D a t a P r o t e c t i o n in A u s t r a l i a

DATA PROTECTION IN AUSTRALIA TURNS AND ROUNDABOUTS: THE NEW DATA PROTECTION ENVIRONMENT IN AUSTRALIA Margaret Jackson

I This article outlines new and proposed legislative developments in data protection in Australia over the last few ]

I years.

INTRODUCTION Since the in t roduc t ion of the Federal Privacy Act in 1988, an Act which applied only to Federal Gove rnmen t agen- cies, Australian governments , both state and federal, have been uncer ta in about whe the r or not to in t roduce data pro tec t ion legislation which would apply to both the pri- vate and non-federa l pub l ic sectors . The pre fe r red approach of most has been a uniform, Australian-wide approach rather than a state by state, sector by sector approach. What began to happen in 1997 and 1998, how- ever, was a piecemeal and incons is ten t approach to ensur- ing the informat ion privacy of individuals. The Federal Gove rnmen t first decided to in t roduce legislation to cover the private sector and then changed its mind and in t roduced voluntary nat ional guidel ines instead. As well, two states proposed to in t roduce their own legislation. By the beg inn ing of 1999, however, the Federal Gove rnmen t had decided again to in t roduce legislation to cover the private sector. This article examines the cur ren t and pro- posed data p ro tec t ion env i ronmen t in Australia.

EXISTING COMMONWEALTH LEGISLATION In 1988, the Australian Government enacted the Privacy Act 1988 (Cth), an Act which granted to individuals certain limit- ed rights to control the use of, and access to, information about themselves. Apart from this Act, Australia does not rec- ognize a legal right to privacy. ~ The model of data protection law adopted in Australia was based on the international regu- latory framework contained in the 1980 OECD Guidelines on the Protection o f Privacy and Transborder Flows o f Personal Data (the OECD Guidelines). The Privacy Act applies to information collected, stored, analyzed and dissem- inated by any means, not just by computer technology. It con- tains 11 Information Privacy Principles (the IPPs) which provide minimum guidelines about how to handle the collec- tion, use and storage of personal information. The Act applies only to Commonwealth Government agencies and to the pri- vate sector in respect of tax file numbers. In 1990, the opera- tion of the Act was extended to apply the IPPs to the activities of credit reporting agencies and credit providers. 2 In July

1994, the Act was also amended to cover public sector agen- cies of the Australian Capital Territory. 3

Since 1990, a number of federal government review bod- ies have called for the PrivacyAct to be changed into a nation- al data protection scheme, covering the private sector and the state and territorial government sectors. Four government reports in particular have recommended that this occur. These reports are the 1992 Australian Telecommunications Authority (AUSTEL) report titled Telecommunications Privacy: Final report of AUSTEL's Inquiry into the Privacy Implications o f Telecommunications Services; 4 a report pre- pared by the National Information Services Council (NISC) in the form of a booklet containing papers writ ten by the vari- ous working parties of the NISC released inAugust 1995; s the 1995 report Open government: a review of the federal Freedom of Information Act 1982 (Cth) prepared by the Australian Law Reform Commission (ALRC), in conjunct ion with the Administrative Review Council (ARC); 6 and the 1995 report by the Commonwealth House of Representatives Standing Committee on Legal and Constitutional Affairs titled: In Confldence: A Report on the Protection o f Confidential Personal and Commercial In format ion held by the Commonwealth. 7 The reasons behind these recommenda- tions to extend the Act included concern that new communi- cation technologies being considered by telecommunication companies in Australia had raised a number of privacy issues when introduced overseas;* concern that the privatization of government business enterprises, particularly in the area of telecommunications, meant that many parts of the new infor- mation environment were not covered by data protection laws; 9 and hope that such an extension of the Privacy Act might stop the unauthorized procurement of confidential government information by the private sector. 10

INTERNATIONAL DEVELOPMENTS In te rna t iona l deve lopment s also led the Federal Government to consider widening the application of the PrivacyAct. On 25 July 1995, the European Union Council of Members adopted the Directive on the protection o f indi- viduals with regard to the processing o f personal data and on the free movement o f such data (the Directive).

