Law Report

Submitted By JDRASELLE
Contemporary Privacy Issues Report Introduction

Privacy is one of the fundamental human rights: every individual should have full control over their personal information. However, due to the continuous evolution of society and technology, a person's right to privacy has been eroded. This report discusses contemporary privacy issues at different levels and in different areas, with a specific focus on credit reporting, the protection of customers' private information by businesses, health records, internet data and government intelligence access to information. Sections of the current Privacy Act 1988, the new Australian Privacy Principles 2014 and legislation related to the topic areas mentioned above will also be discussed in detail, and the effectiveness of these laws will be analysed.

A person's credit history contains a vast amount of personally sensitive information which has a high commercial value; it is therefore extremely important to ensure that businesses adhere to the Privacy Act to prevent the unauthorised use of this information. Any misuse of the information can cause great personal and financial harm to the victim.

Privacy of health information is a fundamental principle in health care. A lack of privacy for health information might result in people not seeking the health care they need, which might be very risky to their own health and the health of others.

The rate of technological development is accelerating so quickly that current laws are becoming irrelevant to the business practices of online service providers. Businesses can collect non-sensitive information from a number of sources and combine the results to form a comprehensive profile of an individual.

Intelligence agencies also play a significant role in collecting, analysing and storing different types of information all over the world. The reason for their existence is the protection of the security and interests of their country and its citizens. Consequently, agencies are given special powers to legally collect personal information. However, with the growth of such powers, the debate on the balance between security and privacy in the modern world is raging.

The report will review the changes to the legislation that come into effect in March 2014 and their potential influence on privacy issues in the future.

Privacy Act 1988 and Credit Reporting Privacy

1. BACKGROUND OF PRIVACY ACT 1988:
• Definition of Privacy Act 1988:
The Privacy Act 1988 is an Australian law passed at the end of 1988 which commenced in 1989. It sets out in detail how the collection, use, storage and disclosure of personal information must be handled to be lawful. Personal information is defined as “… information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.” Personal information includes tax file numbers, health information, sensitive information and credit information. Currently different states and territories have different regimes regulating how personal information is handled, but the Privacy Act generally requires agencies and organisations to handle sensitive information with particular care, because sensitive information includes information or an opinion about an individual's ethnic origin, health or medical information, sexual preferences or practices, genetic information, criminal record and political opinions.
Based on its two initial objectives, which were the protection of personal information in the possession of Australian Government departments and agencies, and safeguards for the collection and use of tax file numbers, the eleven Information Privacy Principles (IPPs) of the Privacy Act set out how Australian, Australian Capital Territory and Norfolk Island public sector agencies handle personal information. These IPPs also allow individuals to request access to their own information and to ask for information to be amended or deleted. Afterwards, in December 2000, Parliament passed the Privacy Amendment (Private Sector) Act 2000 with an additional ten National Privacy Principles (NPPs) that apply to private sector organisations. These NPPs permit individuals to access information and have it corrected if that information is wrong. In addition, the Privacy Act contains credit reporting provisions that deal with the use of credit reports and other creditworthiness information by credit reporting agencies, credit providers and third parties.

Besides the two initial objectives above, the Privacy Act also covers other concepts such as confidentiality, secrecy and intellectual property. Confidentiality refers to communications between individuals such as a client and lawyer, a patient and medical professional, or a source and journalist. Secrecy imposes an obligation of confidentiality in relation to the handling of government information. Intellectual property refers to proprietary knowledge and the creations of the human mind.
• Brief description about the privacy law reform
On 23 May 2012, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 was introduced to Parliament with significant changes to the Privacy Act. In particular, thirteen new chapters of Australian Privacy Principles (APPs) will replace the existing Information Privacy Principles and National Privacy Principles. Among those thirteen new chapters, chapter 7, on the use and disclosure of personal information for direct marketing, and chapter 8, on cross-border disclosure of personal information, are considered a significant departure from the current principles. Moreover, the privacy law reform has enhanced the powers of the Australian Information Commissioner. Under the reform, the Commissioner may accept enforceable undertakings, seek civil penalties in serious cases or for repeated breaches of privacy, and conduct assessments of privacy performance for both Australian government agencies and businesses. Finally, the Privacy Amendment Act 2012 made credit reporting more comprehensive. Although the Privacy Amendment Act was passed on 29 November 2012, its provisions will not commence until 12 March 2014.
• Brief description about other legislation:
Besides the Privacy Act 1988, there are a number of other Australian laws related to privacy, covering Medicare, criminal records, the personal property securities register and so on. However, this paper studies privacy in health, Internet communications and other technologies, credit and finance, and identity security. Therefore, the Personally Controlled Electronic Health Records Act 2012 and some other legislation are discussed in detail in each related privacy section.
• In conclusion, even though the Privacy Act has been in force for nearly twenty years and has been supplemented by many other pieces of legislation, law reform is still under way. Consequently there is little case law clearly interpreting this Act.

2. CREDIT REPORTING PRIVACY:
In order to understand the content of credit reporting privacy, especially Part IIIA of the Privacy Act 1988, credit reporting should first be defined. A credit report is a record containing information about an individual's dealings with credit providers. This information includes: personal details; records of credit applications made by that individual in the past five years; records of some current loans; accounts where the individual has been in default for over 60 days; court judgments; dishonoured cheques where the amount is over $100 and the cheque was presented twice; serious credit infringements; and bankruptcy orders.
The credit report is held by a credit reporting agency and accessed by credit providers, with that individual's consent, to find out about his/her credit history. This can be seen as a way of warning credit providers about borrowers who have not reliably repaid their past loans.
2.1. Part IIIA of the Privacy Act 1988:
Because credit information is sensitive, Part IIIA of the Privacy Act 1988 provides safeguards for individuals in relation to the use of credit reports, by governing how creditworthiness information is used by credit reporting agencies and credit providers and by limiting the number of other recipients. These safeguards are explained clearly through the key requirements of Part IIIA of the Privacy Act 1988:
• There are strict limits on the type of information that can be held on a person's credit information file by a credit reporting agency, and on how long it can be held. Moreover, there are limits on who can access that information. Generally only credit providers may access it, and only for specific purposes, while real estate agents, debt collectors and employers are barred from access. This is because, according to Credit Provider Determination No. 2011-2, all corporations regarded as credit providers for this purpose belong to the following classes:
“… a corporation where, in relation to a transaction, it is considering providing or has provided a loan in respect of the provision of goods or services on terms which allow the deferral of payment, in full or in part, for at least seven days.” Or
“a corporation engaged in the hiring, leasing or renting of goods, where, in relation to a transaction, no amount, or an amount less than the value of the goods, is paid as deposit for return of the goods, and the relevant arrangement is one of at least seven days duration.”
• Furthermore, the specific purposes only include assessing an application for consumer credit or commercial credit, assessing whether to accept a person as guarantor for a loan applied for by another person, and collecting overdue payments.
• Credit providers are prohibited from disclosing creditworthiness information, including a credit report from a credit reporting agency, except in some specified circumstances, such as disclosure to a mortgage insurer or a debt collector.
2.2. Credit Reporting Code of Conduct:
Together with Part IIIA of the Privacy Act, the Credit Reporting Code of Conduct, which was issued by the Privacy Commissioner in 1991 and became fully operational in February 1992, applies information privacy principles to the specialised area of consumer credit reporting. This code of conduct also supplements Part IIIA on matters not addressed by the Act. In particular, it requires credit providers and credit reporting agencies to:
• “Deal promptly with individual requests for access and amendment of personal credit information
• Ensure that only permitted and accurate information is included in an individual’s credit information file.
• Keep adequate records in regard to any disclosure of personal credit information
• Adopt specific procedures in settling credit-reporting disputes
• Provide staff training on the requirements of the Privacy Act.”
Besides the requirements that apply to both credit reporting agencies and credit providers, the Credit Reporting Code of Conduct also applies special provisions to each body exclusively. Those provisions require credit reporting agencies, for example, to allow individuals to indicate which previous recipients of reports about them should be advised of amendments to their files; to ensure that members who use the agencies are aware of their responsibilities under the Act; and to report to the Privacy Commissioner on the occurrence of “serious credit infringement” listings prior to notice of default. Meanwhile, credit providers are exclusively required to take certain steps before reporting an overdue payment to a credit reporting agency, and to promptly report to a credit reporting agency the cessation of an individual's credit obligations.

2.3. Privacy Reforms on Credit Reporting:
As mentioned above, the Privacy Amendment Act was passed on 29 November 2012. As part of that reform, credit reporting in Australia is regulated by a new Part IIIA[1] with the following content:
• “… allow the reporting of information about an individual’s current credit commitments and his/her repayment history information over the previous two years
• a simplified and enhanced correction and complaints process
• a prohibition on the reporting of credit related information about children
• a prohibition on the reporting of defaults of less than $150
• the introduction of specific rules to deal with pre-screening of credit offers
• the introduction of specific provisions that allow an individual to freeze access to their credit related personal information in cases of suspected identity theft or fraud.
• The introduction of civil penalties for breaches of certain credit reporting provisions.”
This new scheme was introduced to facilitate better assessment of consumer credit risk by creating greater transparency. The industry may therefore receive a more comprehensive view of the consumer's credit position. Consumers, in return for providing their credit information, will be compensated if they are adversely affected by a contravention of the credit reporting provisions, and courts will be given the power to order compensation in cases where a civil penalty provision has been contravened.
However, some commentators are concerned that recording a “serious credit infringement” can involve a degree of subjective assessment of credit files. This is because a serious credit infringement is defined by Privacy Act s6 as “an act done by a person that involves fraudulently obtaining credit, or attempting fraudulently to obtain credit; or that involves fraudulently evading the person’s obligations in relation to credit; or attempting fraudulently to evade those obligations; or that a reasonable person would consider indicates an intention, on the part of the first-mentioned person, no longer to comply with the first-mentioned person’s obligations in relation to credit.” Furthermore, some consumers are being charged hundreds of dollars to have errors in their credit files corrected, which they could do themselves for nothing. In other cases, credit repair companies have used aggressive tactics to try to persuade the consumer to enter Part IX insolvency arrangements that they subsequently administer for a fee.

Therefore, according to the co-ordinator of the New South Wales Consumer Credit Legal Centre, Karen Cox, consumers should be wary of dealing with credit repair companies, because they charge large upfront fees to investigate a consumer's credit file and “clear” the file.
The last point of concern related to the new credit reporting privacy scheme is staff training. According to Minter Ellison special counsel Veronica Scott, staff training is essential because most data breaches are caused by simple human error. When the new civil penalty regime takes effect in March 2014, organisations and individuals could face significant financial penalties for repeated serious data breaches.

Health Information Privacy:

1. Introduction and definition of health information

Privacy of health information is fundamental to good quality health care. Traditionally, health service providers (such as doctors, dentists, nurses, physiotherapists and pharmacists) owe a duty of confidentiality to health consumers. The duty of confidentiality requires that collected health information is used only for the purpose for which it was provided.

The Privacy Act defines ‘health information’ as follows:

(a) information or an opinion about:
(i) the health or a disability (at any time) of an individual; or
(ii) an individual’s expressed wishes about the future provision of health services to him or her; or
(iii) a health service provided, or to be provided, to an individual; that is also personal information; or
(b) other personal information collected to provide, or in providing, a health service; or
(c) other personal information about an individual collected in connection with the donation, or intended donation, by the individual of his or her body parts, organs or body substances; or
(d) genetic information about an individual in a form that is, or could be, predictive of the health of the individual or a genetic relative of the individual.
Health information is regarded as one of the most sensitive types of personal information. Collection of health information also requires the consent of the individual involved.

Privacy legislation regulating the handling of health information
Health information is represented differently in different laws. It is included either in personal information or sensitive information or is defined separately.
Legislative powers in Australia are divided between the Australian Parliament and the six state parliaments. As seen in Table 1, the Australian Parliament and a number of states and territories have passed legislation relating to privacy, and this has resulted in some overlap and duplication. In states where there is no privacy legislation, state government agencies are required to comply with administrative privacy regimes.

| Jurisdiction | Public Sector | Private Sector |
|---|---|---|
| Commonwealth | Privacy Act 1988 (Cth) | Privacy Act 1988 (Cth) |
| NSW | Health Records and Information Privacy Act 2002 (NSW) | Health Records and Information Privacy Act 2002 (NSW); Privacy Act 1988 (Cth) |
| VIC | Health Records Act 2001 (VIC) | Health Records Act 2001 (VIC) |
| QLD | Administrative Scheme | Privacy Act 1988 (Cth) |
| WA | Information Privacy Bill before the Western Australian Parliament | Privacy Act 1988 (Cth); Information Privacy Bill before the Western Australian Parliament |
| South Australia | Administrative Scheme | Privacy Act 1988 (Cth) |
| TAS | Personal Information Protection Act 2004 (TAS) | Privacy Act 1988 (Cth) |
| ACT | Health Records (Privacy and Access) Act 1997 (ACT); Privacy Act 1988 (Cth) | Health Records (Privacy and Access) Act 1997 (ACT); Privacy Act 1988 (Cth) |
| NT | Information Act 2002 (NT) | Privacy Act 1988 (Cth) |

Table 1: Privacy legislation regulating the handling of health information

The Privacy Act 1988 contains 11 IPPs that apply to Australian government agencies and 10 NPPs for the private sector. There is no distinction between the protection of personal information and the protection of health information in the Privacy Act 1988; it applies to both. The two sets of privacy principles share many similarities, but there are sections which are inconsistent and unclear.
The Act applies to the handling of personal information by health service providers and by private sector organisations that earn more than $3 million annually.
2. E-health - Electronic health records
Traditionally, health information has been collected and stored in paper form in many locations, such as GP records, hospital records and medical specialist records. Now, however, those records are increasingly collected, transferred and stored in electronic form in central databases such as the Medicare database and cancer registers. There is also a trend towards moving and integrating electronic health information systems to create shared electronic records, which gives health service providers, regardless of their location, better access to health information. On one hand this brings better outcomes for customers, but it also raises privacy issues.
PCEHR - Personally Controlled Electronic Health Records
A PCEHR is a secure electronic summary of a person's medical history that is stored and shared in a "network of connected systems". It is currently distributed across a wide range of locations including general practices, hospitals, imaging centres, specialists and allied health practices. The PCEHR system has a range of security measures to protect patient information during registration and use, and to ensure that the correct patient is correctly identified.
It is an opt-in system, with both doctors and patients having a choice whether to sign up. It was launched on 1 October 2012.
As at 10 July 2013, there were 3723 general and multidisciplinary practices registered in the PCEHR system, which NEHTA (the National E-Health Transition Authority) says covers an estimated 53 per cent of total general practices in Australia.
However, some information was revealed about a hacking incident that occurred while the system was being built by Accenture, because basic security procedures around firewalls and passwords were not followed.
UHI – Unique healthcare identifiers
A Unique healthcare identifier is a unique 16 digit number which makes sure the right health information is matched with the right individual. It is also used for unique identification of healthcare providers.
3. Hacking into health files in QLD
In December 2012, Eastern European cyber criminals demanded $4000 from a Gold Coast medical centre in exchange for patient health information. IT experts are warning that medical records being held for ransom and medical information theft are the fastest growing area of cybercrime in Australia. In 2012 alone, there were 11 similar offences in Queensland.
According to experts, hackers focus on small business computer servers, encrypting and locking customers' data and refusing to unlock it until a ransom is paid. It seems medical practices are the latest target, as their presence in cyberspace grows as a result of e-health.
Records from the US reveal a very high number: almost 21 million Americans (10% of the population) had their electronic records stolen or lost between 2009 and 2012. This causes a lot of concern. Even though there are no Australian figures available, there are concerns that Australia is following in the footsteps of the US.
Cyber-attacks have a huge effect on medical centres. Recovery is very costly and time-consuming, involving an endless amount of paperwork, faxing reports through, x-rays, pathology and providing information from previous consultations. Medical centres usually have to purchase a new server, and every piece of information must be manually processed. The average cost of a data breach reported by Australian organisations has steadily risen, reaching 2.16 million in 2011.
The ransom is one way for hackers to make money; however, the sale of the patients' personal information is possibly even more valuable. A medical file can sell for $50 on the black market. If you take into account the compromised American data, it is already a $10.5 billion industry. This could have very serious consequences for the PCEHR, which enables doctors to share patient information with other medical bodies and enables patients to access their own files remotely from their own computers.
There is no doubt that the PCEHR databases themselves are completely secure. However, what we have already seen through the ransomware hacking incidents is that the medical centres were not secure.
Organisations holding data need to have security in place. Experts say that not enough work is being done to educate medical services to have good technology and IT security practices in place. Some surgeries are still running Microsoft Office 2000 and are not protected.
The hackers usually attempt to socially engineer staff to gain access to networks. They might send links to an individual's Facebook page that the person is likely to open, in which they have hidden a keylogger (malware designed to capture passwords and login credentials).
This type of cybercrime is largely unreported in Australia, mainly because there is no legislation compelling any organisation to report it. There is no guarantee that the crime will not occur again, or that the records are reliable after the hacking attack.
Recommendations for medical centres:
They should conduct a security assessment of their practice and of the security of their equipment, and develop a culture among their staff of understanding cyber threats.
4. Privacy of genetic information
The trouble with genetic information is it doesn’t just affect the person who is its source; it also provides information about that person’s relatives – past, present, and future. Any decision about the collection, use, and dissemination of an individual’s genetic information may have consequences for relatives who haven’t agreed to share the information and aren’t aware that sharing has taken place.
In December 2010 Public Interest Determination 11A was issued under the national Privacy Act. Under this determination, it became lawful for a doctor to contact a patient’s relatives, without consent, and advise them of the consequences of the patient’s genetic condition. The doctor must reasonably believe the information is necessary to enable reduction or prevention of a “serious threat to the life, health, or safety of the relative”.
This determination erodes the concept of doctor-patient confidentiality. If a patient’s condition has a genetic component, it effectively permits a doctor to ignore the patient’s wishes and advise relatives of the condition. This may (or may not) benefit the relative but it ignores the patient’s right to privacy.
Recreational genetics involves direct-to-consumer (DTC) genetic tests. Consumers send a DNA sample, usually a mouth swab, directly to a laboratory which runs a battery of predictive DNA tests. The consumers pay for that testing and receive a profile indicating their relative risk of developing certain diseases. The results are often misunderstood.
The right not to know has been described as the right people should have to be protected from information that their own bodies can yield, based on the ethical principle of respect for autonomy.

5. Biometric information privacy
Biometric information is any data that can be used to biometrically identify an individual. This data includes, but is not limited to, images, sounds, and chemical or geometric properties. It also includes any information that is derived from these raw acquired biometrics.
The possible health related nature of biometric information is one thing that makes its use controversial. There is a concern that it might be possible to analyse and extract health information from biometric information. It raises a question whether biometric information should be regarded as health information.
The growing importance of identity management and the spreading use of biometric technology bring a lot of discussion about the legal regulation of personal information and reasonable limits of privacy.
Privacy concerns about biometrics are connected with the Australian e-passport, the SmartGate scheme, facial recognition at Australian airports and the introduction of biometric information in smart cards. The e-passport has an embedded microchip which stores the holder's digitised photograph, name, gender, date of birth, nationality, passport number and passport expiry date. The e-passport was introduced in order to expand the SmartGate scheme, along with the introduction of biometric databases by immigration authorities.

6. Privacy law reform – Impacts on health industry
The recent extortion attempts by hackers against general practices in Queensland have brought into focus the effect that the new privacy laws will have on the healthcare sector, with particular consequences for data security.
The Privacy Amendment (Enhancing Privacy Protection) Bill 2012
It will come into effect in March 2014.
The new privacy laws bring together the former IPPs (which covered the public sector) and the National Privacy Principles (covering the private sector) into one set of 13 Australian Privacy Principles.
The Australian Privacy Commissioner will have substantially enhanced powers to enforce the law and exact penalties for any breaches. This includes penalties of up to $1.1 million if a company commits a serious interference with a person's privacy.
The new amendment will also introduce mandatory data breach notification rules. This means that all organisations should review their privacy policies now, as they will be required to have a written privacy statement. It may also affect some business decisions being made now, such as whether to store personal information offshore. Organisations should also look at boosting their IT security arrangements to ensure privacy breaches do not occur.
The new laws will also require companies to explain to customers how they can complain about a breach of privacy and how the organisation will deal with privacy complaints.
Organisations must also specify whether they are likely to disclose personal information to recipients overseas, which has implications for organisations using an offshore data centre or cloud computing provider for data storage. It also has implications for the transmission of information within Australia, particularly by email.
The new principles also have ramifications for medical records. An organisation must include in its privacy policy how customers can seek access to their personal information and how they can correct that information if they wish to do so.
The Queensland hacking cases should be a warning sign to general practices that they need to improve their security. It is a mistake to assume that the data has only been encrypted and not stolen. This could close down businesses that do not take it seriously.
Small general practices are the most vulnerable to data breaches and should take out cyber security insurance. The biggest problem is the transmission of sensitive patient information via email by GPs, which the new privacy legislation forbids. Gmail, for example, is hosted in the cloud, but Google's servers are located throughout the world, not here in Australia.
It is not just Gmail: the server administrator of any email system can see the contents of an email.
The new civil penalties will motivate businesses to put together privacy impact assessments. This, coupled with security technology and cyber security insurance, gives good coverage for doing enough to protect the privacy of health information.

The use and protection of customers' private information by businesses

Purposes for which businesses collect customer personal information
Businesses frequently collect and analyze personal information in order to maximize profits by building closer relationships between customers and their products.
For example:
• to tailor their product to meet the specific needs of their customers, which could help to achieve the objective of price discrimination;
• to deliver the product to their customers at the correct address;
• to regularly send marketing materials such as promotion notices; and
• to ascertain individual preferences in order to engage in more effective marketing.
Personal information about individuals therefore has commercial value for companies' business activities.
However, when dealing with an individual's personal information, the business must comply with its obligation to protect the individual's privacy.
Small business and small business operators
The Privacy Act 1988 originally applied only to the handling of personal information by Commonwealth government departments. Now, under section 6D, which deals with small businesses and small business operators, it applies to any business with an annual turnover of more than $3 million, including non-profit organisations. If a business has an annual turnover of $3 million or less, it is exempted from the Act unless the business satisfies one of the following conditions:
• The business is related to another business that has an annual turnover of more than $3 million;
• The business provides a health service and holds health records;
• The business discloses personal information for a benefit, service or advantage;
• The business provides someone else with a benefit, service or advantage in order to collect personal information; or
• The business is a contracted service provider to the Commonwealth.

Exemptions from the operation of the Privacy Act include (section 7B):
• The journalism activities of media organisations; and
• An act done by an employer that is directly related to a current or former employment relationship between the employer and the individual, or to an employee record held by the organisation and relating to the individual.

Under section18BB, if a business is covered by the legislation it must choose to be bound by either a privacy code approved by the Privacy Commissioner, or the National Privacy Principles, i.e. NPPs, which set out in the Privacy Act.
Definition of interference with privacy: Part 3, Division 1, section 13A
General rule of interferences with privacy by organisations:
For the purposes of this Act, an act or practice of an organisation is an interference with the privacy of an individual if any of the following applies:
1. The act or practice breaches an approved privacy code that binds the organisation in relation to personal information that relates to the individual;
2. Both of the following apply:
2.1 The act or practice breaches a National Privacy Principle in relation to personal information that relates to the individual;
2.2 The organisation is not bound by an approved privacy code in relation to the personal information;
3. All of the following apply:
3.1 The act or practice relates to personal information that relates to the individual;
3.2 The organisation is a contracted service provider for a Commonwealth contract (whether or not the organisation is a party to the contract);
3.3 Because of a provision of the contract that is inconsistent with an approved privacy code or a National Privacy Principle that applies to the organisation in relation to the personal information, the act or practice does not breach the code or Principle (see subsections 6A(2) and 6B(2));
3.4 The act is done, or the practice is engaged in, in a manner contrary to, or inconsistent with, that provision;
4. The act or practice involves the organisation in a contravention of section 16F (which limits direct marketing using information collected under a Commonwealth contract) involving personal information that relates to the individual.
The consequences of a business failing to comply with its privacy obligations
Because a business can choose which instrument binds it, the consequences differ accordingly.
Subject to subsection (1A), if an individual complains to the Office of the Privacy Commissioner that a business has breached the NPPs, in most cases the individual and the business are first given the chance to resolve the complaint between themselves. If they cannot, the Office conciliates the complaint by letters, phone calls or face-to-face meetings. As a last resort, the Privacy Commissioner can make a formal determination dismissing the complaint, or find the complaint substantiated and make a determination (section 52). If the business does not comply with the determination, either the Commissioner or the individual can seek to have it enforced by the Federal Court of Australia (section 62(1)).
Under section 40(1)(a), apart from acting on information received through a complaint, the Commissioner can also investigate a business where an act or practice of the business is found to breach privacy law.
If the business has decided to be bound by an approved privacy code, it is the privacy code adjudicator who receives the complaint from the individual (section 18BI). The adjudicator or the individual can seek to have a determination enforced by the Federal Court. Under section 18BH, the Commissioner has the power to review a complaint heard by the adjudicator.
If a business is found to have failed to comply with its own stated privacy policy, it risks being sued for misleading and deceptive conduct (section 55A).

Preventative measures to avoid unanticipated disclosure
Case Study:
On 9 December 2011, Telstra was alleged to have breached the Privacy Act by making a web-based customer management tool containing customer information publicly available on its website. The Australian Privacy Commissioner immediately opened an investigation into the allegation.
A Visibility Tool used to track orders for bundled products was found to be accessible externally and not protected by the firewall, exposing the details of 734,999 customers publicly. Anyone who accessed the Visibility Tool could search by a customer's last name, account name, order ID or reference number.
Telstra's own investigation traced the incident to a number of key events:
• A series of errors occurred from the initial deployment of the Telstra Bundles product through to the roll-out of the Visibility Tool;
• A software restoration undertaken in October 2011 inadvertently restored incorrect software settings, removing the pass-through authentication mechanism, with the result that the URL was publicly accessible by December 2011.
In response to the incident, Telstra took a series of actions and remedies to protect the security of customers' personal information and to minimise customer inconvenience. Nevertheless, the Commissioner held that Telstra had breached the Privacy Act by failing to meet the requirements set out in the law.
The Commissioner's investigation focused on whether the incident was an "unauthorised disclosure" of personal information and therefore whether the handling of personal information under the Telstra Bundles project was consistent with the Privacy Act. The Commissioner concluded that specific errors made by Telstra staff led to the Visibility Tool being publicly accessible. The external accessibility of customers' personal information was an unauthorised disclosure and therefore a breach of NPP 2.1 (use and disclosure), since the disclosure resulted not from a one-off human error but from a series of errors that revealed significant weaknesses in Telstra's reporting, monitoring and accountability systems.
The Commissioner also found a breach of NPP 4.1 (data security): having reviewed the security safeguards Telstra had in place before and after the incident, the Commissioner concluded that Telstra had not taken reasonable steps to protect customers' personal information from unauthorised access and disclosure.
Apart from complying with laws and regulations, there are several measures a business can take to keep customers' private information secure and prevent interference with it.
• Conduct an internal audit. A business should conduct an internal audit to understand what data it collects, how it uses that data, with whom it shares it, how the data is protected, and related issues.
• Develop a privacy policy. Once the company's plans and practices for collecting and using customer information are clear, they should be communicated through a well-built privacy policy, so that customers are informed of the purposes for which their information is used and of the third parties likely to have access to it.
• Set up provisions for a contingent disclosure event. A business should plan ahead and be prepared for such events, so that the inconvenience to customers is kept to a minimum. Furthermore, situations such as being compelled by government to hand over client data are likely to arise in the future; understanding this lets an organisation draft its privacy policy more effectively and accurately, for example by avoiding a strong privacy promise that would conflict with government demands.

Business use of personal information for profit without infringement
As discussed in the previous section, businesses collect personal information about potential customers in order to achieve a better market position, and customers also hand over their information, often without thinking about it, in order to use a product or service. However, information held by a company is not always safe and secure. The extent to which a business may use personal details is therefore a notable issue.

Related case
In 2003, Telstra sold customers' information to a debt collection agency, Alliance Factoring, for a small fraction of its dollar value, and Alliance then set about finding the people who owed the money and recovering it. In the process, Alliance reported a number of individuals to a credit reporting agency, including listings that should never have been made. As a result, those customers were left with bad credit records and their ability to obtain bank loans was limited. A spokesman for Alliance later stated that some of the files received from Telstra already contained inaccurate information. Although selling bad debts between organisations is common commercial practice, the personal information involved in such a transfer still needs protection. Telstra's conduct breached customers' privacy under NPP 2.1 and NPP 3, i.e. use and disclosure, and data quality.
Organisations have an obligation to protect customers' personal details against inappropriate use. When a business needs to make use of customers' personal information, the most effective approach is always to ask for the customers' consent before or at the time of collection, and again whenever a new use is identified. Obtaining consent is also a good opportunity to confirm with customers that the information held so far is up to date; by doing this, both the business and the individual can avoid unnecessary losses.
According to section 6 (interpretation), consent can be given in two ways, express or implied. For information that is particularly sensitive, such as banking details used for a credit check, a business should explain clearly and obtain express consent from the customer when collecting the information and when disclosing it to another company.
Implied consent usually arises when customers obviously know what the business is going to do with their details. For example, when a customer pays by card, they consent to the business recording their card number and passing it on to the bank.

Internet Data Privacy

The era of electronic tracking, big data mining and targeted advertising:
Less than 5 years ago, the general population was only connected to the internet at work or at home using a PC. However, with the introduction and rapid take-up of smart mobile devices, more people are connected to the internet wherever they go, for the entire day. This has triggered an exponential growth in the personal data being generated and collected. According to IBM's research, 90% of the world's data was generated within the past two years. SAP has found that over 98% of data is stored electronically.
A large proportion of internet users are either unaware of, or unconcerned about, being tracked and monitored electronically as they carry out their daily activities. People are willing to trade their private information for the convenience of using tech services for free, and the companies offering these services take advantage of Australia's outdated privacy laws. This allows companies such as Google and Facebook to collect and compile non-sensitive information and cross-reference the data obtained from their wide range of services to create an extremely comprehensive online profile of each user, without breaching any privacy laws. These companies then target those users with advertising closely matched to their online profile.
Types of non-sensitive, non-personal data being collected:
Website cookies:
Small text files that store user settings and passwords for every website the user visits. Browsers such as Chrome, and social media sites such as Facebook, use tracking cookies to monitor the user's browsing activity online. This allows advertisers to construct a profile of the user's interests and preferences, which is then used to display advertisements targeting those interests. Cookies can be deleted, and a user can opt to disable cookies when visiting a website.
Internet Protocol address (IP address):
A unique number assigned to a computing device to enable communication between devices across the internet. A computer's IP address is publicly available; it reveals the user's ISP, the type of internet connection, and geographic information down to the country, state and suburb. The user's exact street address is not disclosed.
Wi-Fi MAC address:
Media access control address, a unique code for computer and mobile devices that is fixed and cannot be changed.
GPS location:
Particularly significant for mobile phone users. Applications installed on a smartphone can track the user's location and relay it back to the application developer.
Web search preferences:
Google stores the search queries entered in its search engine and online stores, and builds a list of the user's preferences and hobbies.
Metadata:
Data about data: for example, the date, time, location and the type of device used to send an email or post a message on Twitter are metadata. The content of the message itself is not recorded. A person's sensitive data can nonetheless be re-identified once their behaviour pattern has been repeated for a sufficient length of time.
Social media company Twitter has published a diagram explaining the metadata generated and collected from each post sent by its users.

Google and its influence on the digital age:
There exists an enormous ocean of non-personal information for companies to collect and analyse so that they can create a digital profile of each individual to suit their needs. Currently one of the largest data mining companies is Google. When Google's servers went offline for 2 minutes in August this year, global internet traffic fell by 40%. In addition, Google has an 80% share of the global smartphone market, and a 65% share of the Australian market.
In an interview with The Atlantic, former Google CEO Eric Schmidt was asked how far the company would go to analyse its users' behaviour and profiles. He replied: "With your permission, you give us more information about you, about your friends, and we can improve the quality of our searches. We don't need you to type at all. We know where you are. We know where you've been. We can more or less know what you're thinking about."
At the 2010 Techonomy conference, Schmidt told attendees that
"if I look at enough of your messaging and your location, and use artificial intelligence, we can predict where you are going to go."
From the quotes above, Schmidt implies that Google has the programming capability to model a person's behaviour pattern and predict their thoughts by gathering non-sensitive information about the user. Currently the Privacy Act does not provide guidelines for companies that collect and analyse this type of information.
Building of a data empire:
At the start of 2012, Google combined the previously separate privacy policies of its various products and services into one privacy policy. Google claimed this was a step to simplify its various privacy policies, not an attempt to increase the collection of information about its users. However, it also removed the data separation between its services and allowed the massive amount of data to be shared and linked to form a more comprehensive profile of the user.

Direct collection of sensitive and personal data:
As mentioned in the previous section, Google has to comply with the Australian Privacy Act.
Case study:
Google Street View vehicles collected payload data from unsecured Wi-Fi connections. Google argued that since the information was available to the general public it should not be considered private information; however, the OAIC disagreed and found that Google had breached the Australian Privacy Act.
Data transmission:
Data transferred over the internet is broken up into sections, or "packets". A packet consists of control information and the user data, or payload. The control information contains the source and destination network addresses needed for the user data to be delivered.
Street View data collection:
Google launched its Street View mapping project in May 2010. The fleet of cars was equipped with cameras capturing photos along their designated routes. However, the cars were also equipped with devices running a software program that allowed them to record payload data from unsecured Wi-Fi network connections within range. Such data may contain usernames, passwords and other sensitive and personally identifiable information.
The software included a program called gslite, which works in conjunction with Kismet, an open-source network packet sniffing program. Kismet detects and captures wireless network traffic, identifying and storing information including MAC addresses and wireless router names. Each record is tagged with the location derived from the geographic coordinates obtained from the vehicle's GPS unit. gslite captures and stores header information for both encrypted and unencrypted wireless networks, but it does not analyse the payload portion of the data packets. It scans all network traffic, discards payload data transmitted over encrypted wireless networks, and automatically stores the payload packets transmitted over unencrypted networks. According to Google, the company had no intention of analysing this payload data.
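The packet structure and the gslite behaviour described above can be made concrete with a small parser. The following Python is an added example, not Google's gslite or Kismet code: it separates an 802.11 frame's control information (header) from its payload, reads the Protected Frame bit that distinguished encrypted from unencrypted networks, and applies the data-minimising policy a survey tool should have used, retaining only header-derived fields (BSSID, frame type, SSID, channel) and discarding the payload whether or not the frame was encrypted. The frames, MAC addresses and SSID are constructed for the example.

```python
"""Header-only retention for captured 802.11 frames.

Added example, not Google's gslite/Kismet code. Every frame, address and SSID is constructed.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"
TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}
BEACON_SUBTYPE = 8
SSID_ELEMENT_ID = 0      # information element carrying the network name
DS_PARAM_ELEMENT_ID = 3  # information element carrying the channel number


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Decode the frame control field and address block; leave the body uninterpreted."""
    if len(frame) < 24:
        raise ValueError("frame shorter than the 24-byte 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)  # Protected Frame bit: the body is encrypted
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    header_len = 24
    if to_ds and from_ds:
        header_len += 6  # Addr4 is present on frames relayed between APs
    if ftype == 2 and subtype & 0x08:
        header_len += 2  # QoS control field on QoS data subtypes
    # The BSSID sits in a different address slot depending on the To/From DS bits.
    if from_ds and not to_ds:
        bssid = addr2
    elif to_ds and not from_ds:
        bssid = addr1
    elif not to_ds and not from_ds:
        bssid = addr3
    else:
        bssid = None  # four-address frame: no single BSSID in the first three slots
    return {"type": TYPE_NAMES[ftype], "subtype": subtype, "protected": protected,
            "bssid": _mac(bssid) if bssid else None, "body": frame[header_len:]}


def beacon_elements(body: bytes) -> dict:
    """Read SSID and channel from a beacon body: 12 fixed bytes, then tagged elements."""
    info = {"ssid": None, "channel": None}
    pos = 12
    while pos + 2 <= len(body):
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + elen]
        if len(value) < elen:
            break  # truncated element: stop rather than over-read
        if eid == SSID_ELEMENT_ID:
            info["ssid"] = value.decode("utf-8", errors="replace")
        elif eid == DS_PARAM_ELEMENT_ID and elen == 1:
            info["channel"] = value[0]
        pos += 2 + elen
    return info


def minimised_record(parsed: dict) -> dict:
    """Retain only what a network survey needs; never the body of a data frame."""
    record = {"bssid": parsed["bssid"], "type": parsed["type"], "protected": parsed["protected"]}
    if parsed["type"] == "management" and parsed["subtype"] == BEACON_SUBTYPE:
        record.update(beacon_elements(parsed["body"]))
    return record


def record_is_payload_free(record: dict, frame: bytes) -> bool:
    """Pre-storage check: no body field, and no 8-byte run of body bytes, survives in the record."""
    body = parse_frame(frame)["body"]
    blob = repr(record).encode()
    windows = (body[i:i + 8] for i in range(max(1, len(body) - 7)))
    return "body" not in record and (not body or not any(w in blob for w in windows))


def survey(frames: list) -> list:
    """Apply the retention policy to a batch of frames, refusing to store any leak."""
    records = []
    for frame in frames:
        record = minimised_record(parse_frame(frame))
        if not record_is_payload_free(record, frame):
            raise RuntimeError("retention policy violated; refusing to store record")
        records.append(record)
    return records


# Constructed sample frames using locally administered (02:...) MAC addresses.
def _frame(fc: bytes, a1: str, a2: str, a3: str, body: bytes) -> bytes:
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    return fc + b"\x00\x00" + mac(a1) + mac(a2) + mac(a3) + b"\x00\x00" + body

AP, STATION, HOST = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"
# Beacon (type 0, subtype 8): 8-byte timestamp, interval 100 and capability ESS (little-endian),
# then SSID "TestNet" and channel 6.
BEACON = _frame(b"\x80\x00", BROADCAST, AP, AP,
                b"\x00" * 8 + b"\x64\x00\x01\x00"
                + bytes([SSID_ELEMENT_ID, 7]) + b"TestNet" + bytes([DS_PARAM_ELEMENT_ID, 1, 6]))
# Unprotected data frame AP -> station (From DS set) carrying a constructed credential.
CLEAR_DATA = _frame(b"\x08\x02", STATION, AP, HOST,
                    b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"user=alice&pass=example-secret")
# Same path with the Protected Frame bit set; the body is opaque ciphertext.
PROTECTED_DATA = _frame(b"\x08\x42", STATION, AP, HOST, bytes(range(40, 72)))
```

`survey([BEACON, CLEAR_DATA, PROTECTED_DATA])` yields three records, none of which contains the constructed credential; the check in `record_is_payload_free` is the kind of safeguard that would have caught a payload-retaining build before anything was written to disk.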

Google maintained that this code was accidentally incorporated into the Street View software, that the project manager was unaware of its existence, and that Google had neither viewed nor used the sensitive information. However, Google did transfer the data back to its storage facility in the United States.
Under the authority given by section 40(2) of the Privacy Act, the Australian Privacy Commissioner launched an investigation into Google's conduct. Google was found to have breached the Australian Privacy Act by collecting personal information without consent.
The Commissioner did not have the authority to impose penalties on Google under the Privacy Act; instead, the Commissioner's options were limited to making legally enforceable determinations directing Google to resolve the issue:
• Publish an apology to Australians in Google's official Australia blog.
• Undertake to conduct a Privacy Impact Assessment (PIA) on any new Street View data collection activities in Australia that include personal information.
• Provide a copy of these PIAs to my Office.
• Regularly consult with the Australian Privacy Commissioner about personal data collection activities arising from significant product launches in Australia.
In addition, Google was instructed by the Commissioner to destroy the data immediately if it was lawful to do so.
Under the Privacy Act, Schedule 3, National Privacy Principle 4.2:
"An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under NPP 2."
On 4 May 2011, Google published on the Official Google Australia Blog its Privacy Impact Assessment for Street View in Australia, as requested by the OAIC. Google stated:
"Our ultimate goal was to delete the payload data. We can report that this was completed in February under independent supervision."
However, in July 2012, the OAIC was informed by Google that the statement made in the privacy impact assessment was inaccurate, as Google still held a portion of the sensitive information. On the OAIC's instruction, Google hired an independent digital forensics firm, Stroz Friedberg, to assist with and verify the "irretrievable destruction of all data, including all 802.11 wireless Data Frames, from 21 hard drives that were identified by Google as having been used in Australia by Google Street View vehicles running the gstumbler program." (Correspondence: Stroz Friedberg letter to Google, 8/8/2012). The OAIC sought further reassurance from Google by requesting the company to conduct an audit to ensure all of the data had been deleted and destroyed.
The result of the audit was reported to the Australian Privacy Commissioner on 9/10/2012. Two additional disks containing Wi-Fi information were discovered. The Commissioner expressed his concern about Google's privacy policy and security procedures after further data was discovered despite Google's two previous confirmations that all data relating to the issue had been destroyed. On 19/11/2012, Stroz Friedberg confirmed to Google that the remaining two disks had been overwritten in their entirety and physically destroyed.
Following the investigation of the Street View incident, the OAIC increased its scrutiny of Google's overall privacy policy for its expanding range of services. On 23/2/2013, the Privacy Commissioner made several recommendations to Google in order to improve the transparency and consistency of the following:
• Google Privacy Policy
• Google Play Terms of Service
• Google Wallet terms of service, product disclosure statement, privacy notice.
Section 2.B of the Google Wallet Product Disclosure Statement states that when a customer makes a payment via Google Wallet, Google will:
• process payment transactions on behalf of a Buyer, avoiding the need for a Seller to have access to your personal and financial details
However, Google has admitted to the OAIC that this statement is not accurate, because personal information about the purchaser is disclosed to the product seller or service provider.

The OAIC found that the wording of the Google Play terms of service and the Google Wallet privacy notice was vague and potentially misleading. It recommended that Google amend these policies to use more explicit wording informing customers that their personal details are routinely disclosed to third-party product providers.

Google Gmail scanning:

Google is currently facing a class action in the USA for breaching privacy laws because the company actively scans incoming and outgoing emails on its Gmail service for keywords to create a more accurate digital profile of the user. Google did not disclose this practice in its consolidated privacy statement. California District Judge Koh noted that Google's privacy policy does not specify that Google scans Gmail content when it describes the type of information it collects. Google attorney Whitty Somvichian replied that because the company is attempting to have a single privacy policy for all of its services, it did not separately reference every single product. He said it is "inconceivable that someone using a Gmail account would not be aware that the information in their email would be known to Google".

This issue was raised with the current Privacy Commissioner, Timothy Pilgrim, on the 7.30 Report on 04/09/2013. The official response was that the OAIC will put in place more stringent requirements for companies and organisations to disclose their data collection methods and the type of personal information they acquire from users.

Google Glass
Google Glass is a new type of gadget that combines a camera, a GPS unit and internet access in one wearable device. The OAIC, along with privacy agencies from Canada, the European Union and Mexico, submitted a joint letter to Google regarding their concerns about the potential breaches of privacy laws that could arise from Google Glass users. The privacy agencies stated that Google did not consult them during the development of the product. Google has already applied for patents that enable the glasses to track the user's eye movement, so that it can identify the object the user is looking at. The glasses can gauge the type of emotional response to objects by monitoring the level of pupil dilation. This has serious implications for the protection of individual privacy, because the device has the potential to collect and analyse an individual's emotional data.

Future expansion of the Australian Privacy Act:
The OAIC is aware of the current limitations of the law in this area, and the current Information Privacy Principles and National Privacy Principles are planned to be replaced with the Australian Privacy Principles. These new principles are designed to expand on the current set of laws in order to improve the transparency of how businesses handle customers' personal information.
Companies are encouraged to build privacy protection measures into every stage of business planning. In recognition of the growing concern over online data tracking and aggregation, APP 7 was created to address direct marketing, which was not covered previously. However, these new principles do not give users the legal right to require a company to fully disclose the complete details it has gathered about them.

Currently Google is still involved in a Street View court case with the US Federal government over wiretapping, even after the company agreed to pay a $7 million fine and destroy all the user information it collected from Street View vehicles. The company also received a 300,000 euro fine from France's CNIL for its lack of transparency in dealing with user data collected from YouTube, Gmail and its search engine. Similar court cases are taking place in Spain, Germany, Britain, Italy and the Netherlands.
By comparison, the Australian Privacy Act is relatively lenient. Google received no fine, only a warning and a set of instructions to follow. Even after the company was found to have falsely declared that all personal data had been destroyed, the OAIC took no further action because of the current limitations of the law. However, this will change from March 2014: organisations subject to the amended Privacy Act could face penalties of up to $340,000 for individuals and $1.7 million for corporations. These are the maximum civil penalties the Privacy Commissioner will be able to impose on organisations for serious or repeated violations of the Australian Privacy Principles.

Individual privacy vs. National security

The Australian Intelligence Community structure and brief history

The agencies represented on the National Intelligence Coordination Committee (NICC) make up the National Intelligence Community. The Heads of Intelligence Agencies Meeting (HIAM) brings together a sub-group of the national intelligence community comprising ONA, ASIS, ASIO, DSD, DIO and DIGO to consider issues relating specifically to Australia’s foreign intelligence activities. This sub-group forms the Australian Intelligence Community (AIC).

Australia's intelligence effort started in the lead-up to the First World War, when it emphasised counter-espionage. During the Second World War, the first parts of what became today's AIC sigint organisation were formed to support US and Australian forces in the Pacific. The Defence Signals Bureau (now known as the Defence Signals Directorate, DSD) formally came into existence in 1947. Today DSD has two principal functions: to collect and report on foreign communications in support of Australia's national and defence interests; and to act as the national authority on the security of information on communications and information systems across government.

Following the Second World War, the sigint focus was on Soviet communications. Concern about Australia's own security led to the establishment of the Australian Security Intelligence Organisation (ASIO) in 1949. Its immediate purpose was to pursue Russian spies.

The Australian Secret Intelligence Service (ASIS) was formed in the Department of Defence in 1952. It was modelled on its British counterpart (MI6) and focused on collecting humint and conducting operations in peacetime. It was in 1954 that responsibility for ASIS shifted to what we now call the Foreign Minister, but it wasn't until 1977 that the existence of ASIS was publicly acknowledged.

The AIC includes two assessment agencies. From the time of the Second World War the Department of Defence had an intelligence assessment arm. Following the war, it became the Joint Intelligence Bureau and then, in 1970, the Joint Intelligence Organisation; today we know it as the Defence Intelligence Organisation (DIO). It is the government's primary source of analytical expertise on weapons of mass destruction, military capabilities, defence economics and global military trends.
The Office of National Assessments (ONA) was established as an independent agency in 1978. It provides all-source assessments on international political, strategic and economic developments to the Prime Minister and senior ministers in the National Security Committee of Cabinet. It draws its information from other intelligence agencies, as well as diplomatic reporting, information and reporting from other government agencies, and open source material. It is also responsible for coordinating and evaluating Australia's foreign intelligence activities. It does this to ensure that the AIC can properly meet the intelligence needs of government.

The newest member of the AIC is the Defence Imagery and Geospatial Organisation (DIGO). Imagery intelligence had existed since 1964 as an integrated part of DIO. As the importance of imagery increased, DIGO was formed in 2000. It provides digital and hardcopy maps and tailored imagery and geospatial products for incorporation into Geographic Information Systems. It has also established mapping programs with a range of regional countries.

The ASIO and ASIS comparative description

The primary responsibility of all the members of the AIC is to collect and assess foreign intelligence. ASIS and ASIO have in common the fact that they both collect intelligence from human sources and are both members of the Australian Intelligence Community. However, there are substantial differences between the two agencies, set out in the comparison below.

Mission
ASIO: Identify and investigate threats to security and provide advice to protect Australia, its people and its interests.
ASIS: Protect and promote Australia's vital interests through the provision of unique foreign intelligence services as directed by Government.

Main responsibilities
ASIO:
• collect, analyse and report intelligence on threats to Australia's security;
• detect the intentions and activities of terrorists, people who seek to act violently for political reasons and people who seek to clandestinely obtain sensitive Australian information;
• provide security assessments and protective security advice. For example, ASIO conducts security assessments on people holding or seeking national security clearances; on some people wanting to enter or stay in Australia; and on people who want access to sensitive areas or goods, such as air and maritime port restricted zones. Protective security advice is provided to government agencies;
• cooperate closely with law enforcement agencies when there is a criminal link. However, ASIO is not a law enforcement body and has no powers of arrest.
ASIS:
• collect foreign intelligence, not available by other means, which may impact on Australia's interests;
• distribute that intelligence to the Government, including key policy departments and agencies;
• undertake counter-intelligence activities which protect Australia's interests and initiatives; and
• engage other intelligence and security services overseas in Australia's national interests.

Geographical limitation
ASIO: Limited by functions, not by geography.
ASIS: Foreign intelligence.

Accountability framework
ASIO: ASIO Act 1979.
ASIS: The Intelligence Services Act 2001.

Additional legislation
ASIO:
• The Intelligence Services Act 2001
• The Telecommunications (Interception and Access) Act 1979
• The Inspector-General of Intelligence and Security Act 1986
• Attorney-General's Guidelines
ASIS:
• Financial Management and Accountability Act 1997
• Crimes Act 1914
• Archives Act 1983
• Commonwealth Authorities and Companies Act 1997

ASIO's balance between personal privacy rights and the collective right to security
As ASIO is the only agency in the Australian intelligence community authorised in the course of its normal duties to undertake investigations into, and collect intelligence on the activities of Australian citizens, it operates within a particularly stringent oversight and accountability framework.
The foundation of this framework is the ASIO Act, which has been crafted to ensure an appropriate balance between individual rights and the public's collective right to security. Specifically, Part III of the ASIO Act describes the functions and powers of the Organisation.

First of all, section 18 states that the communication of intelligence on behalf of the Organisation may be made only by the Director-General, or by a person acting within the limits of authority conferred on that person by the Director-General. If a person communicates any information or matter that has come to his or her knowledge, or into his or her possession, by reason of having entered into any contract, agreement or arrangement with the Organisation, that person is guilty of the offence of unauthorised communication of information, and the penalty is imprisonment for 2 years.

ASIO does not collect intelligence on particular groups or individuals unless there is a security-related reason to do so; it is behaviour and activity that determine ASIO’s interest. Like other investigative agencies, ASIO is granted powers by legislation to collect intelligence under warrant. The criteria for warrants are strictly prescribed and complemented by the Attorney-General’s Guidelines.
The Guidelines require investigations to be conducted with as little intrusion into privacy as possible, consistent with the national interest. ASIO’s methods are determined by the gravity and immediacy of the threat to security posed by the subject. Where the threat is assessed as serious, or could emerge quickly, a greater degree of intrusion may be necessary. Use of more intrusive powers — which are governed by strict warrant procedures — requires that the subject’s activities are, or are reasonably suspected to be, prejudicial to security. The warrant can authorize the Organisation to:
• use listening devices (any instrument, device or equipment capable of being used, alone or in conjunction with any other instrument, device or equipment, to record or listen to words, images, sounds or signals);
• use a tracking device for the purpose of tracking a person or an object;
• access computers, equipment or devices (including remotely), and inspect, examine, convert and copy any data to which access has been obtained. Certain acts are not authorised, such as manipulating or deleting data;
• enter and search premises (including any land, place, vehicle, vessel or aircraft);
• conduct an ordinary search or a frisk search of a person, excluding a strip search or a search of a person’s body cavities; and
• examine postal articles.
There are also questioning and detention warrants, subject to very stringent criteria, for use in serious counter-terrorism matters. These special powers were conferred on the Organisation by inserting a new Part III Division 3, ‘Special powers relating to terrorism offences’, into the ASIO Act in 2003, after the 9/11 terrorist attacks in New York.
Also, amendments to the Australian Security Intelligence Organisation Act in 2010 introduced a new area of focus for the organisation, namely the investigation of people smuggling activities and other serious threats to Australia's territorial and border integrity. ASIO is now able to use its capabilities to support the whole-of-government effort in combating these threats.

Warrants are available only for a limited duration. For example, a warrant to enter premises must not remain in force for more than 90 days, and may state that it comes into force on a specified day (after the day of issue) or when a specified event happens; that day must not begin, nor the event happen, more than 28 days after the end of the day on which the warrant is issued. A computer access warrant, or a warrant for the use of listening or tracking devices, must also specify the period during which it is to remain in force, which must not exceed 6 months.
ASIO must seek agreement from the Attorney-General satisfying tests set out in the relevant legislation before a warrant will be issued. The Attorney-General’s approval is also sought before warrants can be renewed. ASIO’s warranted activities are regularly scrutinised by the Inspector-General of Intelligence and Security.

The US Central Intelligence and National Security Agencies

In accordance with the legislation, ASIO may cooperate with the agencies of other countries in order to carry out its functions. In this context, and with the approval of the Attorney-General, ASIO may communicate with the security and intelligence authorities of a range of countries.
One of them is the United States Intelligence Community (IC), a federation of 16 separate United States government agencies that work separately and together to conduct intelligence activities.

The Central Intelligence Agency (CIA) is the only independent U.S. intelligence agency; it reports to the Director of National Intelligence. The CIA operates around the world, using agents on the ground to relay information back to its central offices in Virginia. The CIA’s primary mission is to collect, analyse, evaluate, and disseminate foreign intelligence to assist the President and senior US government policymakers in making decisions relating to national security.
The result of this analytic effort is timely and objective assessments, free of any political bias, provided to senior US policymakers in the form of finished intelligence products that include written reports and oral briefings. One of these reports is the President’s Daily Brief (PDB), an Intelligence Community product, which the US president and other senior officials receive each day.
As a separate agency, the CIA serves as an independent source of analysis on topics of concern and also works closely with the other organizations in the Intelligence Community, including the NSA/CSS.

The National Security Agency (NSA) is one of the largest U.S. intelligence organizations in terms of personnel and budget, and the main producer and manager of signals intelligence for the United States. It is combined with the Central Security Service (CSS), and it is primarily a cryptologic organization. The NSA operates under the jurisdiction of the Department of Defense and reports to the Director of National Intelligence. It is probably the least known and most poorly understood government intelligence agency. The NSA has no authority to conduct human-source intelligence gathering; instead, NSA employees decrypt foreign intelligence, generate encryption keys to secure American information, and handle data processing for the United States government. In other words, the mission of the NSA is to break foreign intelligence codes while retaining the security of American information, which is accomplished through encryption, secured computer systems, and access control.

The NSA’s role in revealing private information

The NSA is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the internet age, according to documents newly disclosed by Edward Snowden.
The Washington Post and the Guardian reported that the NSA was obtaining logs of the internet activity and stored data of users of the nine biggest internet companies in the US, including Microsoft, Google, Apple and Facebook. According to the Washington Post, on a single day last year, the NSA's Special Source Operations branch collected 444,743 email address books from Yahoo!, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers.
At Microsoft, spokesman Nicole Miller said the company "does not provide any government with direct or unfettered access to our customers' data", adding that "we would have significant concerns if these allegations about government actions are true".
Facebook spokesman Jodi Seth said "we did not know and did not assist" in the NSA's interception of contact lists.
Also, the documents show that the agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data such as trade secrets and medical records, and automatically secures the emails, web searches, internet chats and phone calls of Americans and others around the world. Additionally, extracting private information enables analysts to track a person’s movements and contacts.
The full extent of the NSA's decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes (USA, Britain, Canada, Australia and New Zealand).
Australia's spy agency ASIO said it "would be inappropriate" for it to comment on the allegations concerning private companies or the security agency of another nation.

The NSA’s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of private emails or phone calls without a warrant. But it shows that the agency, which was sharply rebuked by a federal judge in 2011 for violating the rules and misleading the Foreign Intelligence Surveillance Court, cannot necessarily be limited by privacy laws. NSA rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyse its technical features.
Report Conclusion

Throughout the case studies on privacy issues, it is noticeable that although the Privacy Act has been in force for a long time, there is little case law clearly interpreting it. The reform of this Act also has many effects on credit reporting privacy; individuals should consider the strengths and weaknesses of this reform so that they can avoid harm in the use of their credit information.
Businesses are required by law to protect their customers’ personal information, and they must be more diligent in ensuring that their business practices do not breach any privacy laws.
The traditional way of recording and storing health data has been changing with technological development: new systems and software have been developed and incorporated into everyday processes. However, the legislation needs to be more specific in terms of regulating and protecting private health information.
It has been proven that online service companies can derive sensitive personal information from the general, non-sensitive information left behind by a user’s internet activities. Neither the current set nor the new set of privacy principles will make a significant impact on limiting the gathering of this non-sensitive information, and the penalties for breaches of these principles are still relatively weak compared with those of other developed countries.
There is a constant debate about the level of compromise between personal privacy and national security. The government has allowed intelligence agencies to obtain information outside the boundaries of the current privacy laws, which has caused great concern among the general public and corporations around the world.
The report has found cases of businesses and health care providers not being fully aware of their obligations to protect the private information of their customers, and has considered how the new reforms in 2014 may help to improve the level of privacy protection in this area. The report also explained the methods used by technology service providers and data mining companies to circumvent current and future laws. Finally, the report discussed the delicate balance between people's right to privacy and the need to provide national security.

References:
1. Office of the Australian Information Commissioner, Privacy Act, Australian Government, <http://www.oaic.gov.au/privacy/privacy-act/the-privacy-act>
2. Kavangah, John, 2012, “Tougher stand taken on credit files”, Sydney Morning Herald, 30 June 2012, <http://www.smh.com.au/money/borrowing/tougher-stand-taken-on-credit-files-20120629-217q4.html>
3. Office of the Australian Information Commissioner, Credit Reporting Code of Conduct, Australian Government, <http://www.oaic.gov.au/privacy/applying-privacy-law/legally-binding-privacy-guidelines-and-rules/credit-reporting-code-of-condu>
4. James, Nickolas, 2010, Business Law, 1st edition, John Wiley & Sons Australia.
5. Klosek, Jacqueline, 2007, How Business Can Protect Their Customers’ Privacy, viewed 29 September 2013.
6. Horniak, Virginia, 2004, Privacy of Communication: Ethics and Technology, Malardalen University, viewed 29 September 2013.
7. Knight, Ben, 2003, Telstra debts affect consumer credit ratings, ABC, viewed 29 September 2013, <http://www.abc.net.au/pm/content/2003/s875586.htm>
8. MrFairGo, 2010, Protect Yourself from Information Predators, Meta, viewed 29 September 2013, <http://communicationprivacy.com/protect-yourself-from-information-predators>
9. Pilgrim, Timothy, 2012, Telstra Corporation Limited: Own motion investigation report, Australian Government, viewed 1 October 2013.
10. Privacy Act 1988, Australian Government, viewed 2 October 2013.
