Galexia

Benchmarks for Global Privacy Standards (November 2009)

4.1. Benchmark 1 – Comprehensive Coverage

Protection of privacy rights should be comprehensive, with as few gaps and exceptions as possible.

A Global Privacy Standard should promote privacy protection that meets the following criteria:

1. Privacy protection should cover all organisations, rather than just those who register or sign up to self-regulatory initiatives (codes, trustmarks etc.). Consumers find it difficult to tell who is ‘in’ or ‘out’ of most self-regulatory regimes, and organisations change their status at will and without notice. Many organisations simply forget to renew registrations, and none of the current self-regulatory initiatives maintain accurate and up-to-date lists of members.[4] Also, registration in voluntary schemes is extremely low, and falls even lower during difficult economic periods.

2. Privacy protection should cover all sectors, rather than distinguishing between the Government and the public sector, or being limited to particular industry sectors. There are significant difficulties for consumers in identifying current coverage in privacy law.[5]

3. Privacy protection should apply to all consumers – there should be no distinction between data regarding local citizens and data regarding overseas citizens.[6] Equally, there should be no distinction between individuals acting as consumers/citizens and individuals acting as employees.[7]

4. Privacy protection should minimise exemptions. It is recognised that some exemptions may be necessary for law enforcement, emergencies, and freedom of expression. However, there are several ways in which these exemptions can be minimised. For example, exemptions should be limited to the specific Privacy Principles which conflict with other public interests in specific contexts, rather than providing a blanket exemption for particular types of organisations or activities. Also, exemptions can, where they are justified, be subject to additional oversight requirements, such as a requirement for warrants. Some exemptions should be subject to a case-by-case public interest test, such as exemptions for journalists and media organisations.

5. Privacy protection should cover all data formats and all forms of communication. It is important to avoid arbitrary distinctions between online and offline data,[8] or restricting privacy protection to information that has been processed in a particular way.

[4] See Connolly C, ‘Privacy Trustmarks – don’t be fooled’ (2009) Privacy Laws and Business International 98, pages 9-12.

[5] For example, in Australia only businesses with revenue of over $3 million are covered. How can a consumer identify this gap in protection? In Japan, only data sets with greater than 5,000 entries are covered. How can a consumer know how big the data set is?

[6] For example, some privacy and security laws in regions in China only cover data held on overseas citizens, held by local outsourcing companies. Conversely, some privacy laws do not adequately protect information on foreign citizens being processed or hosted in the jurisdiction.

[7] For example, employees are excluded from some parts of the Australian privacy law, and can also be excluded on a case-by-case basis from the EU US Safe Harbor Agreement.

[8] For example, the EU US Safe Harbor Agreement allows organisations to restrict their self-certification to either online or offline data – but this restriction is not made known to consumers, and does not appear sensible in a modern business environment. A high proportion of Safe Harbor members have made distinctions of this type, without any notice to consumers.