terrorism matters. These special powers have been conferred to Organisation by inserting a new Part IIIDivision 3 ‘Special powers relating to terrorism offences’ to ASIO act in 2003 after 9/11 terrorist attack in New York.
Also, amendments to the Australian Security Intelligence Organisation Act in 2010 introduced a new area of focus for the organisation, namely the investigation of people smuggling activities and other serious threats to Australia's territorial and border integrity. ASIO is now able to use its capabilities to support the whole-of-government effort in combating these threats.

Warrants are available, for a limited duration. For example, the warrant to enter the premises must not be more than 90 days and may state that it comes into force on a specified day (after the day of issue) or when a specified event happens. Besides, the day must not begin nor the event happen more than 28 days after the end of the day on which the warrant is issued. The computer access and use of listening and tracking devices warrant must also specify the period during which it is to remain in force but not more than 6 months.
ASIO must seek agreement from the Attorney-General satisfying tests set out in the relevant legislation before a warrant will be issued. The Attorney-General’s approval is also sought before warrants can be renewed. ASIO’s warranted activities are regularly scrutinised by the Inspector-General of Intelligence and Security.

The US Central Intelligence and National Security Agencies

In accordance with the legislation, ASIO may cooperate with the agencies of other countries in order to carry out its functions. In this context, and with the approval of the Attorney-General, ASIO may communicate with the security and intelligence authorities of a range of countries.
One of them is The United States Intelligence Community (IC) which is a federation of 16 separate United States government agencies that work separately and together to conductintelligence activities.

The Central Intelligence Agency (CIA) is the only one independent U.S. intelligence agency which reports to the Director of National Intelligence.The CIA operates around the world, using a series of agents on the ground to relay information back to the central offices in Virginia. So, CIA’s primary mission is to collect, analyse, evaluate, and disseminate foreign intelligence to assist the President and senior US government policymakers in making decisions relating to national security.
The result of this analytic effort is timely and objective assessments, free of any political bias, provided to senior US policymakers in the form of finished intelligence products that include written reports and oral briefings. One of these reports is the President’s Daily Brief (PDB),an Intelligence Community product, which the US president and other senior officials receive each day.
As a separate agency, CIA serves as an independent source of analysis on topics of concern and also works closely with the other organizations in the Intelligence Community, including the NSA/CSS.

The National Security Agency (NSA) is one of the largest of U.S. intelligence organizations in terms of personnel and budget and the main producer and manager of signals intelligence for the United States. It is actually combined with the Central Security Service (CSS), and it is primarily a cryptological organization. The NSAoperates under the jurisdiction of the Department of Defense and reports to the Director of National Intelligence.It is probably the least known and most poorly understood government intelligence agency. The NSA has no authority to conduct human-source intelligence gathering, however, NSA employees decrypt foreign intelligence, generate encryption keys to secure American information, and handle data processing for the United States government. In other words, the mission of the NSA is to break foreign intelligence codes while retaining the security of American information, which is accomplished through encryption, secured computer systems, and access control.

The NSA’s role in revealing private information

NSA is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the internet age, according to newly disclosed documents by Edward Snowden.
The Washington Post and the Guardian issued that the NSA was obtaining logs of the internet activity and stored data of users of the nine biggest internet companies in the US, including Microsoft, Google, Apple and Facebook.According to the Washington Post, on a single day last year, the NSA's Special Source Operations branch collected 444,743 email address books from Yahoo!, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers.
At Microsoft, spokesman Nicole Miller said the company "does not provide any government with direct or unfettered access to our customers' data", adding that "we would have significant concerns if these allegations about government actions are true".
Facebook spokesman Jodi Seth said "we did not know and did not assist" in the NSA's interception of contact lists.
Also, the documents show that the agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data such as trade secrets and medical records, and automatically secures the emails, web searches, internet chats and phone calls of Americans and others around the world. Additionally, extracting private information enables analysts to track a person’s movements and contacts.
The full extent of the NSA's decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes (USA, Britain, Canada, Australia and New Zealand).
Australia's spy agency ASIO said it "would be inappropriate" for it to comment on the allegations concerning private companies or the security agency of another nation.

