Submission to National Data Security Action Plan Discussion Paper

24 June 2022

Submission by the Office of the Australian Information Commissioner

Introduction

  1. The Office of the Australian Information Commissioner (OAIC) welcomes the opportunity to make a submission to the National Data Security Action Plan Discussion Paper (the Discussion Paper) released by the Department of Home Affairs (Home Affairs) on 6 April 2022.
  2. The OAIC supports the policy objectives outlined in the Discussion Paper, including to set national data security expectations among government, industry and individuals.
  3. The Discussion Paper identifies the link between protecting personal information and improving data security standards across Australia. It also recognises the important role that the Privacy Act plays in delivering this objective.
  4. The OAIC considers that the current review of the Privacy Act can ensure that Australia’s approach to the protection of personal information is fit for purpose in today’s digital world. The protections and obligations set out in the Privacy Act are key building blocks for Australia to implement and deliver the initiatives identified in the Action Plan. The protection of information (including personal information) is a core aspect of uplifting Australia’s data security.
  5. The OAIC is Australia’s federal privacy regulator. We play a critical role in ensuring entities subject to the Privacy Act are meeting the community’s expectations for the secure handling of personal information they hold. The OAIC and the protection of personal information are an essential part of the ring of defence in ensuring Australia’s data security. In particular, the Privacy Act includes well-established security requirements and security of personal information continues to be a central regulatory focus for the OAIC.
  6. In this submission, the OAIC outlines the role that privacy and the OAIC play in the broader initiatives identified in the Action Plan, and sets out our views on mechanisms which will strengthen those frameworks in respect of the protection of personal information and data security.

Data security and Privacy

  1. Data security and the protection of personal information are intrinsically linked.
  2. The Discussion Paper identifies ‘personal information’ as a type of data that is subject to specific protection in the Privacy Act. Data will be considered personal information if it is information or an opinion about an identified individual, or an individual who is reasonably identifiable, in accordance with the definition in s 6 of the Privacy Act 1988 (Privacy Act). This definition is currently being considered as a part of the Privacy Act Review and is discussed further in the OAIC’s submission to that review process.[1] It is important that any data that may contain personal information remains subject to security requirements in Australia, including under the Privacy Act, and that entities are aware of their obligations relating to this data.
  3. The Discussion Paper also acknowledges that privacy and data security are interrelated, and that the protection of personal information is an essential part of data security. In particular, the Privacy Act includes well-established security requirements, particularly through Australian Privacy Principles (APPs) 1 and 11 and the Notifiable Data Breaches (NDB) scheme.
    1. Under APP 1, entities must take steps beyond technical security measures in order to protect and ensure the integrity of personal information throughout the information lifecycle, including by implementing strategies in relation to governance, internal practices, processes and systems, and dealing with third party providers. This ‘privacy by design’ approach under APP 1 supports strong data security amongst regulated entities by establishing measures which prevent the misuse, interference, loss or unauthorised access to, modification or disclosure of personal information. This approach also ensures entities detect privacy breaches promptly and are ready to respond to potential privacy breaches in a timely and appropriate manner.
    2. In complying with APP 11, businesses are required to take reasonable steps to protect the personal information they hold, which includes actively monitoring their risk environment for emerging threats and implementing appropriate mitigation strategies. This is a dynamic responsibility which scales proportionately to the volume and sensitivity of personal information held by an entity, the nature and size of the entity and the threat environment in which it operates.
    3. The NDB scheme requires the mandatory reporting of eligible data breaches to the regulator and affected individuals. This scheme provides visibility of compliance with relevant security standards and allows affected individuals to mitigate personal risk. The NDB scheme incentivises entities to improve security standards in relation to the protection of personal information.
  4. In the OAIC’s view, while the Privacy Act applies specifically to the handling of personal information, in practice, strong privacy compliance is likely to uplift the data security capability of entities generally. This is because most entities collect and hold some personal information and many are likely to have information handling processes or systems that cover all types of information that they hold.
  5. The OAIC considers the Action Plan presents an opportunity to strengthen trust among individuals in how data is managed and stored, and to support the expansion of the digital economy. Trust is fundamental as individuals engage with government and businesses, and Australia’s digital economy grows. Australians want to know that their data and personal information are secure, especially as we conduct more of our lives online and through digital platforms. Australians will have greater confidence in engaging online if they know that their data is being handled and stored securely in accordance with clear and consistent data security standards.
  6. To encourage this trust and to ensure transparency, it is vital that all Australians know how their data is managed, stored and secured. Australians should also be able to rely on entities to secure their personal information appropriately.
  7. The OAIC’s Australian Community Attitudes to Privacy Survey 2020 (ACAPS) report shows there has been a general downward trend in trust since 2007. Trust in businesses in general is down by 13%, with the social media industry being rated the most untrustworthy in how it protects personal information.[2] Between 2007 and 2020, there was a 14% decline in trust in how the Australian Government handles personal information.
  8. The ACAPS report found that privacy is a major concern for the majority of Australians (around 70%).[3] The survey found that Australians are more comfortable with the government using their personal information than businesses.[4] However, most individuals (83%) would like government to do more to protect the privacy of their data.
  9. This study has important findings in the context of the Action Plan. The OAIC’s research demonstrates declining levels of trust among the community and a desire for the government to do more to protect individuals’ personal information.
  10. It is clear that privacy is a critical aspect of uplifting data security in Australia. The current review being undertaken into Australia’s Privacy Act provides an opportunity to ensure that Australia’s privacy protections are working and unlock the corresponding benefit to data security.