238 Computer Law & Security Report Vol. 15 no.4 1999 ISSN 0267 3649/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved

D a t a P r o t e c t i o n in A u s t r a l i a

This Directive established a Europe-wide set of legal princi- ples for privacy protection covering both the public and pri- vate sectors to be enacted in all European Union countries which do not already have 'adequate' data protection laws. The 15 member states of the European Union were required to implement the Directive through domestic legislation by the latter half of 1998.The Directive came into effect on 25 October 1998. Although not all of the members had imple- mented the Directive, it is anticipated that implementation by most of them will occur in the near future. ~ 1

The aspect of the Directive which is likely to have a sub- stantial impact on Australia is the requirement in Article 25 that "member states shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing may take place only if... the third country in question ensures an adequate level of protection". As Australia's PrivacyAct only applies to Federal Government agencies and does not, with the exception of the sections relating toTax File Numbers and credit providers, apply to the private sector or state government agencies, it is likely that it may not be considered to offer adequate protect ion. Australia's trade with the European Union is significant and any barriers to such trade, such as the inability of organiza- tions to transfer information across borders, may adversely affect that trade. 12 The adequacy of data protection available in each country will be considered case by case, and so Australian organizations and governments may need to guar- antee or contract to protect information if the protection is deemed to be inadequate. 13 The implications for Australia of the Directive are that piecemeal solutions to transfers of data may arise. It should be noted, too, that once a decision has been made by one European country to block a transfer, this decision will apply to all European Union members and not just the country from which the information was to be trans- ferred. 14

In September 1996, the Federal Attorney-General, Daryl Williams, released a discussion paper Privacy Protection in the Private Sector. He cited the four reports mentioned above as providing the momentum for the discussion paper, as well as international developments, particularly the European Directive on Data Protection. 15 The Discussion Paper envis- aged that the new regime would apply to all individuals and organizations in Australia, including Federal Government busi- ness enterprises, such as Telstra Corporat ion and the Australian Postal Corporation. 16

PROPOSED DATA PROTECTION REGIME The proposed data pro tec t ion regime would apply Information Privacy Principles, based on, but not necessarily identical to, those contained in the Privacy Act 1988 (Cth) to all records containing personal information in the private sec- tor. 17 As part of the proposed regime, Codes of Practice would be developed to cover specific industry groups or activities. The IPPs were to be accepted as a minimum stan- dard by each Code, although some modification of them would be permitted. 18 If no Code was issued, the IPPs would apply.

It was proposed that the new regime would also intro- duce penalties for the unauthorized disclosure of personal information for profit and for obtaining personal information

by false pretences. 19 There were no penalties suggested for those individuals and organizations that procured the unau- thorized release of personal information, despite the recom- mendations of the 1995 In Confidence: A Report on the Protect ion o f Conf ident ia l Personal a n d Commerc ia l In format ion held by the Commonweal th . 2°

The new data protection regime also addressed the issue of transborder data flows. It was proposed that the transfer of personal information out of Australia to countries with inade- quate levels of privacy protection would only be permitted where the individual concerned had consented in some way, the transfer was in the interests of the individual, it was required by law or it was necessary for law enforcement or other legal purpose. 21 These TBDF guidelines were similar, but not identical, to those contained in the European Union Directive, and the Hong Kong Personal Data (Privacy) Ordinance 1995.

When releasing his Discussion Paper, the Attorney-General had indicated that, after consideration of submissions relating the paper, draft legislation would be introduced in 1997.22 On 14 March 1997, he presented a paper to the Standing Committee of Attorneys-General in which he stated his expectation that legislation would be introduced during 1997. 23 However, on 21 March 1997, the Prime Minister, Mr John Howard, announced the Commonwealth Government had decided not to enact privacy legislation for the private sector, on the ground that it would "further increase compli- ance costs for all Australian businesses, large and small" 24 The preferred approach of the Government was now to be the development of voluntary codes of conduct. The announce- ment appeared to be a surprise to all, including the Attorne D General and his Department, and the Privacy Commissioner. No further statement or report about the grounds upon which this decision to abandon national legislation was based were released although it was apparently based on submis- sions from industry bodies calling for a reduction of ' the reg- ulatory burden' , z5 The Prime Minister also requested State Premiers and Territory Chief Executives not to introduce pri- vacy legislation to cover the private sector. The response of some states and territories is known, as the Prime Minister stated that both the Northern Territory and Queensland have apparently acceded to his request. South Australia has appar- ently done the same.Victoria indicated it would proceed with draft legislation to cover the state public sector and reserved its position concerning legislation for the private sector, while New South Wales appeared likely to proceed with leg- islation covering both sectors in 1998.