The NSA’s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of private emails or phone calls without a warrant. But it shows that the agency, which was sharply rebuked by a federal judge in 2011 for violating the rules and misleading the Foreign Intelligence Surveillance Court, cannot necessarily be limited by privacy laws. NSA rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyse its technical features.
Report Conclusion

Throughout case study related to privacy issues, it is noticeable that although the Privacy Act has been in force for a long time, there is little case law clearly interpreting this Act. Also the reform of this Act has many effects on the Credit Reporting Privacy. However, individuals should consider strength and weakness of this reform so that they will be able to avoid ravage in using credit information.
Businesses are required by law to protect its customers’ personal information. They have to be more diligent in their efforts to ensure their business practices will not breach any privacy laws.
The traditional way of recording and storing of health data has been changing lately with the technology development. The new systems and software have been developed and incorporated in everyday processes. However, the legislation needs to be more specific in term of regulation and protection the private health information.
It has been proven that online service companies can derive sensitive personal information from general, non sensitive information left behind by a user’s internet activities. The current set and the new set of privacy principles will not make a significant impact on limiting the gathering of this non sensitive information. Also the penalties for any breaches of these principles are still relatively weak compare to other developed countries.
There is a constant debate about the level of compromise between personal privacy and national security. The government allowed intelligence agencies to obtain information outside of the boundaries of the current privacy laws. This has caused great concern among the general public and corporations around the world.
The report has found cases of businesses and health care providers not being fully aware of the obligations they have to protect the private information of their customers, and how will the new reforms in 2014 may help to improve the level of privacy protection in this area. The report also explained the methods used by tech service providers and data mining companies to circumnavigate the current and future laws. Finally, the report also discuss the delicate balance between people's right to privacy and the need to provide national security.

References:
1. Privacy Act ‐ Australian Government – Office of the Australian Information Commissioner.
2. http://www.oaic.gov.au/privacy/privacy‐act/the‐privacy‐act

3. John Kavangah , “Tougher stand take on credit files”, 30/June/2012. http://www.smh.com.au/money/borrowing/tougher‐stand‐taken‐on‐credit‐files‐20120629‐217q4.html

4. Credit Reporting Code of Conduct ‐ Australian Government – Office of the Australian Information Commissioner.
5. http://www.oaic.gov.au/privacy/applying‐privacy‐law/legally‐binding‐
6. privacy‐guidelines‐and‐rules/credit‐reporting‐code‐of‐condu

1. James, Nickolas,(2010), Australia, Business Law, 1st edition, John Wiley& Sons Australia
2. Klosek Jacqueline,2007, How Business Can Protect Their Customers’ Privacy, viewed 29 September2013,
3. Horniak Virginia, 2004, Privacy of Communication-Ethics and Technology, Malardalen University,viewed29September2013,
4. Knight Ben, 2003, Telstra debts affect consumer credit ratings, ABC, viewed 29 September2013 < http://www.abc.net.au/pm/content/2003/s875586.htm>
5. MrFairGo, 2010, Protect Yourself from Information Predators, Meta, viewed 29 September2013,
6. < http://communicationprivacy.com/protect-yourself-from-information-predators>
7. Timothy pilgrim, 2012, Telstra Corporation Limited: Own motive investigation report, Australian Government,viewedon01October2013,
8. Privacy Act 1988, Australian Government, viewed on 02 october,2013,

