Skip to main content
Skip to secondary navigation
Menu
Australian Government - Office of the Australian Information Commissioner - Home

Privacy matters

Presentation by Timothy Pilgrim, Privacy Commissioner, to the 'Privacy matters' public lecture at Griffith University, Brisbane, 8 May.

Introduction

I would like to begin by acknowledging the traditional owners of the land on which we meet today, and to pay my respects to their elders, both past and present.

It’s a pleasure to be here to talk to you this morning about some of the changes to the Privacy Act that came in on 12 March, but also to talk to you about privacy awareness more generally. And I understand that we’ll have time for some questions at the end so hopefully you’ve done your research.

It is probably worth starting today by asking ‘why is privacy important?’ Of course, the answer is complex, contextual and like the concept of privacy itself, ever changing. 

Of course identity security is one of the key answers to this question — in a technological and information age, issues like identity fraud and theft are an increasing problem. With the sheer volume of personal information that is stored electronically these days, protecting your privacy in the online environment is both necessary and just common sense. But there is also a larger point about the importance of privacy.

One answer to the question is that people need private space, and they need privacy to be free:

  • to behave and to associate with others without the threat of constant surveillance
  • to innovate, and to think, argue and act — the ingredients of any healthy democracy.[1]

One of the purposes of the Privacy Act is to support and maintain Australia’s obligations to the International Covenant on Civil and Political Rights, where article 17 says:

  1. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
  2. Everyone has the right to the protection of the law against such interference or attacks.

Privacy is a human right, the Privacy Act seeks to protect it, but the right to privacy is also balanced against other competing rights, like freedom of expression, which creates a complex relationship between privacy and the media. Law enforcement and national security are other factors that need to be taken into account and balanced against the right to privacy. Different groups of people will have different opinions on how these should sit in relation to each other, and what this balance should be, which is something that is receiving a lot of media and public attention at the moment.

However, a fundamental point is that people have the right to make choices and to exercise some control about their privacy, about how their identity is used and disclosed. Privacy is about protecting information about who we are, what we do, what we think, what we believe. It is important that organisations and the Government support people’s right to make the choices that work for them.

The scope of the Privacy Act

But it is important to note that the Privacy Act is not a catch-all — it doesn’t cover the acts of individuals or many small businesses, and there are a lot of areas commonly associated with privacy that are not a part of privacy legislation. Surveillance, for example, is covered by a different set of laws. However, the concept of privacy applies to a large range of issues, and how you have the right to make choices about your privacy that work for you.

New technology and privacy are increasingly connected and more complex interactions and questions are coming up every day.

In the last year, our office has been involved in a lot of discussions about new technology and the privacy implications.

An example is that I recently provided a briefing to a Senate committee about the privacy implications of drones. Drones are a privacy issue that is quickly coming to the fore, but the issue is complicated by the fact that they can easily be owned and operated by individuals, which is not covered by the requirements of the Privacy Act.

While such technology captures the community's attention it also captures the attention of privacy regulators globally. During the year privacy regulators around the world continued to foster greater international cooperation in the light of such developments. Through forums such as the Global Privacy Enforcement Network, the APEC Cross Border Privacy Enforcement Arrangement and regional groupings of Privacy Regulators such as the Asia Pacific Privacy Authorities Forum, concerted efforts were undertaken to build a coordinated approach to regulating the protection of personal information.

During the last year we joined with privacy regulators from around the world to engage with Google about the potential privacy concerns around the development and use of Google Glass. We also participated in the Global Privacy Enforcement Network internet sweep, where regulators from around the world chose one week to target and assess the privacy policies on high traffic websites and mobile apps.

During this sweep we looked at the 50 most trafficked websites in Australia and found that most of them had issues with the readability, findability, relevance and length of their privacy policies. We will be participating in the sweep again this year — it will be taking place next week, and we will be looking at key mobile apps. With the changes to the requirements for privacy policies due to law reform, we are hoping to see an improvement in the quality of privacy policies.

The key thing to note about privacy legislation in Australia is that the Privacy Act covers information privacy, and specifically regulates the handling of ‘personal information’.