On 25 April 1997, the Minister of Finance, Mr John Fahey announced that the Federal Government would be outsourc- ing government information technology infrastructure, including the processing of tax, health, education and welfare records, to the private sector. Mr Fahey also said that the pri- vacy of the personal data would be guaranteed under the out- sourcing contracts. After adverse media coverage, he announced that the Privacy Act would be extended to cover the outsourcing companies, but apparently not the rest of the private sector.26A Privacy (Amendment) Bill 1998 was passed by the House of Representatives on 1 April 1998 but when it reached the Senate, it was referred to the Senate Legal and Constitutional Committee for review. Instead of a review of the bill, the Committee commenced a review of privacy in

Computer Law & Security Report Vol. 15 no. 4 1999 ISSN 0267 3649/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved

239

D a t a P r o t e c t i o n in A u s t r a l i a

the private sector generally. It was expected to report in mid- February 1999.

On 18 August 1997, the Australian Privacy Commissioner, Ms Moira Scollay, released a Consultation Paper, Information Privacy in Australia: A National Scheme for Fair Information Practices in the Private Sector. The unified National Scheme proposed in the paper would be compatible with the PrivacyAct and any proposed state laws. It would be voluntary for the private sector.

After extensive consultation with the business sector, the Privacy Commissioner and the Attorney-General released the new voluntary guidelines for the private sector, the National Principles for the Fair Handling of Personal Data (National Principles) on Friday, 20 February 1998.The initial response was not favourable. 27 Consumer groups threatened to boy- cott the scheme, 2s while large businesses with international exposure, such as the National Australia Bank and American Express, called again for legislation. 29 The Law Council of Australia and the Australian Privacy Foundation also called for federal privacy legislation. 3° Support for the new guidelines was given, however, by representative bodies such as the Australian Chamber of Commerce and Industry, the Insurance Council of Australia and the Australian Bankers Association. 31 The Privacy Commissioner indicated that she would review the Principles towards the end of 1998.This review was com- pleted in late 1998 and amended Principles were released in January 1999.The amendments were minor.

The National Principles encapsulate the IPPs contained in the Privacy Act but include a number of new elements.These include: the right of individuals to not identify themselves when entering transactions, 32 restrictions on organizations using government assigned identifiers, such as Medicare num- bers; 33 a preference that organizations will collect personal information directly from the individual concerned; 34 a limi- tation on the collection of highly sensitive information about individuals; 35 and some guidelines on the transfer of informa- tion to third parties. 36 On 15 December 1998, the Attorney- General and the Minister for Communications, Information Technology and the Arts announced that the Federal Government had changed its mind and would now introduce legislation to strengthen self-regulatory privacy protection in the private s e c t o r s The legislation will be based on the Privacy Commissioner's National Principles and will continue the encouragement of industry codes. No reasons for this change in policy were provided in the press release. An expert advisory group is being formed to advise the Attorney- General on the proposed legislation.

VICTORIA

In 1990, the Victorian Legal and Constitutional Committee recommended that privacy legislation should be introduced in Victoria. 3s The then Attorney-General, the Hon J H Kennan QC MLC requested the Law Reform Commission of Victoria to examine this recommendation and, in 1992, it issued a dis- cussion paper on Privacy. The Commission had reached a preliminary conclusion that the simplest and most cost effec- tive method of protecting the privacy of confidential, govern- ment-held information was to amend the Freedom of Information Act 1982 (Vie) (the FOI Act). 39 It considered that to enact legislation similar to the Privacy Act 1988 (Cth) was

too expensive, although it did not discuss its reasoning for this view. 4°

The Commission noted that most of the IPPs contained in the Privacy Act were already met by requirements imposed on government agencies under the FOI Act. It would be nec- essary to add only two privacy protection guidelines to the Act to cover all the IPPs.The first amendment proposed was to require government agencies that solicit and use personal information to take reasonable steps to ensure the data sub- ject knew why the information was being collected and to whom it may be disclosed. The agencies would also need to take care that the information collected was accurate, kept up-to-date and protected from unauthorized use and access. The second amendment proposed was to require agencies to publish particulars of the purpose for which personal infor- mation was collected and to whom it would be disclosed. 41

Shortly after the release of this report, the Law Reform was abolished and it was not until mid-1996 that the Victorian Government took any further action on privacy protection in respect of personal information. InAugust 1996, it established a Data Protection Advisory Council to advise on appropriate draft legislation for data protection. The main incentive for the creation of the Council was acknowledged by the Victorian Treasurer and Minister for Multimedia, Alan Stockdale, to be the introduction of a government database, the Electronic Service Delivery.