Similar Documents

Free Essay

Law Report

...Criminal law report REGINA V. SORRELL [2003] NSWSC 30 (7TH February 2003) 1.0 Introduction This report is about Michael Furlong who was shopping for an electronic part at a shop in Smithfield. As he left the store, Sorrell approached him and fatally stabbed Michael Furlong with a hunting knife. Sorrell was found to be not guilty of murder on the grounds that he was mentally ill when he committed the crime. Sorrell suffered from paranoid schizophrenia. 2.0 Procedures of the case This Act is the Crimes Act 1900. PARTIES INVOLVED: Regina v. Sorrell, Michael Peter At about 4pm on 3rd June 2002, Michael Furlong, the victim and his brother Glen went to R.S. Components, an electrical retailer, at Smithfield to purchase electrical components. The accused was then present. He left the store shortly after. The victim and his brother had left the store and went to another electrical store in Smithfield. They were followed by the accused. When they returned to their vehicle having entered the store, the accused approached them, and, after speaking to the victim, killed the victim with a knife and chased the victim’s brother. The following day at about 3:20am the accused was apprehended asleep in his vehicle with a large hunting knife present with him, presumably the knife with which the offence was committed. He was in possession of the victim’s wallet which enabled the police to link the accused to the offence. 3.0 Court Proceedings In the R...

Words: 1592 - Pages: 7

Free Essay

Employment Law Report

...The purpose of this report is to describe three employment laws and the consequences of non-compliance. The three employment laws covered are Title VII of the 1964 Civil Rights Act, The Civil Rights Act of 1991, and The Americans with Disabilities Act; all three employment laws written about are an explanation of non-compliance. There is also an assessment on how an organization can ensure compliance with employment laws. Title VII of the 1964 Civil Rights Act Title VII of the 1964 Civil Rights Act was one law instated to ensure equal employment opportunities for all people no matter his or her race, religion, color, national origin, or gender. The 1972 Equal Employment Opportunity, Title VII states that showing any discrimination towards an employee by an employer bases on the applicants or employees race, color, religion, sex, or national origin is discrimination and will be viewed as unlawful. There are two major functions of the Act regarding discrimination: 1. Showing failure to hire an individual or refusing to hire an individual based on the terms outlined in the act are discrimination. In addition to the hiring process, relieving an individual from his or her duties within an organization, refusing benefits or compensation, changing one’s terms of employment or privileges of employment including any employment conditions of said employee based on race, color, religion, sex, or national origin is viewed as a company practicing discrimination. 2. Practicing...

Words: 1206 - Pages: 5

Free Essay

Law Report

...Case #2 Offences and Facts * An 18 year old sexual sadist has been charged and convicted of threatening bodily harm. * He had also been expelled from another school for sexual assault. * Judge De Filippis has forbidden the teen from accessing websites containing any bondage, necrophilia, sadism and masochism. * The judge also includes a prohibition against any websites wherein content’s “dominant characteristic is undue exploitation if sex, or sex and crime or cruelty and violence * Teen previously sought help through similar program for sexual offenders. The sadist was deemed ineligible because he hadn’t committed an offence. * The conviction of threatening bodily injury carries a sentence of a 3 year probationary period. He also will be required to receive 18 months of counseling, via an Intensive Support and Supervision program. * History of attempted suicide * Described as depressed, lonely, and harboring sick tendencies * Unhealthy obsessions that put both him and the public at risk Actus Reus and Mens Rea * The Mens Rea began when the teenager, wrote and drew images of sexual sadism into his notebook (defecated faces, broken limbs, dead bodies) these images suggest the intent and knowledge to commit such an act * Mens Rea is also found throughout his personal webpage, and throughout the various smut websites the teen visited. * The Actus Reus of threatening bodily injury happened when the teen went to Facebook...

Words: 506 - Pages: 3

Premium Essay

Law Court Report

...Law Report – Appendix Court | Date | Name | Case | Stage | Noted as | Supreme | 25/03/09 | Anthony Farell V R | Criminal | Appeal | C1 | | | Mohammed Ali V South Eastern Sydney Area Health Service | Civil | Trial | C2 | | | Gerard Michael Mcguirk V UNSW | Civil | Trial | C3 | District | 27/03/09 | R V Liam Paul Irwin | Criminal | Appeal (severity) | C4 | | | R V Warren James Ure | Criminal | Trial (adjourned for sentence – part heard) | C5 | Court Report Note: Refer to appendix for the case denoted by C1-5] The court is the medium in which judges and magistrates interpret the constitution as it applies today to administer justice; their judgements ultimately contribute to the doctrine of precedents. Australia has mainly adopted an adversarial system within a hierarchical court system in which the courts have specific jurisdictions. Two such examples witnessed are the District and the Supreme Courts – proceedings may be similar but their severity may differ but both seek to serve justice. At the district court cases C4 and C5 were seen first-hand with the former being a criminal appeal and the latter a criminal trial. In C4 the defendant had become a nuisance and acted violently. Subsequently he was placed under a bond, this was breached which led to the magistrate sentencing an imprisonment term but was appealed successfully against. Additionally, in C5 the defendant was prosecuted for carrying illicit drugs but argument focused on whether...

