[LINK] ID theft brings tech to law

Bernard Robertson-Dunn brd at iimetro.com.au
Tue Sep 18 08:50:27 AEST 2007


ID theft brings tech to law
Karen Dearne
September 18, 2007
Australian IT
http://www.australianit.news.com.au/story/0,24897,22435327-15306,00.html

Policy makers will have to abandon their technology-neutral approach to privacy laws in order to tackle the epidemic of identity theft, a leading technology industry body warns.

"To date, ministers and bureaucrats have avoided getting into the risky area of picking winners in technology," said Stephen Wilson, chair of the Australian Electrical and Electronic Manufacturers' Association (AEEMA) information security forum.

"This is why we've traditionally had a light-touch regime, but the things we're grappling with now around privacy, identity theft and cybercrime are so difficult we're going to have to take a greater interest in technology.

"That means someone needs to be acknowledging the strengths and weaknesses of different and competing technologies. We're seeing a change of climate around that." The concept of technology neutrality - which meant legislation was drafted to apply to the handling of information in any context - was past its use-by date, Mr Wilson said.

"It's a good legal philosophy, but when it comes down to codes of practice and standards for government and banking services, indifference to the technology at the coalface is really dangerous," he said. Mr Wilson said AEEMA would welcome a "real debate" on the technological implications for privacy and cybercrime as part of the Australian Law Reform Commission's preparation of final recommendations on reform of the federal Privacy Act.

The commission last week released a blueprint of 301 proposed changes to the Privacy Act in a mammoth discussion paper, Review of Australian Privacy Law. Professor Les McCrimmon, the commissioner in charge of the inquiry, says people want to know when their personal information has been compromised because of the heightened risk of identity theft and online fraud.

Here's a brief look at some of the issues raised:

*> Identifiers and data matching. Privacy rules that prevent the use of identifying numbers assigned by other parties should be extended to public-sector agencies.

The planned health and welfare access card would be caught by this provision under the proposed Unified Privacy Principle on identifiers.

The commission says the Privacy Act policy intention of preventing identifiers becoming de facto national identity numbers remains relevant for federal government schemes.

Privacy concerns about data matching include revealing previously unknown information about individuals without their knowledge or consent, profiling of individuals and compiling data sets based on possibly inaccurate information without right of correction, and database security.

The Tax File Number scheme provides an example of the risk of function creep with unique multi-purpose identifiers.

*> Biometrics. Certain types of biometric information are sensitive and should have better protection.

Because a biometric is linked to an individual's characteristics, it can provide a template that allows impersonation or may reveal additional information, such as a person's cultural origins.

*> Data breaches and identity theft. Businesses should be obliged to notify customers of any authorised access to personal information where there is a real risk of harm.
Data breaches caused by inadequate security would be mandatory.

The law reform commission suggests identity theft should become a criminal offence under federal law.

Where identity theft occurs, victims should be able to report details to a credit reporting agency as a means of protecting credit ratings.

*> Information sent overseas. The commission suggests businesses should be able to outsource data processing to nations that have comparable data protection laws. Where states do not meet an acceptable standard, companies would remain liable for any breaches of privacy.

Public-sector agencies should also have to comply with rules covering data sent offshore.

*> Small business exemption. Businesses with an annual turnover of $3 million or less have been exempt from the Privacy Act, but the exemption has been criticised, particularly as an estimated 94 per cent of businesses fall below this limit.

*> Political exemption. The commission says "there is no justification" for politicians to be exempt from requirements to collect information by lawful and fair means, to ensure its quality and security, and allow individuals the right to access and correct information.

It proposes abolishing the exemption so political parties are subject to the same rules as businesses and agencies.

*> Media exemption. Journalists and media companies are generally exempt from the Privacy Act, and this will remain the case.

*> Employee records. The employee records exemption should go. Private-sector organisations must handle workers' information with the same care required for other personal data.

However, the commission will allow protection for information such as references.

*> Personal information on the web. The internet creates greater opportunities for personal information to be published, sometimes anonymously and sometimes without the person's knowledge or consent.

Popular social sites such as MySpace and Facebook may be open to exploitation, especially if young people are involved.

The commission is canvassing a take-down notice scheme that would require a website operator to remove information that may constitute an invasion of someone's privacy.

This could be similar to the scheme run by the Classification Board, which can order the removal of prohibited content.

The commission also proposes designating email and internet protocol addresses as private information under certain circumstances.

Submissions are due by December 7. The law reform commission is required to present its recommendations to the federal Attorney-General by March 31, 2008.

-- 
Regards
brd

Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au

 