Personal information is information, whether true or not, that identifies, or could reasonably identify you. This includes things like name, date of birth and address, but it also includes things like opinions and photos.

The federal Privacy Act is technology neutral principles-based legislation that came into force in the federal public sector in 1989, and extended to include parts of the private sector in 2000. Unlike other legislation, the Privacy Act is generally not prescriptive, dictating specific processes, but instead sets out a series of privacy principles that organisations must comply with in regards to the way they handle personal information.

Although the legislation is technology neutral, 25 years is a long time, especially when you consider how quickly technology has changed in the last 5 to 10 years, and continues to change. The recent reforms to the Privacy Act that came into effect on 12 March aim to take into account the way that this has impact on information handling and management, with changes to rules around transparency, information security, cross-border disclosure and direct marketing.

Part of the changes include the replacement of the two separate privacy principles for the public and private sectors with a single set that are consistent across all organisations that are covered by the Act — the Australian Privacy Principles (or APPs).

Law reform also introduces some significant changes to credit reporting rules as well as stronger enforcement powers for our office. You may have heard about the changes to our enforcement powers in the media lately. We are now able to issue enforceable undertakings, even for issues we have investigated on our own initiative. An enforceable undertaking can require an entity to take, or to stop, a certain action or process. We are also able to issue fines of up to 1.7 million dollars for serious or repeated breaches of privacy.

Law reform

There are a lot of changes to process for businesses and government due to the APPs, and a lot of those will have a direct impact on you as consumers of services. There are a few key new areas for individuals that can be drawn out of the changes.

Openness

The first is openness. Under the new laws, businesses and government agencies that are covered by the Privacy Act have greater responsibility to manage information in an open and transparent way.

They must have a clearly expressed and up-to-date privacy policy explaining what they are going to do with your personal information. This policy must explain the kinds of personal information they collect and use, what they are going to do with it, and whether they are likely to disclose it overseas. They must also say how you can access and correct your personal information and make a privacy complaint.

They should also give you a ‘privacy notice’ when they collect your personal information, which will give you more specific information about why they are collecting your information and what they are going to do with it.

The Community attitudes to privacy survey that we ran last year shows that 55% of young people don’t read the privacy policies on websites. I strongly encourage you not to be one of those people — a good privacy policy will tell you a lot that you need to know about what will happen to your personal information. We have just released a poster, which is available on our website, that will give you some practical tips of what to look for in a privacy policy, and I strongly encourage you to read it.

Your identity

The second key issue is about your identity. You now have the right to deal with any organisation that is covered by the Privacy Act, whether public or private sector, anonymously or using a pseudonym. Obviously there are some circumstances where this will not be appropriate and you will have to prove your identity, but this option exists for all people in a lot of situations.

Direct marketing

The third area that is likely to impact on you as individuals in is regards to direct marketing. Organisations are only allowed to use or share your personal information for direct marketing in very specific circumstances. They must also provide you with a simple method of opting out of receiving direct marketing, and to tell you where they got your information from if you ask them.

Disclosing personal information overseas

The forth significant area of change in is cross-border disclosure, where your personal information is disclosed to an organisation outside of Australia. Under the APPs, if your personal information is disclosed overseas, the Australian entity remains responsible for how it is handled. There are some exceptions to this, such as when you specifically consent to it being disclosed overseas, but overall this new requirement puts a higher onus of responsibility on entities who disclose your personal information.

Access and correction

The last area that is substantially affected by the APPs is your right to access your personal information and have it corrected if necessary. Generally speaking, if you ask an entity for access to your personal information they have to provide it within a reasonable period of time, which the our office considers to be within 30 days.

If the information they hold about you is incorrect, and can request and gain a correction. Again, this must take place within a reasonable period of time.

If an entity refuses to give you access or to correct your personal information, they must give you written notice outlining the reasons for their refusal.

We have just published a fact sheet called ‘How changes to privacy law affect you’ and I strongly recommend that you read it. You can’t enforce or protect your rights if you don’t know what they are.

Credit reporting

The credit reporting system is also an area that has changed significantly under law reform. The ability to get credit is something people often take for granted, but if something goes wrong it’s usually at the worst possible time.