Reforming Australia’s Privacy Act

  1. The Discussion Paper acknowledges that the current review of Australia’s Privacy Act and consideration of an Online Privacy code are initiatives that are relevant to achieving the stated aims of the Action Plan.
  2. The OAIC submits that the Privacy Act Review presents an opportunity to ensure that Australia’s Privacy Act remains fit for purpose in an increasingly global, digital world. Getting the settings right in the Privacy Act will be central to any Action Plan, and will impact the effective delivery of related data and digital strategies.
  3. The OAIC takes this opportunity to highlight some of our recent recommendations to the Privacy Act Review, which have direct relevance to achieving the Action Plan.

Improving data security practices among SMEs

  1. The Discussion Paper identifies that small and medium-sized businesses (SMEs), due to the increase of digital commerce, are collecting an increasing amount of personal and sensitive information. Small businesses are generally not subject to the Privacy Act. [5] At the same time, small and medium-sized businesses may have less mature security and data management systems and practices, and be the victims of data breaches and ransomware attacks, impacting the overall data security capabilities of Australia’s private sector.
  2. In our submission to the Privacy Act Review, the OAIC expressed support for the removal of the small business exemption in the Privacy Act on the basis it is no longer appropriate, given the increased privacy risks posed by small businesses in the online environment.[6] The Action Plan sought views on the alignment with international data protection standards. The OAIC notes the current small business exemption in Australia’s Privacy Act has historically been one of the major challenges for Australia in seeking adequacy under EU data protection law.[7]
  3. The OAIC reiterates this view in the context of the proposed Action Plan. We note that there may be benefit in SMEs being treated the same way as larger businesses in relation to the national data security regime. Given they hold increasingly large volumes of personal information, the protection of this, and other data relating to Australians, is paramount to securing individuals’ trust in participating in the digital economy.

Higher privacy standards to support individuals

  1. The Discussion Paper notes that individuals have rights, roles and responsibilities when it comes to ensuring their data is secure.
  2. Entities in the digital economy are collecting more information than ever before, and many are basing their business model around the collection, use and disclosure of personal information. Data handling is increasingly complex, making it difficult for individuals to understand and control the ways in which their personal information is being handled. In an environment where there has been an exponential increase in the collection, use and disclosure of personal information as part of standard business models, and where consumer information about those practices is long, complex and difficult to navigate, it is inappropriate for businesses to rely on that asymmetry to place the full responsibility on individuals to protect themselves from harm.
  3. Further, a large proportion of all school, work and social activities are taking place in the online environment, which means that individuals cannot opt out of digital services if they want to continue engaging meaningfully in society.
  4. In our submission to the Privacy Act Review, the OAIC submitted that the burden of understanding and consenting to complicated information handling practices should not fall on individuals.[8]
  5. Instead, the OAIC considers that the general standard of personal information handling across the economy needs to be raised – government and businesses should be required to take proactive steps to ensure their practices are appropriate, fair and proportionate.
  6. This includes making APP entities more proactively accountable for their information handling practices. By raising the standard of data handling, individuals can have greater confidence that they will be treated fairly when they choose to engage with a service. This would prevent consent being used to legitimise handling of personal information in a manner that, objectively, is unfair or unreasonable.
  7. As part of our submission to the Privacy Act Review, the OAIC recommended establishing a positive duty on organisations to handle personal information fairly and reasonably and to require regulated entities to take a proactive approach to meeting their obligations as the parties best equipped to understand their complex information handling flows and practices.[9]
  8. The OAIC views this proposed reform as providing a new keystone for the Privacy Act, which will also have the added benefit of contributing to many of the stated objectives in the Action Plan. The introduction of a central obligation to collect, use and disclose personal information fairly and reasonably would provide a new baseline for privacy practice that meets community expectations, and helps to restore and build trust.
  9. The OAIC also suggested changes to privacy self-management mechanisms like notice and consent. In our view, these reforms will raise the standard of data handling and help prevent harms. These changes will also remove the privacy burden from individuals, by providing the same assurances to people who share their personal data as to those provided through well-established workplace and consumer safeguards. This will allow individuals to engage with products and services with confidence that – like a safety standard – privacy protection is a given. It also provides the flexibility needed by entities to innovate and contribute to a thriving digital economy.

