Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Defining the sensor society

Presentation by Timothy Pilgrim, Privacy Commissioner, to the 'Defining the Sensor Society Conference' at University of Queensland, Brisbane, 8 May.

Introduction

I would like to begin by acknowledging the traditional owners of the land on which we meet today, and to pay my respects to their elders, both past and present.

It’s a pleasure to be here to speak to you today for Privacy Awareness Week, especially with so much going on in the privacy sphere lately.

Defining the sensor society is an ambitious and important topic for a two day conference. As Australia’s Privacy Commissioner, you will not be surprised to learn that, in my view, any discussion of this topic should have privacy and the protection of personal information at its core. And so I am encouraged to see that is the case in a number of the presentations that you will hear over the next two days.

Privacy is rarely out of the news these days. The media continues to report on exciting new technologies as well as on activities that raise privacy questions and fuel discussions — think of the News of the World revelations, and technologies like Google glass, drones and of course the debate around the US PRISM system.

It might be worth starting the day by setting up a framework for what is meant by privacy.

Article 17 of the International Covenant on Civil and Political Rights, to which Australia is a party, states that:

  1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
  2. Everyone has the right to the protection of the law against such interference or attacks.

This established privacy as a human right. The Australian Privacy Act 1988 seeks to protect it in the context of informational privacy, but the right to privacy is also balanced against other competing rights, like freedom of expression, which creates a complex relationship between privacy and the media. Law enforcement and national security are other factors that need to be taken into account and balanced against the right to privacy. Different groups of people will have different opinions on how these should sit in relation to each other, and where that balance should be, which is something that is receiving a lot of media and public attention at the moment.

So why is privacy important? One answer is that people need private space, and they need privacy to be free:

  • to behave and to associate with others without the threat of constant surveillance
  • to innovate, and to think, argue and act — the ingredients of any healthy democracy.[1]

Whichever way you look at it, people have the right to make choices and to exercise some control about their privacy, about how their identity is used and disclosed. Privacy is about protecting information about who we are, what we do, what we think, what we believe. It is important that organisations and the Government support people’s right to make the choices that work for them.

In Australia, privacy law is primarily concerned with the management and protection of personal information. The Privacy Act defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable.

Common examples of this include name, date of birth, address, medical or financial details. And now biometric information is included in the definition of sensitive information, a subset of personal information.

But the Privacy Act is not a catch-all — it doesn’t cover the acts of individuals or small businesses, and there are a lot of areas commonly associated with privacy that are not a part of current privacy legislation. Surveillance, for example, is covered by a different set of laws around the States and Territories, as well as nationally.

Defining the sensor society

People clearly remain extremely sensitive about how governments handle their personal information. The release of information relating to the US PRISM system reignited an important and complex debate about the collection of personal information for the purpose of national security. While privacy laws around the world recognise that in democratic societies such as ours privacy cannot be absolute, it is even more important that where collection of individuals' personal information occurs for the broader interests of the community, there is as much transparency of these activities as possible. There is also need for the information to be protected in terms of strictly limiting its use, destroying unnecessary information in a timely way and ensuring that those entities with access to the information are subject to strict protocols and oversight by independent bodies. Greater transparency of these activities would help to go some way in engendering increased community trust.

It is 65 years since the publication of George Orwell’s dystopian novel 1984 and its vision of the superstate Oceania, a world of omnipresent government surveillance and public manipulation. We are now 30 years beyond 1984 but the concept still resonates, and remains a key theme in movies, books and TV shows — you only have to think of the plot lines of the blockbusters Enemy of the State, Minority Report and the Bourne series, to name just a few, not to mention pop culture references in TV shows like the Simpsons and Futurama, to see how interested people are in these issues. There is even a play about privacy currently playing in the West End in London. These more contemporary representations reflect what we know and are talking about today, the sensor society is not just about government surveillance.As the brochure for the conference suggests, we are surrounded by sensors: our cars collect detailed information about our driving habits and destinations; our smart phones gather a growing array of increasingly detailed and comprehensive information about our communication activities and more. There are now more than a billion users of Facebook, and the number of devices that are connected to the internet is rapidly approaching a trillion. New methods of harnessing this connectivity are appearing everyday — apps that allow you use your phone to get cash out of an ATM, apps that allow you to pay for a taxi without getting your card, or even your wallet, out. The growing network of sensors contributes to a fast-growing stream of data about everything from the weather to the details of our personal lives and our movements throughout the course of the day.

The shift to ubiquitous, expanding and accelerating data collection marks important changes in our understandings of surveillance, information processing, and privacy in the digital era. A recent discussion paper by the Australian Law Reform Commission into serious invasions of privacy in a digital era includes a lengthy section of emerging threats to privacy. This section engages with some very topical privacy issues, such as surveillance, but also around coverage of the Privacy Act — in the technological world that we now live in, it is increasingly individuals that pose risks to the privacy of other individuals — through personal surveillance, through social media and the online environment. This makes the question of how individuals can protect their privacy a difficult one, and certainly one that will require more discussion at all levels.

New technology and privacy are increasingly connected and more complex interactions and questions are coming up every day.

In the last year, our office has been involved in a lot of discussions about new technology and the privacy implications.

I recently provided a briefing to a Senate committee about the privacy implications of drone. Drones are one example of a privacy issue that is quickly coming to the fore, but the issue is complicated by the fact that they can easily be owned and operated by individuals, which is not covered by the requirements of the Privacy Act.