Some aspects remain the same, and some are different, but the key things to remember are:

  • You have the right to access and request corrections to the information held about you by credit reporting bodies and credit providers like banks.
  • In some cases if you are more than 14 days late on a bill, this information may be added to your credit report — this is your repayment history. This is NOT the same as a default.
  • If you are more than 60 days late on a bill, this is a default. If the credit provider has followed a certain procedure it may be recorded on your credit report.
  • A default cannot be recorded for an amount that is less than $150, or if you are under 18.
  • A ‘credit repair’ agency cannot get information that is correct removed from your credit report.
  • If there is incorrect information in your credit report, you can directly request a correction — you do not need to use a ‘credit repair’ agency for this.

We have just published a series of 16 fact sheets about credit reporting. These provide a summary of all the different aspects of the credit reporting system. Don’t let the number of fact sheets put you off — we have deliberately split the information into single issues fact sheets so that you can easily find just the information that you are looking for.

Awareness

I’d like to finish up today by talking about some current issues in privacy, as well as about community awareness. In the age of big data, social media and cloud computing, it is increasingly important that people think about the concept of privacy and what it means to them. I am concerned that people aren’t considering the potential risks of disclosing too much personal information, particularly when engaging online.

I spoke briefly before about online identity security — one of the issues closely associated with this is managing your digital identity. Your digital identity is made up of a thousand tiny pieces of information that is available about you online, whether on professional networking sites like LinkedIn, in publically available photos, in social media posts and in information about you that is shared by other people. This information can be added up to form a comprehensive and identifiable profile of you that may be used by anyone from prospective employers to direct marketing organisations. Your digital identity is real and it is almost impossible to change, so you need to consider how you want to be seen, now and into the future.

The Community attitudes to privacy survey showed that young people consider online services, including social media, to be the biggest privacy risk we face today. 60% of respondents aged 18–25 were of this opinion, but despite this, 33% of them have regretted something that they posted on social media. It is also worth noting that only 9% of Australians consider the social media industry to be trustworthy.

Australians are increasingly conscious of privacy issues – 82% of people said they knew of the existence of federal privacy laws, and 33% of Australians said that they had a problem with the way their personal information was handled in the last year. This is supported by the ever increasing number of privacy enquiries and complaints that we receive. In the 2012–13 financial year we received 1496 privacy complaints and 12 602 privacy enquiries. Already, in the current year so far we have received about 3000 complaints and 12,000 privacy enquiries.

Our office is also receiving an increasing number of voluntary data breach notifications — this might not seem like a good thing, but the previously low numbers of data breach notifications probably indicated a failure to report them, rather than a lower number of data breaches.

Australians are consistently in support of a greater level of transparency from both government agencies and businesses when it comes to information handling — 95% of people believe that they should be informed how their information is handled and protected, and 96% of people believe that they should be informed if their personal information is lost.

I thought you might be interested to see the animated infographic video that we made with the sponsors of the community attitudes project.

[Community attitudes to privacy video]

If you’re interested in knowing a bit more about community awareness and attitudes to privacy, there is a comprehensive research report available on our website.

Conclusion

Privacy is about respect for the protection of all of our personal information. That is information that says who we are, what we think, believe, feel, what we have done and what we want to do. It is about respecting the dignity of individuals.

Other people and organisations make decisions about us based on what they think they know about us through this information. That impacts each of us as we go about our daily lives. Privacy is a complex issues but the aim of privacy law is to help us set the boundaries and expectations initially through transparency of business practices to build awareness and through that trust. This should allow businesses and government to go about their legitimate activities while the community can expect their privacy to be respected.

More and more of our everyday interactions have a potential impact on privacy and that will only continue to increase, as technological solutions to information management become more and more innovative. This in itself is not a problem, but it means that we have to become more aware and more vigilant about how our personal information is used and disclosed. Familiarity can often breed complacency, but it is up to you to control your privacy. Privacy is important, and once lost, it is almost impossible to get back. 

Footnotes

[1] R Clarke, What’s ‘Privacy’? (2004) Australian National University <www.anu.edu.au/people/Roger>