The terms of reference for the Data Protection Advisory Council required it to advise the Minister for Multimedia on the "most appropriate regulatory regime for Victoria govern- ing collection, storage and transfer of information, particularly personal information held by the public sector organiza- tions". 4z The Council reported to the Minister at the end of December 1996.As at that time, the Federal Government had proposed regulating the private sector through an extension of the Privacy Act, it recommended the introduction of legis- lation applicable only to the public sector. Following the Prime Minister's announcement in March 1997 that the Federal Government would not proceed with legislation for the private sector, the Victorian Government decided to pro- ceed with data protection legislation covering both the pri- vate and public sectors. A Data Protection Bill was released for public comment in July 1998 and, after amendment, released again for comment in December 1998. The IPPs in the Bill are based closely on the National Principles released by the Privacy Commissioner in February 1998 but the Government intends to incorporate any changes made to the National Principles prior to the Autumn Victorian parliamen- tary sitting. 43

The aim of the Data Protection Bill is to protect the priva- cy of personal information handled byVictorian-based organi- zations and personal information handled in Victoria by business, state and local government and other organizations. It applies to both the public and private sectors. Organizations are able to develop their own codes of prac- tice, subject to the approval of the Privacy Commissioner. 44

The Information Privacy Principles are contained in Schedule 1 of the Bill. Stronger language has been used than in the National Principles, with 'must ' being used instead of 'shall'. There are slight changes to the wording of the National Principles and a few additional sub-clauses have been added.

240 Computer Law & Security Report Vol. 15 no. 4 1999 ISSN 0267 3649/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved

D a t a P r o t e c t i o n in A u s t r a l i a

The Bill creates the position of Privacy Commissioner, granting substantial powers to investigate complaints. 4s Failure of organizations or individuals to comply with a com- pliance notice of the Commissioner can result in financial penalties. 46 In the event of the Federal Government legislat- ing to cover the private sector, the Bill provides for the Federal Privacy Commissioner to assume the powers and duties of the Victorian Commissioner in respect of the private s e c t o r . 47

NEW SOUTH WALES

New SouthWales enacted the Privacy CommitteeAct in 1995, creating a statutory body to monitor and investigate privacy concerns. Hampered by a lack of power to sanction those who interfere with the privacy of others, the main role of the Privacy Committee was to investigate complaints from the public and to recommend ways in which privacy can be pro- tected. It released a number of useful reports on aspects of privacy protection, including its 1986 Guidelines for the Operation of Personal Data Systems. 48

Between 1991 and 1998, there were four attempts to introduce data protection legislation. During that time, the New South Wales I n d e p e n d e n t Commission Against Corruption (ICAC) released its Report on Unauthorized Release of Government Information, revealing a wide- spread trade in government confidential information. ICAC recommended in particular that the any state data protection legislation should make the unauthorized disclosure of gov- e rnment information a criminal offence as well as the obtain- ing and selling of government information by third parties.

It was not until 1998 that legislation was passed. In November, the New South Wales Parliament enacted the Privacy and Personal Information Protection Act 1998. The Act applies only to the state public sector, excluding the pri- vate sector and State-owned corporations. It applies to all per- sonal information, whether held manually or on computer and whether held by an outsourcer organization on behalf of a public sector agency. 49 It repeals the Privacy Committee Act 1975.

Sections 8 to 19 contain the principles to be followed by state government agencies when collecting, storing, using and disclosing personal information. Like the principles con- tained in the Victorian Data Protection Bill, the language is stronger than that used in the Privacy Act or the National Principles. 'Must' is used instead of 'shall'. The New South Wales principles are based on the IPPs in the Privacy Act but contain slightly different wording. It also contains additions to those IPPs. For instance, it provides that information must be collected directly from an individual 5° and that informa- tion must not be kept for longer than necessary, 51 and must be disposed of securely. 52 Clause 19(1) forbids the disclosure of personal information to a third party unless its disclosure will prevent a serious or imminent threat to the life or health of the individual concerned or to another person. Clause 19(2) prohibits the disclosure of personal information to peo- ple located outside New South Wales unless a relevant data protection law or a privacy code of conduct exists in that jurisdiction.