Words: 797 - Pages: 4

Premium Essay

Business Law Report

...Part A: Question 1 Step 1: The legal issue of this case is to establish if there are legal intentions and also consideration that is required for contract. Step 2: An agreement is a compilation of acceptance and offer that both parties are able to agree on. An agreement is not able to form without the two components. An offer must be concise to the extent where it may be easily be approached to the other party to contract, which make the offer a legally binding document. An offer must be completed thoroughly and promissory, only then it can be considered an offer. A completed offer is defined as both party had come to an agreement and both parties understand the term and condition of the offer. The other feature of a completed offer is that the offer must be promissory, which is to say that if one of the both parties are unwilling to live up to the promise the promise is said to be illusory because it does not show that there are any changes in the context of the contract. In addition illusory promise cannot be enforced if there are no changes in the context of the contract(Lambiris 2010 pg 38). In the case of Placer Development Ltd v Commonwealth(1969)121 CLR 353, a subsidy would be paid to companies who imported timber into the country which is Australia by the commonwealth government. The Government did pay the importers the subsidy for a period of time but stopped for an unknown reason. Placer had imported a sum of timber and wants the government to pay...

Words: 3252 - Pages: 14

Premium Essay

Kirchhoff's Law Lab Report

...EXPERIMENT 9: KIRCHOFF’S RULES Introduction Kirchhoff’s Law is defined through two separate components which are Kirchhoff’s Current Law and Kirchhoff’s Voltage Law. These two laws are collinearly related through its total summation being which is equal to 0, except that for Kirchhoff’s Current Law having its variables to be of currents flowing into and outward a node (fig.1), and for Kirchhoff’s Voltage Law having its variables in terms of the drops and rises of its voltages in a closed loop (fig. 2). ∑▒I_in +∑▒I_out =0 Figure 1: Kirchhoff’s Current Law ∑▒V=0 Figure 2: Kirchhoff’s Voltage Law For experiment 9 entitled Kirchhoff’s Rules, the activity hoped to exemplify and prove Kirchhoff’s Law in mainly one aspect of his law which...

Words: 707 - Pages: 3

Premium Essay

Coulomb's Law Lab Report

...This problem emphasizes the fact that even if we have two different charges, mutual electrostatic force between them will be same. 1.8 Coulomb’s Law in Vector Form As force is a vector quantity, it has some magnitude as well as direction. We will write coulomb’s law in vector form so that it will represent magnitude as well as direction of electrostatic force. Consider two charges q1 and q2 separated by distance r. First of all we will define . It is the vector joining charge q1 and q2. Unit vector along Where From Coulomb’s law As direction of force is along  Quiz-5 If two charges of magnitude + q1 and – q2 are separated by a distance r, then find out force acting on the charge –q2. Sol. First define ....

Words: 1644 - Pages: 7

Free Essay

Oscola

...OSCOLA Oxford Standard for the Citation of Legal Authorities Fourth Edition Faculty of Law, University of Oxford www.law.ox.ac.uk/oscola Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1 1 General notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 1 .1 Citations and footnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 1 .1 .1 1 .1 .2 1 .1 .3 1 .1 .4 Citing cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Citing legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Citing secondary sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Order of sources in footnotes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 1 .2 Subsequent citations, cross-references and Latin ‘gadgets’ . . . . . . . . . . . . .5 1 .2 .1 Subsequent citations . . . . . . . . . . . . . . . . . . . . . . ....

