23 June 2017

Our reference: D2017/004288

Illegal Offshore Gambling Taskforce
The Department of Social Services
PO Box 9820
CANBERRA ACT 2601

By email: IOWT.Secretariat@dss.gov.au

A National Consumer Protection Framework for online wagering – Consultation Regulation Impact Statement

I welcome the opportunity to comment on A National Consumer Protection Framework for online wagering – Consultation Regulation Impact Statement (the Consultation RIS) [1].

The Consultation RIS considers regulatory and non-regulatory options for a National Consumer Protection Framework for online wagering (National Framework). I acknowledge the important policy objectives behind the National Framework, particularly to ensure that there are nationally consistent and improved consumer protections to empower individuals and to limit the potential harmful effects from online wagering activity.

While I recognise these important objectives, a number of the measures outlined in the Consultation RIS include options that may raise privacy risks, including for example:

  • the establishment of new centralised repositories of personal information[2]
  • dynamic responsible gambling messaging, tailored according to a customer’s play[3].

As these options would involve changes to existing personal information handling practices, and in some cases the handling of ‘sensitive information’ such as health information, I recommend that a privacy impact assessment (PIA) be conducted at the earliest policy design stage[4]. This will help to identify any impacts on the privacy of individuals and allow for privacy safeguards to be built into the preferred regulatory model.

I have outlined below some potential privacy impacts associated with a number of the options in the Consultation RIS, to illustrate the importance of undertaking a PIA.

Role of the OAIC

The Office of the Australian Information Commissioner (OAIC) is an independent Commonwealth statutory agency, established by the Australian Parliament to bring together three functions:

  • privacy functions (protecting the privacy of individuals under the Privacy Act 1988 (Privacy Act) and other Acts)
  • freedom of information functions (access to information held by the Commonwealth Government in accordance with the Freedom of Information Act 1982)
  • information management functions (as set out in the Australian Information Commissioner Act 2010).

The integration of these three interrelated functions into one agency has made the OAIC well placed to strike an appropriate balance between promoting the right to privacy and broader information policy goals.

In the digital age, more information is being collected than ever before. While technology is allowing organisations to use and analyse data in innovative ways, often to great social and economic benefit, privacy must be integral to the equation. ‘Getting privacy right’ will help to engender public trust and gives individuals choice and confidence that their privacy rights will be respected.

The Privacy Act contains thirteen Australian Privacy Principles (APPs) which outline how Australian Government agencies, private sector organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively, APP entities) must handle, use and manage personal information. Health information is regarded as one of the most sensitive types of personal information. For this reason, the Privacy Act provides extra protections around its handling, in acknowledgment of the adverse consequences that inappropriate handling can have on an individual.

Potential privacy impacts

Sensitive information

The options in the Consultation RIS generally appear to involve the collection of information about an individual’s online wagering activities. I understand that in some circumstances this information may indicate whether an individual is considered to be ‘at risk’ and may be experiencing harms such as physical and mental illness caused by gambling activity. This information is therefore likely to be ‘health information’ under the Privacy Act and, as a type of ‘sensitive information’, may be subject to the extra protections that apply to sensitive information[5]. For example, APP entities may only collect sensitive information about an individual with consent and for purposes that are reasonably necessary for or directly related to that entity’s functions, unless an exception applies (APP 3.3)[6]. In my experience, proposals that involve the handling of sensitive information are likely to raise increased community concern to ensure that appropriate privacy safeguards are in place, and this would generally warrant conducting a PIA at an early stage.

Centralised register

The options that involve developing a centralised register[7] raise potential privacy risks if access mechanisms and privacy settings are not clearly defined. For example, it appears that the option to issue activity statements through a centralised register[8] would involve all legal wagering operators disclosing transaction data for all of their customers into a centralised repository. However, as the Consultation RIS is intended to canvass options at a relatively high level, it is not clear how the following potential privacy risks associated with centralised registers will be addressed:

  • whether the Privacy Act would apply to the entity with responsibility for the centralised repository, as well as to entities that disclose personal information to the repository and collect personal information from the repository
  • the extent to which an individual would need to consent to the collection of personal information for inclusion on the register or collection of personal information from the register, which, under APP 3.3, may be required if sensitive information is collected
  • the purpose for which personal information from the centralised register may be used and disclosed, which, if not clearly defined could potentially allow for function creep over time through increasingly more organisations obtaining access to the register for different purposes
  • how the entity responsible for the register would meet APP 11, which requires entities to take reasonable steps to protect personal information from misuse, interference and loss and from unauthorised access, modification or disclosure – careful consideration would need to be given to security settings if this option is progressed[9].