The Act provides for the appointment of a Privacy Commissioner who is given limited powers to investigate

complaints about breaches of the Act. 53 It also allows state public sector agencies to modify the principles through codes of practice, subject to the support for the code from the Privacy Commissioner and the approval of the relevant Minister. 54 In response to the ICAC and In Confidence rec- ommendations about the unauthorized trade in government information, the Act creates three offences relating to the dis- closure of government information by government officials, inciting a government official to disclose information, and selling government information to anybody knowing that the information has been obtained without authority. 55

CONCLUSION

At present, Australia has the Privacy Act 1998 which applies generally to Federal Government agencies and to the Australian Capital Territory public sector; voluntary National Principles for the Handling of Personal data, covering the pri- vate sector Australia-wide; the Privacy and Personal Information Protection Act 1998 (NSW) which applies only to the public sector and to outsourcers who handle personal information for public sector agencies; and South Australian administrative guidelines which apply only to the public sec- tor. In 1999, Victoria is proposing to introduce a Data Protection Act which will cover both the private and public sectors, while the Federal Government is also proposing to introduce legislation to cover the private sector Australia- wide. At this stage, however, it appears that Queensland, Tasmania, Western Australia and the Northern Territory have no plans to introduce any form of data protection although all have explored the possibility in recent years.

While the existence of a n u m b e r of different forms of legislation and guidelines offering data protect ion is not necessarily something to deplore, what is unfor tunate is that there are variations be tween the different schemes. The Information Privacy Principles in the South Australian guidelines, the Privacy Act, the National Principles and the Privacy and Personal Information Protection Act 1998, while all based on the OECD Guidelines, differ in context, phraseology and applicat ion. The Informat ion Privacy Principles in the Victorian Data Protection Bill are similar to those in the National Principles but even so, contain some differences in phraseology and application. Presumably the pr ivate sector legislat ion p roposed by the Federal G o v e r n m e n t will adopt the National Pr inciples but whether the Privacy Act IPPs are to be amended in line with the Guidelines is not known.

Despite the similarity in the various data protection schemes outlined above, it is the differences which may lead to disunity. Different privacy commissioners will be required to react to different government policy approaches in their interpretation and application of the principles, and tri- bunals, courts and administrative boards will be required to make their own judgments based on the specific wording of the principles at issue.

There is no doubt that the about-face of the Federal Government in March 1997 over the extension of the Privacy Act to cover the private sector substantially con- tributed to the actions of New South Wales and Victoria in introducing their own Data Protection Acts. It also led to the creation of the National Principles which differ in a number

Computer Law & Security Report Vol. 15 no. 4 1999 ISSN 0267 3649/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved

241

D a t a P r o t e c t i o n in A u s t r a l i a

of i m p o r t a n t r e s p e c t s f r o m t h e IPPs in t h e Pr ivacy Act a n d w h i c h r e p r e s e n t e d a c o m p r o m i s e b e t w e e n t he Pr ivacy C o m m i s s i o n e r ' s i n t e n t to p lace Austral ia in a p o s i t i o n to sat- isfy t h e a d e q u a c y c r i t e r i a of t h e E u r o p e a n Di rec t ive a n d t he d e m a n d s of t he va r ious i n d u s t r y l o b b y g roups . T h e Federa l G o v e r n m e n t has n o w a n o t h e r o p p o r t u n i t y to redra f t b o t h t he Pr ivacy Act IPPs a n d t he Na t iona l P r inc ip l e s to a c h i e v e a

u n i f o r m set of IPPs. It wil l b e i n t e r e s t i ng to see t he a p p r o a c h

w h i c h it adopts .