Need for harmonisation across states and territories

  1. The Discussion Paper notes that privacy legislation across state, territory and municipal governments, where applicable, is not entirely harmonised resulting in inconsistent data security practices, which in turn poses a challenge for industry. We note that currently, some states and territories do not have privacy laws at all while other states and territories might have privacy laws, but have different requirements.[10]
  2. As part of our submission to the Privacy Act Review, the OAIC recommended that the harmonisation of privacy protections should constitute a key goal in the design of any federal, state or territory laws that concern privacy issues.
  3. One of the objects of the Privacy Act is to provide the basis for nationally consistent regulation of privacy and the handling of personal information. Alignment of rights and obligations with the Privacy Act would ensure that Australians’ personal information is subject to similar requirements whether that personal information is handled by an Australian Government agency, a state or territory government agency, or private sector organisations. Consistency in regulation across domestic jurisdictions will not only reduce compliance burdens and cost but also provide clarity and simplicity for regulated entities and the community. National consistency, therefore, should be a key goal in the design of any state or territory laws that purport to address privacy issues.[11]
  4. To assist in achieving this, the OAIC has suggested that any state or territory laws that concern privacy issues should be commensurate with those under the Privacy Act. Establishing a Commonwealth, state and territory working group to harmonise privacy laws might assist in delivering this outcome.
  5. The NDB scheme provides a clear example of the intersection of data breaches affecting multiple entities, including state and territory government agencies and entities covered by the Privacy Act. The fragmentation of responsibilities and rights occurs when data breaches transcend borders under the current regime.
  6. The OAIC’s general position is that when a new state or territory data breach reporting scheme is created, to the extent possible, the tests and obligations on entities should align with requirements of the NDB scheme under the Privacy Act.
  7. A harmonised approach to data security standards across state and territory jurisdictions would have clear benefits for individuals, government and industry and would resolve inconsistency in the security of personal and sensitive information. This would, in turn, help to ensure consistently high practices in relation to how data is handled and stored.

Biometrics

  1. The Discussion Paper references biometric information and identifies the discrepancies that currently exist where this data is subject to different data security standards. For example, the paper mentions driver licences which span multiple jurisdictions and are stored and secured inconsistently.
  2. As noted above, the OAIC is supportive of harmonising privacy protections across Commonwealth, state and territory laws.
  3. It is important to recognise that biometric information is a special subset of data that warrants particular protection on the basis that it is sensitive, pervasive and enduring.[12]
  4. The OAIC’s ACAPS report found that two-thirds (66%) of Australians are reluctant to provide biometric information to a business, organisation or government agency. In relation to the collection and use of biometric information, half of Australians (48%) consider government trustworthy while under a quarter (23%) consider businesses trustworthy.[13]
  5. The appropriate regulation of biometric data and information is an area of increased focus in Australia and around the world. As the OAIC noted in our submission to the Privacy Act Review, the use of automated biometric identification and verification systems has been an important focus for the OAIC.[14] In 2021, the Commissioner issued two significant determinations against Clearview AI Inc. and 7-Eleven Stores Pty Ltd, which concerned the use of facial recognition tools.[15]
  6. The 42nd Global Privacy Assembly (GPA) in 2020 saw the OAIC join with privacy regulators around the world as a signatory to a resolution on facial recognition technology, which among other things noted the importance of:

    "Transparency and accountability about the use of personal data and its governance in facial recognition applications, and applicable rights for individuals, including in provision of the technology to and their use by law enforcement agencies".[16]

  1. The OAIC is supportive of biometric information being considered outside the Action Plan and in consultation with the OAIC, given its unique nature.
  2. Further, given the OAIC’s expertise and the sensitive nature of biometric information and facial recognition technology, we recommend that Home Affairs consult with the OAIC regarding the development of any data security standards which apply to this type of data.