I welcome that the Consultation RIS refers, at multiple points, to the importance of ensuring appropriate security and privacy settings are in place for centralised systems[10]. Given the potential privacy risks associated with such systems, my Office would be pleased to engage with you in developing the legislative and policy framework for any such systems.

Dynamic responsible gambling messaging

I understand that the Consultation RIS includes an option[11] that would use predictive algorithms to tailor consumer protection messages according to an individual’s activity data. Using analytics to generate data about a consumer’s online wagering habits may result in the collection of personal, and potentially sensitive, information. As you may be aware, APP 10 generally requires APP entities to take reasonable steps to ensure the quality of personal information they collect, use and disclose. The nature of predictive algorithms potentially increases the risk that the new personal information will not be accurate, up-to-date and complete.

There are a range of other potential privacy risks associated with data analytics outlined in the OAIC’s draft Guide to big data and the Australian Privacy Principles. Given these privacy risks, I would recommend a PIA be conducted in relation to this option.

Small business operator exception under the Privacy Act

While the Privacy Act would apply to many online wagering providers, ‘small business operators’ are generally exempt from the operation of the Privacy Act. Generally, under the Privacy Act an organisation with an annual turnover of $3 million or less is a small business operator (although a range of small businesses are nevertheless covered)[12]. Where significant privacy impacts are associated with a new proposal that involves small businesses which are not covered by the Privacy Act, it may be appropriate to require those entities to comply with the APPs through enabling legislation. This approach has been adopted, for instance, in relation to reporting entities under Anti-Money Laundering and Counter-Terrorism Financing legislation, and service providers under the Telecommunications (Interception and Access) Act 1979.

Conclusion

Given that the options outlined in the Consultation RIS appear to raise a range of privacy risks, some of which have been briefly outlined above, I would recommend that the Department of Social Services undertake a PIA at an early stage in the design of the National Framework. A PIA will not only assess compliance risks, but also assess the privacy risks in relation to community expectations and perceptions of how the new measures will impact on the privacy of individuals. It may also help to achieve the intended policy objective of the National Framework while minimising the negative and enhancing the positive privacy impacts.

Once the preferred regulatory model is identified, I recommend that a further PIA be conducted at the next design phase of the agreed proposal. Completing PIAs at various stages in the policy design process will ensure that all privacy risks are proactively identified, and enable them to be effectively managed.

I look forward to an opportunity to engage further on specific measures to achieve the National Framework as these are developed.

If you would like to discuss these comments or have any questions, please contact Sophie Higgins, Director, Regulation & Strategy, on [contact details removed].

Yours sincerely

Timothy Pilgrim PSM
Australian Information Commissioner
Australian Privacy Commissioner

Footnotes

[1] https://engage.dss.gov.au/illegal-offshore-wagering-consultation-regulation-impact-statement/

[2] Option three of measure one (a national self-exclusion register); Option three of measure two (a voluntary, opt-out pre-commitment scheme); Option three of measure five (activity statements on demand and on a regular basis).

[3] Option three of measure six (Responsible gambling messaging).

[4] For more information about PIAs, see the OAIC’s Guide to undertaking privacy impact assessments and our new Undertaking a Privacy Impact Assessment e-learning course available on the OAIC website, www.oaic.gov.au.

[5] Defined in s 6(1) of the Privacy Act.

[6] More information about the higher standards that apply to the collection, use and disclosure of sensitive information is available in the OAIC’s APP Guidelines.

[7] Option three of measure one (a national self-exclusion register); Option three of measure two (a voluntary, opt-out pre-commitment scheme); Option three of measure five (activity statements on demand and on a regular basis).

[8] Option three of measure five (activity statements on demand and on a regular basis).

[9] See the OAIC’s Guide to securing personal information.

[10] For example, pages 46 and 81.

[11] Option three of measure six (responsible gambling messaging).

[12] Section 6D of the Privacy Act. More information on how the Privacy Act applies to small businesses can be found in the OAIC’s Privacy business resource 10: Does my small business need to comply with the Privacy Act?