Words: 18564 - Pages: 75

Premium Essay

Good

...AGLC Deakin University guide to referencing Before using this referencing guide you should always consult your unit guide to determine the required style. If you are still unsure, please check with your unit chair, lecturer or tutor. This resource is based on the Australian Guide to Legal Citation (AGLC). For further details and examples of citations refer to: Australian Guide to Legal Citation (Melbourne University Law Review Association Inc, 3rd ed, 2010). deakin.edu.au/referencing deakin.edu.au/referencing Last updated 28 April 2014 Table of Contents General principles ...........................................................................................................................3 Footnotes ........................................................................................................................................... 3 Quotation style .................................................................................................................................. 4 Bibliography ....................................................................................................................................... 4 Repeat citations ................................................................................................................................. 6 Square and round brackets in citations ............................................................................................. 7 Group author ...................................

Words: 4437 - Pages: 18

Premium Essay

Manhunt

...Seal and former LAPD officer. Christopher Dorner had been fired from the LAPD nearly four years ago after reporting unnecessary conduct by another officer and in those four years he was planning something no one saw coming. Dorner posted a manifesto on his social network page and on February 3, 2013 it all began! His first 2 victims had been shot and killed and there were more deaths to follow. Dorner was after any and all law enforcement and anyone involved with them and LAPD had no idea what else was in store. The manhunt lasted for a little over a week and authorities had no idea where he was or what his next move could have been. Somehow, they caught up with him finally and it all ended with a cabin on fire and Dorner allegedly dead. ABC 7 was not subjective, they reported the information they had, and the reporters did not seem to make subjective comments in the first report. Some information I found odd to be reported was the preschool Dorner attended. Has the reports continued, it started to seem like all the stations were being subjective in their reports. Fox 11 news was the most subjective; the reporters shared how terrible they thought the events were and hoped for Dorner’s capture. In both stations the information that was omitted or never spoken of in detail was how good of a person everyone knew Christopher Dorner as. There were people who wanted to share their experiences with him and who have known him for years and never thought of him as a killer, but apparently...

Words: 1257 - Pages: 6

Premium Essay

Manhunt

...Seal and former LAPD officer. Christopher Dorner had been fired from the LAPD nearly four years ago after reporting unnecessary conduct by another officer and in those four years he was planning something no one saw coming. Dorner posted a manifesto on his social network page and on February 3, 2013 it all began! His first 2 victims had been shot and killed and there were more deaths to follow. Dorner was after any and all law enforcement and anyone involved with them and LAPD had no idea what else was in store. The manhunt lasted for a little over a week and authorities had no idea where he was or what his next move could have been. Somehow, they caught up with him finally and it all ended with a cabin on fire and Dorner allegedly dead. ABC 7 was not subjective, they reported the information they had, and the reporters did not seem to make subjective comments in the first report. Some information I found odd to be reported was the preschool Dorner attended. Has the reports continued, it started to seem like all the stations were being subjective in their reports. Fox 11 news was the most subjective; the reporters shared how terrible they thought the events were and hoped for Dorner’s capture. In both stations the information that was omitted or never spoken of in detail was how good of a person everyone knew Christopher Dorner as. There were people who wanted to share their experiences with him and who have known him for years and never thought of him as a killer, but apparently...

Words: 1256 - Pages: 6

Free Essay

Circuit Design

...Laboratory Report Format 1. Title Page: The following is an example of the proper lab report title page format. Of course, you must substitute information pertinent to the specific lab and course. The title page will be a single, whole page. Laboratory Exercise #1 Verification of Ohm's Law by Fred Derf Lab Partner: Jonathan Dough EETH 1811 Electronic Circuit Technology Lecture Section 001 Lab Section 101 Performed on: February 31, 1994 Submitted on: March 1, 1994 To: Dr. Pepper 2. Objective(s) Describe in formal language (third person impersonal) the objective(s) of the lab. State the rules or theories to be investigated in the lab. Rule of thumb: someone else, using the same knowledge you have, should be able to complete the task given this information alone. In some cases, lab objectives may be given to you. You should expand these supplied objectives whenever appropriate. List all components (including values) and major equipment required to perform the exercise. Be sure to include make, model, and serial numbers of all equipment used. This listing should not include items such as meter leads or jumper wires, which are required for the use of the laboratory equipment. By listing the equipment itself it is implied that the necessary meter leads or other connecting apparatus is included. Provide all detailed schematics which, when implemented, will produce the results desired. Do not include developmental schematics here. Computer drawn schematics are preferable...

