Privacy Commissioner lists gripes with Microsoft data-privacy report
The Office of the Australian Information Commissioner (OAIC) has expressed concerns with some of the data-privacy changes that were proposed by a recent Microsoft report.
The Microsoft Global Privacy Summit Report (PDF), entitled "Notice and Consent in a World of Big Data" and released in November 2012, lists the topics that came out of numerous global discussions held by the vendor on data privacy.
"Generally, people agreed that new approaches to privacy protection must shift responsibility away from individuals to organisations which use data, driving a focus on what uses of that data are permitted, as well as [have] accountability for responsible data stewardship, rather than mere compliance," Microsoft chief privacy strategist Peter Cullen wrote in a blog post.
While the OAIC was supportive of more responsible data-collection processes, it disagreed with some of the changes that the Microsoft report suggested about how collected data could be used.
The Organisation for Economic Co-operation and Development (OECD) Privacy guidelines stipulate that personal data cannot be used unless an individual's consent is given. The Microsoft report suggested that this rule should be changed, so that organisations can use any data so long as it is not "fraudulent, unlawful, deceptive, or discriminatory."
"In our view, this would allow a considerably broader re-use of data than that allowed by the original OECD version, and indeed by Australia's [Privacy Act]," Privacy Commissioner Timothy Pilgrim said in an open letter.
The Microsoft report also wanted to change the Individual Participation Principle in the OECD guidelines, which gives individuals the right to request data from organisations that collect information, and the opportunity to request that their data be removed. If a request is denied, an individual can challenge the organisation holding the data, and, if the challenge is successful, the data would have to be erased.
The Microsoft report's version, called the Fairness Principle, would see that individuals have the right to choose what personal data is collected, and is more lax when it comes to the need for organisations to respond to data-deletion requests.
The OAIC believes that the Fairness Principle narrows "the ability of an individual to seek deletion, rectification, or amendment to the information held about them to circumstances affecting only employment, healthcare, financial matters, or legally protected rights."
The commission would like to see the criteria be broadened to include other circumstances, as well such as cultural or religious information.
The OAIC also wants Microsoft to make future reports more gender neutral by removing male and female pronouns.