[WG-UMA] The Australian Privacy Amendments Bill

Kevin Cox kevin.cox at edentiti.com
Wed Jul 4 13:04:28 EDT 2012


I understand and share your concerns.  However, what is proposed is not at
odds with either of your concerns.  I need to explain in a little more
detail the mechanics of what happens because I am not attempting to specify
all solutions to all problems and all issues but a change in the underlying

When information is stored about a person the party storing the information
should know who it is and should be able to contact the person because the
person has given permission for their data to be stored.  If they have
obtained their permission then they have been "in contact" with the person.
 To retrieve the data they must know how to retrieve it and they will have
used a set of keys (identifiers) to access the data.  What is being asked
is that at the time they store the data they make available to the person
(who they know and with whom they have been in contact) the identifiers for
the person to retrieve the information that has been stored.  They have
also made available how to use the identifiers so that the person can
retrieve the information and check that the data actually stored is what
they have supplied.  This is not unreasonable and should be simple and easy
to do.  If it isn't then it is almost certain that privacy is at risk.

Having stored information about a person and given them access then when a
third party comes along and wants to look at the data it is a simple
operation to let the person know who made the request because the link with
the person was established when the data was stored and again it is only a
small addition that a computer system can easily and simply accomplish.

That is it.

Let us not complicate the issue with what might happen but are these policy
suggestions reasonable, add to privacy and are practical?

I say the answer is yes.

With respect to your comments about eHealth think of how a doctor finds out
about the patient. They ask them.  If the patient knows where all their
health information is stored the doctor can "ask" the patient to give them
all the stored data and the patient can supply it.

With respect to your second point about anonymity what is proposed does not
change this.  If the shop does not store personal data then you do not need
to be told about it.  If they do then you should be told about it.


On Wed, Jul 4, 2012 at 10:36 PM, j stollman <stollman.j at gmail.com> wrote:

> Kevin,
> While I am generally supportive of the UMA approach, there are certain
> practical concerns that I feel need to be addressed in your recommendation.
> First, since you reference eHealth, I would suggest that in the health
> field, it is not clear what information might not be relevant to diagnosing
> and or prescribing treatment for a patient.  What first presents itself as
> one malady is sometimes properly diagnosed as something quite different.
>  Doctors need to consider the entirety of their patients which causes them
> to want to see all available data on a patient prior to making a diagnosis.
>  Similarly, when prescribing treatment, considerations such as drug
> interactions also prompt the need for full disclosure.  Perhaps the eHealth
> reference should be removed.  Many other interactions certainly present a
> more clear value for UMA's ability to selectively disclose only the
> information a user seeks to disclose.
> Second, limiting disclosure is an important part of maintaining privacy.
>  It covers the input side of the equation.  But it needs to be combined
> with measures to dispose of collected information to prevent the gradual
> accumulation of a full dossier over multiple transactions.  When I go to
> the store and buy a widget with cash, there is no record of my transaction
> attached to my identity.  When I conduct a similar transaction online, a
> trail persists.  If we can't control this persistence, our information can
> continue to collect negating the initial selective disclosure.
> Thank you.
> Jeff
> On Tue, Jul 3, 2012 at 2:41 PM, Kevin Cox <kevin.cox at edentiti.com> wrote:
>> The Australian Government is introducing a Privacy Amendments Bill.  This
>> Bill is to update the existing privacy principles and to put in place
>> recommendations from an enquiry.
>> The government has called for comments to be given to the Parliamentary
>> Committee who is looking at what goes into the bill. Comments need to be in
>> by the 20th July.
>> The attached document is my first draft of changes that if adopted will
>> result in all personal data held in Australia being made accessible to the
>> individual concerned.
>> I would welcome any comments.  If anyone wishes to support or endorse the
>> changes then those expressions of support could be added to the submission.
>>  The changes have been driven, amongst other things, by the need to allow
>> the credit bureaus to provide positive credit checks.  Australia and NZ
>> have negative credit checks but positive credit checks have seen to be too
>> difficult because of the privacy legislation.
>> I believe if we can get these changes into the Bill it will advance the
>> cause of User Managed Access.
>> Kevin
>> --
>> 0413961090
>> Home +61 2 62410647
>> Skype cscoxk or +61 2 61003884
>> Fax +61 2 6103 0144
>> http://www.linkedin.com/in/kevinrosscox
> --
> Jeff Stollman
> stollman.j at gmail.com
> 1 202.683.8699
> Truth never triumphs — its opponents just die out.
> Science advances one funeral at a time.
>                                     Max Planck

Home +61 2 62410647
Skype cscoxk or +61 2 61003884
Fax +61 2 6103 0144