Words: 772 - Pages: 4

Premium Essay

Accountability in Reporting Memo

...types of entities. The not-for –profit sector receives money from the government, pledges, contributions and donations. The government receives money from taxpaying citizens and may be financed through bills or laws passed through Congress and the Senate. In order to maintain integrity with these entities, the people that the money comes from need to know where their hard -earned money is going. There have been at least two boards set up: the Governmental Accounting Standards board and the Financial Accounting Stand Board. These boards have installed several statements of standards that tell what type of items needs to be reported. They also set the standard on how to report these financial statements. These recommendations have come down from audiences such as the one reading this memorandum, the nonfinancial audience. The boards mentioned above are reviewing audit reports that receive federal grants and donations. This is to make sure independent audit firms are in compliance with all regulations. Another thing that has come down from the nonfinancial audience is the change in the reports has made it easier and simpler to understand for people that have a complete grasp on numbers. Each person that reads a financial report will be able to easily understand where the funds came from, how much money came in, and when and where the funds were spent. This simplicity in reporting makes it very easy not to take items out of proportion...

Words: 617 - Pages: 3

Premium Essay

Ethics and Tarvydas Model

...Ethics and Tarvydas Model Laura Garcia PSYC 410 Dr. Lane October 26, 2014 Ethics and Tarvydas Model 1. The counselor receives an intake for an attending physician, whom has worked with the agency in the past. This intake call is inquiring on a personal matter regarding his 17 year old daughter with an eating disorder / exhibited symptoms of Borderline Personality Disorder. It is relayed during the call; the physician will continue the medication management portion of treatment, while the agency provides counseling services. It was presented during the intake he was concern with being well-known doctor that would like to keep this information private from others and would like to pay cash for service. Phase 1: The counselor is aware of the physician’s rights to keep his daughters condition private, however providing medication to a family member is cause for concern when there may not have been a proper assessment completed or if it is not being documented properly. The influence the medication can influence the process of therapy; especially when there may be no medical documentation of initial symptoms can cause various problems with treatment. It is important in determining if there is medical documentation supporting the diagnosis/medication and what types of tools were used in determining those findings. Determine why she was not referred to an agency earlier, and why is it in the best interest for the physician to continue medication when the counselor would...

Words: 1785 - Pages: 8

Free Essay

Ethical Behavior

...Sarbares Oxley Act of 2002 (SOX). The Sarbanes Oxley Law was approved as a consequence of lots of corporate scams, this corporates intend to provide fake statements for potential investors, Recent articles write and posted on numerous websites are reviewing how to identify potential factors leading to unethical behavior or practices. But the most recent and trustful article is called “Becoming a More Relational Firm in the Post-Sarbans-Oxley Era”. As expressed by the article, the effects of SOX Law has influenced fiscal reports in a lot of ways. The law has required that impartial companies must audit the fiscal reports in which positions of the auditors must be rotated frequently, to ensure that scam cannot be made by the same auditor from year to year, and it’s apply in different sections: * Section 303: This section needs senior management to approve the accuracy and dependability of fiscal reports, meaning that the fiscal reports must be sign for the CEO or CFO of the organization they need to certify that they analize the reports and assure that the reports are accurate. The executives will be held accountable for any mistakes or irregularities by signing authentic records being aware that they will be held responsible for any intend to commit fraud * Section 302: Management needs to submit all material in detail to the SEC( securities & exchange commission) * Section 401: The publisher if the fiscal report is accountable for the accuracy and precision for...

Words: 472 - Pages: 2