The need for a coordinated approach

While such technology captures the community's attention it also captures the attention of privacy regulators globally. During the year privacy regulators around the world continued to foster greater international cooperation in the light of such developments. Through forums such as the Global Privacy Enforcement Network, the APEC Cross Border Privacy Enforcement Arrangement and regional groupings of Privacy Regulators such as the Asia Pacific Privacy Authorities Forum, concerted efforts were undertaken to build a coordinated approach to regulating the protection of personal information.

During the last year we joined with privacy regulators from around the world to engage with Google about the potential privacy concerns around the development and use of Google Glass. We also participated in the Global Privacy Enforcement Network internet sweep, where regulators from around the world chose one week to target and assess the privacy policies on high traffic websites and mobile apps.

During this sweep we looked at the 50 most trafficked websites in Australia and found that most of them had issues with the readability, findability, relevance and length of their privacy policies. We will be participating in the sweep again this year — it will be taking place next week, and we will be looking at key mobile apps. With the changes to the requirements for privacy policies due to law reform, we are hoping to see an improvement in the quality of privacy policies.

Community attitudes

The Community attitudes to privacy survey that we conducted last year shows that Australians are increasingly aware of their privacy rights and are increasingly expecting the highest standards from both business and government.

  • 63% Australians have decided not to deal with a private or public sector organisations due to concerns over the way their personal information is handled. This is an increase from 40% 5 years ago.
  • 69% of Australians are uncomfortable with advertising being targeted at them based on their online activities.
  • 78% of people are uncomfortable with their being databases of information based on what they say and do online
  • 33% of Australians reported having had a problem with the way their personal information had been handled in the previous 12 months
  • 95% of people think that government and business should inform them how their personal information is handled and protected
  • 96% of people think that government and business should tell them if their personal information is lost.

I thought I would take 2 minutes here to show you the animated infographic that was made of the results of the survey, which you might be interested in.

[Community attitudes to privacy video]

This increase in privacy awareness and concern is supported by what we are seeing in enquiries and complaints to our office. Since the commencement of our office there has been a gradual but steady increase in the number of privacy complaints we have received.

In the 2012–13 year we received over 12,000 privacy enquiries and 1496 privacy complaints. So far in this financial year to date we have already received 12,000 privacy enquiries and 3000 complaints.

Law reform

I thought I would finish today by talking a little bit about law reform — the changes to Australian privacy law that came into force on 12 March this year. A lot of the topics that will be discussed at this conference are not covered by the Privacy Act, but these the changes that result from law reform are large and significant, and you can’t talk constructively about privacy issues without an accurate understanding of the how that particular Act works, and what it covers.

There are a lot of changes to process for businesses and government due to the Australian Privacy Principles, and a lot of those will have a direct impact on individuals as consumers of services, whether in regards to new rights or a change in the way a service provider interacts with you. There are a few key new areas for individuals which I thought might be useful to outline.

Openness

The first is openness. Under the new laws, businesses and government agencies that are covered by the Privacy Act have greater responsibility to manage information in an open and transparent way.

They must have a clearly expressed and up-to-date privacy policy explaining what they are going to do with your personal information. They should also be providing individuals with a ‘privacy notice’ when they collect personal information, which should give more specific information about why they are collecting your information and what they are going to do with it.

The Community attitudes to privacy survey that we ran last year shows that 13% of people never read the privacy policies on websites, and 62% of people only read them occasionally. I strongly encourage everyone to read privacy policies — a good privacy policy will tell you a lot that you need to know about what will happen to your personal information. We have just released a poster, which is available on our website, that gives some practical tips of what to look for in a privacy policy, and I strongly encourage you to read it. Equally, I strongly encourage organisations to make their policies accessible both in content and in format — there are many techniques available to improve the comprehensibility of this kind of communication, such as the use of graphics or videos.

Your identity

The second key issue is about identity privacy. You now have the right to deal with any organisation that is covered by the Privacy Act, whether public or private sector, anonymously or using a pseudonym. Obviously there are some circumstances where this will not be appropriate and you will have to prove your identity, but this option exists for all people in a lot of situations.

Direct marketing

The third area that is likely to impact on individuals in is regards to direct marketing. Entities are only allowed to use or share your personal information for direct marketing in very specific circumstances. They must also provide you with a simple method of opting out of receiving direct marketing, and to tell you where they got your information from if you ask them.

Disclosing personal information overseas

The forth significant area of change in is cross-border disclosure, where your personal information is disclosed to an organisation outside of Australia. Under the APPs, if your personal information is disclosed overseas, the Australian entity remains responsible for how it is handled. There are some exceptions to this, but overall this new requirement puts a higher onus of responsibility on entities who disclose your personal information.

Access and correction

The last area that is substantially affected by the APPs is your right to access your personal information and have it corrected if necessary. Generally speaking, if you ask an entity for access to your personal information they have to provide it within a reasonable period of time, which the OAIC considers to be within 30 days.

If an entity refuses to give you access or to correct your personal information, they must give you written notice outlining the reasons for their refusal.

The OAIC has just published a fact sheet called ‘How changes to privacy law affect you’ and I strongly recommend that you read it. You can’t enforce or protect your rights if you don’t know what they are — privacy is about respect for the protection of all of our personal information. That is information that says who we are, what think, believe, feel, what we have done and what we want to do. Protecting privacy is about respecting the dignity of individuals.

Other people and organisations make decisions about us based on what they think they know about us through this information. That impacts each of us as we go about our daily lives. Privacy is a complex issues but the aim of privacy law is to help us set the boundaries and expectations initially through transparency of business practices to build awareness and through that trust. This should allow businesses and government to go about their legitimate activities while the community can expect their privacy to be respected.

Footnotes

[1] R Clarke, What’s ‘Privacy’? (2004) Australian National University <www.anu.edu.au/people/Roger>