Margare t J a c k s o n Assoc ia te Professor in C o m p u t e r Law School of A c c o u n t i n g a n d Law RMIT Universi ty, M e l b o u r n e

FOOTNOTES 1Victoria Park Racing and Recreation Grounds Co Ltd v Taylor (1937) 58 CLR 479. 2Privacy Amendment Act 1990, which came into effect on 25 February 1992. 3Australian Capital Territory Government Service (Consequential Provisions) Act 1994 (ACT) s 23, schedule 3. 4AUSTEL, Telecommunications Privacy: Final report of AUSTEL's Inquiry into the Privacy Implications of Telecommunications Services (1992). 5National Information Services Council (NISC), Department of the Prime Minister and Cabinet,Agenda papers from the first meeting of the Council (1995) iv. 6Australian Law Reform Commission and the Administrative Review Council (ALRC & ARC), Open government: a review of the federal Freedom of InformationAct 1982 (Cth) (1995) 206. 7Commonwealth House of Representatives Standing Committee on Legal and Constitutional Affairs, In Confidence: A Report on the Protection of Confidential Personal and Commercial Information held by the Commonwealth (1995), 171-172. 8AUSTEL, above n 4, 9-10. 9NISC, above n 5, iv;ALRC &ARC, above n 6, 206. 1°In Confidence, above n 7, 122 & 127. 11OECD Press Release, Directive on personal data protection enters into effect, IP/98/925, 23 October 1998, 1. 12For example, in 1995/96, the European Union was Australia's largest economic partner with total current account transactions amounting to 20% of total t ransactions with all countries. Australia's second largest economic partners,Japan and the United States, each accounted for about 15 % of total transactions. Editor, Background - - EU-Australia Relations September 1997. 13OECD Press Release, above n 11,2. 14Ibid 3. 15Attorney-General's Department, Commonwealth Government, Discussion Paper: Privacy Protection in the Private Sector (1996) 1- 3. 16Ibid. 17Ibid 6. 18Ibid 13. !9Ibid 28. 2°In Confidence, above n 7, 171-2. 21Attorney-General's Department, above n 15, 21. 221bid 84. 23Graham Greenleaf, 'International privacy standards - - Their con- tinuing relevance to Australia' paper presented at the Data Protection and Privacy Conference (1997) 2. 24prime Minister, Press Release 'Privacy Legislation', 21 March 1997.

25Ibid. 26Greenleaf, above n 23, 3. 27See generally, Graham Greenleaf and Nigel Waters, 'Putting the "National Principles' in context ' (1998) 4 Privacy Law & Policy Reporter 161 and Roger Clarke, 'Serious Flaws in the National Privacy Principles' (1998) 4 Privacy Law & Policy Reporter 176. 2SCarolyn Milburn, 'Boycott on Canberra's privacy bid', The Age (Melbourne), 21 February 1998, 1. 29Stan Beer, 'Privacy code gets cold shoulder', The Australian Financial Review, 21-22 February 1998, 4. 30Ibid. 31 Ibid. 32National Principles, clause 8. 33Ibid clause 7. 34Ibid clause 1.4. 35Ibid clause 10. 361bid clause 9. 37Attorney-General, Daryl Williams, and the Minister for Communications, Information Technology and the Arts, Senator Richard Alston, 'Government to Strengthen Privacy Protection', 15 December 1998. 38One of six recommendat ions contained in the Legal and Constitutional Committee, Fortieth Report to the Parliament, Report upon Privacy and Breach of Confidence (1990). 39Law Reform Commission of Victoria, Discussion Paper No 29, Privacy (1992), para 45. 4°Ibid para 44. 41Ibid paras 46-48. 4eVictorian Government (Alan Stockdale, Minister for Multimedia), Press Release, Data Protection Advisory Council, 3 August 1996. 43Victorian Government, Data Protection Bill Discussion Paper, <http://www.mmv.gov.au/publications> 15 February 1999, v. 44Data Protection Bill 1998 (Vic) s 4(3). 4SIbid, ss 51-64. 46Ibid, s 39 47Ibid, s 8. 48Victorian Government, Legal and Constitutional Committee, note 37, 40. 49privacy and Personal Information Protection Act 1998 (NSW) ss 3-4. 5°Ibid s 9. 511bid s 12(a). 52Ibid s 12(b). 53Ibid s 45. 541bid ss 220(2), 29 & 31. 55Ibid ss 62 & 63.

242 Computer Law & Security Report Vol. 15 no. 4 1999 ISSN 0267 3649/99/$20.00 © 1999 Elsevier Science Ltd. All rights reserved