Australian Government - Office of the Australian Information Commissioner

Privacy: the state of play

Presentation by Privacy Commissioner, Timothy Pilgrim, to iappANZ Summit, Monday 17 November 2014.

Good morning, everyone. I would like to begin by acknowledging the Gadigal people of the Eora Nation, the traditional custodians of this land and pay my respects to their Elders both past and present.

The annual iappANZ conference is a great chance for all of us, as privacy professionals, to reflect on key issues that have come up in the last year and our response to those issues, and to make plans for the year ahead.

It’s also a great opportunity to discuss what everyone in the privacy community is doing, and to draw on their ideas so that we can innovate and engage in a field that has to be responsive before all else.

For our Office, the last 12 months have been about preparing for and implementing law reform, about dealing with a huge increase in work coming into our office, and about dealing with a certain, significant Government decision.

But more than that, we have spent the last 12 months engaging with business, Government, individuals, and all the time, working closely with people and organisations that approach privacy often from very different angles.

We have all spent a lot of time and energy over the last few years trying to get across the message that, far from being on the wane, the relevance of privacy is increasing, becoming more complex, and more intertwined in everything that we do, in all the decisions that we make, and in all business and Government processes.

Far from being irrelevant in the online age, privacy is now embedded in, and fundamental to, everything that we do: the very nature of the technological developments that facilitate communication, storage, use, aggregation and engagement makes it so.

And it is the community’s increasing participation in the online economy, where they are constantly being asked to hand over their personal information, that is making them more acutely aware of the value of their personal information and the importance of protecting it.

I think that that message is starting to be heard, and anyone who thought they were busy before should take a deep breath, because we’ve barely scratched the surface.

The International Conference of Data Protection and Privacy Commissioners was held in Mauritius recently, and the focus of the Conference’s declaration was on the Internet of Things. But more than that, it, and the conference, was about the complexity of information in today’s world — big data, personal information, inter-connectivity, global regulation and enforcement.

I read an article recently that spoke about the “issue formerly known as privacy”.[1] The author of this article was saying that privacy is no longer about keeping information from others, it is actually about human relationships — privacy is about having assurances that the information about us that is available won’t be misused, or used against you. While I would certainly never say that people don’t have the right to control what information is shared and what isn’t, the issue of personal control, and, more broadly, trust, is at the core of what this writer was saying.

The Mauritius declaration says that personal development should not be defined by what business or the government know about you, and yet, the proliferation of the Internet of Things — the sheer volume of data that is collected about all of us every day — is increasing the risk that this is exactly what will happen.

As individuals we are all constantly struggling to find the balance between protecting our privacy and participating with others in this technological age. Often it is difficult to do both, or to fully understand the consequences of the decisions that we make. Big data is aptly named — no regular person can fully understand all the ramifications of providing what may seem like small and insignificant snippets of information in their day-to-day transactions. The potential uses of data, and the different ways that data may be aggregated in the future, are simply too many and too big to see from where we’re standing.

The Mauritius declaration coming out of this year’s International Conference states that ‘connectivity is ubiquitous’.[2] It is easy to see why the conference focussed on the Internet of Things — connectivity is ubiquitous, and the thousands of devices that we all use to make our personal and professional lives easier every day form a massive web, linking all of our actions, decisions and movements. The amount of data generated every day is simply too big to be controlled or even fully understood at an individual level.

What then of privacy protection?  The International Conference rightly noted that big data is a challenge to key privacy principles, by its very nature.  But when we begin to talk about the principles behind privacy, we can see that we already have the perfect tool in our hands for addressing this massive and multifaceted issue that privacy has become in the digital age.

Privacy is about principles.  It is about the principles of transparency, accountability, responsiveness.  Privacy legislation in Australia is specifically designed to be flexible to changing needs, changing community expectations and changing technologies, and this means that we are well placed to move with the times.

In the world we live in, we are being asked to share more and more personal information, particularly as we navigate the online world. And it’s easy to say that we have the choice whether or not we do this. But it’s simply not realistic to say that someone should just not use social media if they want to protect their privacy, that they should choose not to use a smartphone, or not to use email. These systems are built into how we interact and function as a society, and we, as privacy professionals and experts, need to ensure our approach to privacy is flexible enough to take this into account.

This brings us back to the issues of control, and trust. Privacy is not about secrecy, as you all well know.  Needing or wanting to share personal information does not decrease the need for privacy protections — on the contrary, it increases the necessity for them.  As individuals’ information is more broadly available in more places, and as more uses can be found for it, and as more profit can be generated from it, people are rightly concerned about protecting themselves.  At the same time, they have a legitimate expectation that Government and business will do that, that they will protect their information, and will be held accountable if they fail to do so.

As privacy professionals we have a responsibility to ensure that people are able to engage in the modern world with confidence and safety.  

What are we doing about it?

So, it is with this in mind that over the last 12 months, we have been meeting with a number of organisations, both in the public and private sectors, working to refine all of the guidance that we produce, and to provide guidance across the board.  

We want to help as much as possible — it would not achieve anything for us to say that we know privacy has become a part of every process, but then to step back and say ‘you deal with it’.

That’s clearly not how we work, and it’s not the approach we want to take. There is a reason our preferred method of resolving complaints is conciliation — we want to work with organisations to help them figure out what went wrong, so they can stop it from happening again.

This is the approach that we take with assessments as well. Formerly known as audits, we see assessments more as a working report card than as regulatory action.  Through assessments, we can identify privacy risks and areas of non-compliance, and can make recommendations to help organisations reduce those risks or address areas of non-compliance.  We have worked hard to bring organisations up to speed with the law, and the changes to the law, and over the next year we’re going to be testing their governance frameworks, to see if they’ve stepped up.

As you know, our office takes part in the annual Global Privacy Enforcement Network privacy sweep. In 2013, not long before law reform implementation, we took part in a sweep that looked at privacy policies on high traffic websites.

We assessed whether the privacy policies of the top 50 Australian websites, public and private sector, were ready to comply with APP 1.  You may have read our media release at the time, and will not be surprised to hear that most did not.

APP 1 is the bedrock principle that sets up all of the other practices, procedures and systems organisations need to have in place to meet their obligations.  If you get APP 1 right, you’ve got privacy governance right.  So, in the next 12 months we will be conducting assessments of the websites that we had identified for follow up action, checking for compliance with APP 1.  These websites, and organisations, fall across a range of sectors, including Government, finance and telecommunications — we will not be singling out a specific sector for attention, but we will be bringing our eye to bear on organisations that are the high risk or high volume users of personal information.

Regulatory Action Policy/Guide

This approach is indicative of our entire regulatory approach. We work with organisations, give guidance to assist them to comply and take regulatory action when and as necessary.

Earlier this year, we released a draft Privacy Regulatory Action Policy for consultation, and I’m delighted to announce that we are formally launching the policy today.  This policy explains the range of regulatory powers available to me, and formalises the approach our office has been taking in using these powers.

It is important to note that this policy doesn’t make a radical shift in our approach to regulation.  What it does is provide transparency about our existing approach, making it as clear as possible to organisations what our powers are, and what we see as our responsibilities in regards to using them.

Our Privacy Regulatory Action Policy seeks to achieve our regulatory objectives – promoting and ensuring the protection of personal information – in ways that are necessary and proportionate.

We are also working on a Guide to privacy regulatory action, and today we’re releasing a number of chapters of an exposure draft for consultation.  This guide complements the regulatory action policy by addressing the regulatory powers and giving stakeholders a more detailed explanation of how we will exercise each power.

The guide, read alongside the Regulatory action policy and the APP guidelines, will help your organisation to understand our expectations of you.

While we are generally required to investigate and attempt to conciliate complaints, we have the discretion to choose when to use our other privacy regulatory powers.  The Regulatory Action Policy sets out situations when we will select and target matters warranting regulatory action.  As you would expect, factors that we take into account in deciding whether to take action, and what action to take, include (but are not limited to) the seriousness of the situation, whether the organisation in question has been the subject of prior compliance or enforcement action, whether the conduct relates to a systemic issue, and whether they have taken appropriate steps to remedy the situation, and what these steps are.

In the case of a data breach, this includes whether the organisation attempted to conceal the breach, which will not be looked on favourably by our office.

We’ll also consider the risk that the issue poses to our goal of promoting and ensuring the protection of personal information, and whether taking privacy regulatory action presents an opportunity for promoting and ensuring best practice compliance.

The Policy also emphasises that, where possible, our preferred approach is to work collaboratively with organisations to encourage voluntary compliance with obligations, before enforcement action is taken.

The enforcement action options are based on an escalation model and include accepting an enforceable undertaking from the entity, making a determination, seeking an injunction (including to restrain an organisation from engaging in conduct while we investigate a possible contravention) or applying to court for a civil penalty order.  Finally, we will always endeavour to conduct our regulatory action in a timely manner, to minimise uncertainty and delay.

The Regulatory Action Policy is available on our website from today, and I’m sure you will find it a very useful resource.

Guide to securing personal information

But of course, it is far better to build compliance into your business processes, than to leave things to chance and end up meeting the regulatory side of our office.

With that in mind, our office is continuing to work on publications that are designed to help you build privacy compliance into your processes and your culture from step one. 

And an important one of these is our upcoming Guide to securing personal information.  This is an updated version of our Guide to Information Security, and it sets out examples of reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold.

In rewriting and refocusing this guide we held a public consultation so that we could ensure that it, as much as possible, met the needs of the organisations using it.  

We received a lot of feedback on this guide, which is great to see, with submissions covering a range of areas.  Some of the key areas addressed in submissions were the management of third party providers, the need to take into account the increasing shift towards the use of cloud service providers in both the private and public sectors, the use of Australian and international standards, and the importance of fostering a culture of personal information security.

In addition to updating it for the APPs, we are making some further updates to take account of the changing environment and the lessons we have learned.

We want to make sure organisations recognise the dynamic nature of information in the electronic age and that some, seemingly non-personal information, may become ‘personal information’ during the information life cycle, meaning that their obligations under the Privacy Act may change.

Further, limiting access to personal information in order to minimise the ‘trusted insider’ risk is an important mitigation strategy — we have seen a number of instances where staff have had access to information they did not need, which has resulted in mishandling of personal information.

Which brings me to the next point, which is the absolute necessity of designing and building in security measures that factor in the human element. There is always the chance of insider risk, of deliberate mishandling, but even more likely is that someone will make a mistake. Your staff are human, and humans make errors. Design your security measures for that eventuality.

This guide will be released soon, and if you saw my statement on the mandatory data retention proposal you will understand why this publication is so important.  As I have previously said on many occasions, any organisation that collects or holds personal information must ensure that they have security measures in place that are appropriate for the information they hold, which includes factoring in the risk and likelihood of it being breached, and mitigating against that.

Complaints and regulatory action

So I’ve been talking for quite a while about privacy generally, and why we’re all doing what we’re doing, and I think that’s really important, because without the broader context it is easy to get bogged down in the day-to-day of getting it done, but I’d like to talk briefly about some investigations that we’ve run recently, and also a little about complaints.  I want to do this because we don’t exist in a vacuum — and the issues that we addressed in these investigations are part of a broader system of privacy laws and community expectations.

Since March I’ve used my powers under section 52 to make five Determinations of individual privacy complaints, including one very recently against Telstra.

In this determination I awarded a complainant $18,000 for non-economic loss after Telstra failed to take reasonable steps to provide notice that his personal information would be published in the white pages.

This decision was published on our website about a fortnight ago, and although this may not relate to you, it relates to broader issues of notice and transparency, and I encourage you to take note of it.

Oh, and if you’re counting, the fifth one has been made and will be posted on our website over the next couple of days. So that will be three concerning organisations and two relating to Australian government agencies.

Whatever the sector, customers have a reasonable expectation of privacy, and in a time when information can be released and accessed quickly and easily, it is essential for you to consider the consequences of your business processes, and to act with transparency at all times. 

You may have also seen the report we published last week into the Department of Immigration and Border Protection data breach.  This was a Commissioner Initiated investigation.  This report resonates with a number of important and timely privacy issues, and I think that this case will have an impact for some time.

In case you aren’t familiar with it, in February the Department of Immigration and Border Protection published a statistical report with charts and tables that had been copied in from Excel spreadsheets and were still linked to the original data tables. The result was that approximately nine and a half thousand people’s personal information was available for download on the Department’s website. As I said in the report, this breach was particularly concerning given the vulnerability of the people concerned, and it highlights some important issues around risk mitigation.

If your systems and processes do not adequately address known privacy risks, then that is an accident waiting to happen. And this breach further demonstrates what I was talking about earlier in regards to the sheer scope of connectivity in the world that we live in today — it shows the enormous difficulties in effectively containing a breach where information has been published online.
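The breach just described turned on a property of Office documents that a pre-publication control can check for mechanically. A Word, PowerPoint or Excel file is a zip archive, and a chart pasted in from Excel commonly carries its source data in parts that never appear on the printed page: an embedded workbook under an `embeddings/` folder, cached series values inside the chart XML, and sometimes a relationship pointing at an external workbook. The scanner below is an added illustration written for this page, not a tool the Office of the Australian Information Commissioner or the Department publishes; the sample `.docx` it builds is constructed in memory for the demonstration and stands in for no real report.

```python
"""Pre-publication check for Office Open XML packages (.docx / .pptx / .xlsx).

An OOXML file is a zip archive. A chart pasted in from Excel usually carries
its source data in places invisible in the rendered document:

  * an embedded workbook part, e.g. word/embeddings/Microsoft_Excel_Worksheet1.xlsx
  * cached series values inside the chart part, e.g. word/charts/chart1.xml
    (<c:numCache> / <c:strCache> elements)
  * relationship (.rels) parts that point at an external workbook
    (TargetMode="External")

The scanner lists all three so a document can be held back until the data
is removed (for example by pasting charts as pictures).
"""
import io
import re
import zipfile

EMBEDDED_WORKBOOK = re.compile(r"^(word|ppt|xl)/embeddings/.+\.(xlsx|xlsm|xlsb|xls|bin)$", re.I)
CHART_PART = re.compile(r"^(word|ppt|xl)/charts/chart\d+\.xml$", re.I)
CACHED_SERIES = re.compile(r"<c:(numCache|strCache)\b")
EXTERNAL_TARGET = re.compile(r'TargetMode="External"')


def scan_ooxml(data: bytes) -> dict:
    """Return the parts of an OOXML package (given as bytes) that may leak source data."""
    findings = {"embedded_workbooks": [], "charts_with_cached_data": [], "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if EMBEDDED_WORKBOOK.match(name):
                findings["embedded_workbooks"].append(name)
            elif CHART_PART.match(name):
                if CACHED_SERIES.search(zf.read(name).decode("utf-8", "replace")):
                    findings["charts_with_cached_data"].append(name)
            elif name.endswith(".rels"):
                if EXTERNAL_TARGET.search(zf.read(name).decode("utf-8", "replace")):
                    findings["external_links"].append(name)
    return findings


def safe_to_publish(data: bytes) -> bool:
    """True only when every finding category is empty."""
    return not any(scan_ooxml(data).values())


def build_sample_docx(with_chart_data: bool) -> bytes:
    """Constructed minimal .docx for the demonstration (not a real report).

    With with_chart_data=True it mimics a report whose chart still carries the
    workbook it was pasted from, the cached series values, and an external link.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document><w:body/></w:document>")
        if with_chart_data:
            zf.writestr("word/_rels/document.xml.rels",
                        '<Relationships><Relationship Id="rId9" '
                        'Target="file:///C:/reports/source.xlsx" TargetMode="External"/>'
                        "</Relationships>")
            zf.writestr("word/charts/chart1.xml",
                        '<c:chartSpace><c:numCache><c:pt idx="0"><c:v>42</c:v></c:pt>'
                        "</c:numCache></c:chartSpace>")
            zf.writestr("word/charts/_rels/chart1.xml.rels",
                        '<Relationships><Relationship Id="rId1" '
                        'Target="../embeddings/Microsoft_Excel_Worksheet1.xlsx"/></Relationships>')
            zf.writestr("word/embeddings/Microsoft_Excel_Worksheet1.xlsx",
                        b"placeholder bytes standing in for the source workbook")
        else:
            # A chart stored as a picture carries no data part at all.
            zf.writestr("word/media/image1.png", b"\x89PNG placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, flag in (("report-with-linked-chart.docx", True),
                        ("report-with-picture.docx", False)):
        doc = build_sample_docx(flag)
        print(label, "->", "OK" if safe_to_publish(doc) else "HOLD", scan_ooxml(doc))
```

The check deliberately reports rather than strips: an automated rewrite of a document about to be published is itself a process risk, so the intended place for this is a publishing gate that refuses the file and hands it back to the author. Regular expressions over the part text are enough to detect the three patterns; a full XML parser is a reasonable substitute if the gate also needs to inspect the chart contents.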

Although we know that the report was only available on the Department’s website for about 8 days and in an online archive for about 16, and that it was taken down as soon as they were notified that the data was accessible, the point remains that the information was accessed a number of times, and there is no way to retrieve that information.

So far, we have received over 1600 complaints from individuals affected by this breach, and these complaints are ongoing.  A number of these were received in the 2013–14 financial year, and are reflected in the massive 183% increase in privacy complaints that we received last year, but the majority of them won’t be seen in our reporting until next year.

A very substantial amount of the increase in complaints is attributable to this and another significant data breach in the last year, which led to a large number of individual complaints being lodged with our office.  However, even if we take out the complaints from these two data breaches we still had a 100% increase in the number of complaints.

While there’s a degree to which this is bad — obviously it would be great if there was a drop in privacy issues and a related drop in complaints — I also see this increase in complaints as a positive. People are increasingly aware of their rights, and they are prepared to exercise those rights.

This tells me, and it should tell you, that consumers are just as aware as we are of how privacy has become an inherent part of everything they do. And remember the figure from last year’s Community Attitudes to Privacy Survey – 60% were prepared to not deal with an organisation because of concern about their personal information handling practices!

I am disappointed when I hear comments that there is an attitude within some organisations of waiting for the breach to happen, waiting for the complaint to be made and, equally concerning, waiting to see an organisation taken to the courts for a civil penalty — before taking the appropriate steps to manage and protect their personal information holdings.  I personally hope this is just gossip.  Surely recent events such as the Target breach in the US and the impact that had on their financial performance and the personal impact it had on their senior management should be sufficient warning about the importance of managing the privacy risk. And if they’re not, then I hope you’ve read my recent decisions, listened very closely to what I have been saying about our regulatory approach, and that you’re planning to read our Regulatory Policy very closely, because not taking the right approach to managing privacy appropriately will not put you in good stead in the event I undertake an investigation of your organisation.

Wrapping up the year

Clearly a lot has happened since the 2013 iappANZ conference.

Since then we have all worked together to implement the new privacy laws, the most significant changes to the Act since its commencement, we’ve seen the ALRC’s report on a statutory cause of action, we’ve examined mobile apps as part of a Global privacy sweep, the data retention debate has hotted up, the right to be forgotten has been getting attention throughout the Asia Pacific region, and we have experienced the largest growth in privacy complaints to the office since the Act commenced.

Pleasingly, we marked an extremely successful Privacy Awareness Week with over 200 partner organisations and agencies, and have since released a raft of community focused resources, including a series of 5 videos. But sadly, we have continued to see a number of significant and high profile data breaches.

Finally, I’m sure everyone in the room is aware that in the May budget the Government signalled its intention to abolish the Office of the Australian Information Commissioner.  We’ve had a challenging few months as we have put into effect the Government decision.  For over four years our office has been working on privacy, freedom of information and information policy issues.  This has provided an opportunity to explore the connections between these areas, which we have been able to capitalise on when developing policy and providing advice to business, government and the public.

The Freedom of Information Amendment (New Arrangements) Bill 2014 was introduced to the Australian Parliament on 2 October, passed by the House of Representatives and immediately referred to a Senate Committee hearing. The Committee held a public hearing in Sydney last week and we are now waiting for the Committee’s report, which is due on 25 November. So we do not yet know precisely what our fate will be, but what we do know is that it’s business as usual for privacy. There will be a Privacy Act, as it is now, and there will be a Privacy Commissioner supported by an Office, so it will be business as usual for us all in terms of privacy regulation.

And this is the message I want to leave you with today.  Everyone in the room knows that privacy is absolutely about business as usual — it must be embedded in all of our processes, because it is inherent to everything that we do, to all of our interactions in everyday life.

We all, in this room and more broadly, have great responsibilities in this age of ubiquitous connectivity.  We can collapse under the flood of interactions, connections, and the sheer volume of data that is being created, shared and used every day.  Or we can take that deep breath, accept that privacy is now a central tenet of all of our professional lives, and step up to the challenge.

Footnotes

[1] ‘The issue formerly known as privacy’, http://america.aljazeera.com/articles/2014/11/4/data-privacy.html

[2] Mauritius Declaration on the Internet of Things (PDF), http://www.privacyconference2014.org/media/16421/Mauritius-Declaration.pdf