Alignment with international data security frameworks and cross-border data flows

  1. The Discussion Paper invites stakeholder feedback on how Australian Government guidance can be aligned with international data protection and security frameworks, and whether the European Union’s GDPR could apply to Australia’s practices.
  2. Data increasingly flows across borders as the digital economy develops. It is important for privacy regulation to create appropriate and interoperable frameworks that enable the efficient movement of data across borders, while providing strong protections for individual’s personal information. This alignment can facilitate engagement of multinational businesses in the Australian economy by creating predictable, globally aligned privacy requirements. Interoperable frameworks will also support effective cross-border regulation.
  3. However, interoperability does not necessarily mean adopting other laws in totality in Australia. Instead, it is important to consider how to create consistently high privacy standards globally, and how to determine what elements may suit the Australian economy to support global consistency.
  4. As outlined in our submission to the Privacy Act Review, the OAIC encourages consideration of international frameworks to ensure that Australia’s framework is comparable, whilst also ensuring it reflects the unique circumstances and expectations of Australians.  The OAIC has referenced in our submission to the Privacy Act Review where there are aspects of other legal frameworks, including the GDPR, which are appropriate to be adopted or adapted in the Australian context. Incorporating these elements into domestic law through the Privacy Act Review will facilitate appropriate global consistency, ensure high privacy standards and that the protections afforded in Australia follow the data wherever it flows.
  5. The OAIC can provide details related to global privacy frameworks and seeks to be consulted further on these issues, including where Australia may benefit from closer alignment as the Action Plan is developed.

Conclusion

  1. We consider that a strong national data security regime and consistent data security standards for all Australians support, and are supported by, the Privacy Act.
  2. The development of a National Data Security Action Plan presents an opportunity to build public trust by ensuring Australians are aware of how data will be managed and stored at all levels of government and by industry. Privacy is an integral part of data security and can be used to strengthen a national uplift in data security practices.
  3. The proposals in the Action Plan should be considered in the context of the Privacy Act Review in order to ensure consistency in how Australians’ data – including personal information – is used, disclosed, handled and stored. The recommendations in our submission to that review strongly support the objectives of the Action Plan, including improving data security among SMEs and providing higher privacy standards to support individuals.
  4. In addition to this, sensitive information, including biometric information, needs to be considered in the broader context of these reforms.
  5. We look forward to contributing to the development of the Action Plan over coming months in conjunction with the OAIC’s participation in future Australian Government security initiatives.[17]
  6. We welcome further engagement with the Department of Home Affairs as they give consideration to the implementation of the Action Plan and undertake the harmonisation of data security standards.

Footnotes

[1] OAIC, Privacy Act Review Discussion Paper submission, OAIC, 2021, accessed 26 May 2022.

[2] 70% consider the social media industry to be untrustworthy.

[3] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, OAIC, 2020, accessed 26 May 2022.

[4] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, OAIC, 2020, pp 32–33, accessed 20 May 2022.

[5] See Privacy Act, s 6D(2).

[6] OAIC, Privacy Act Review Discussion Paper submission, OAIC, 2021, p 49, accessed 26 May 2022.

[7] See Opinion 3/2001 on the level of protection of the Australian Privacy Amendment (Private Sector) Act 2000 of Article 29 Data Protection Working Party and Article 45 GDRP.

[8] OAIC, Privacy Act Review Discussion Paper submission, OAIC, 2021, p 80, accessed 26 May 2022.

[9] OAIC, Privacy Act Review Discussion Paper submission, OAIC, 2021, p 10, accessed 26 May 2022.

[10] Western Australia and South Australia do not have specific privacy legislation.

[11] OAIC, Privacy Act Review Discussion Paper submission, OAIC, 2021, p 228, accessed 20 June 2022.

[12] Section 6 of the Privacy Act defines biometric information that is to be used for the purpose of automated biometric verification or biometric identification or biometric templates as sensitive personal information.

[13] Lonergan Research, Australian Community Attitudes to Privacy Survey 2020, OAIC, 2020, pp 81-83, accessed 20 May 2022.

[14] OAIC, Privacy Act Review Discussion Paper submission, OAIC, 2021, p 108, accessed 26 May 2022.

[15] The Clearview AI, Inc. determination came after a joint investigation between the OAIC and the UK ICO, see [2021] AICmr 54 (14 October 2021). The 7-Eleven Stores determination found the respondent has interfered with the privacy of individuals whose facial images and faceprints it collected through its customer feedback mechanism, see [2021] AICmr 50 (29 September 2021).

[16] General Privacy Assembly, Adopted Resolution on Facial Recognition Technology, GPA website, October 2020, accessed 23 May 2022.

[17] The OAIC will also be making a submission to the Australian Data Strategy by 30 June 2022.