In conversation with Sophie Dawson, partner with Ashurst Sydney, OAIC Assistant Commissioner, Angelene Falk, discusses some key issues for Australian privacy governance in 2016.
Sophie Dawson: Angelene, thank you so much for coming this morning, it was a fantastic seminar. I was hoping that we could just talk quickly for the people who weren't able to make it this morning, about some of the key themes that came out today. The first one of those was big data. I hear that there are some interesting things happening in your office around big data and also in relation to de-identification and personal information at the moment.
Angelene Falk: Thanks very much, Sophie. In terms of big data, we're seeing personal information used for purposes that we haven't imagined before, so it might be that information’s collected for one purpose and then subsequently used for another reason. What that means is that the privacy principles need to be interpreted in new ways. So they're flexible principles, they're technologically neutral, they can work in a number of different contexts but what it means is that we need business and also government to take an innovative approach to how they’re dealing with privacy in the big data context. This means looking at notices, consent, making sure that there's different ways of advising people how their information's going to be used.
So what we've done at the OAIC is develop some draft guidelines and those guidelines seek to position privacy and the APPs in a big data context. We're looking for people to give us some feedback on those guidelines. In terms of de-identification, under the Privacy Act the definition of personal information is central. If it's not personal information, the Privacy Act doesn't regulate it. So what we're looking at is, is information able to reasonably identify an individual, and this was an issue that came up in a recent decision, Ben Grubb, in relation to the AAT's decision which is currently under appeal to the Federal Court. That decision is going to go to the issue about what is personal information, and following that decision the OAIC will release further guidance.
But in the meantime we are really exploring this issue of de-identification, so, when is information no longer personal information under the Privacy Act. And we see de-identification as potentially a very powerful tool to unlock the value of big data and also to facilitate the Internet of Things. But what we want to make sure is that it's a robust process that really does ensure people's privacy. So we've got guidance already on our website about de-identification that asks organisations to take a risk-based approach to deciding this question. But we want to check that's still fit for purpose and we want to get people's input in terms of what they need in order for them to be confident about this kind of a tool.
Sophie: And of course the definition of personal information has wider implications too, doesn't it, because the metadata in the Ben Grubb case is the sort of data that many organisations will have. I mean in that case, it was telephony, but there'd be analogous data sets across the economy. So that decision will have implications for many organisations about what, for example, they have to produce in answer to access requests but also the form of their consents and disclosures.
Angelene: Yeah, that's right, and for that very reason the Commissioner formed the view that it was important to get clarity and certainty around this area, and that's why he's taken the matter to the full bench of the Federal Court.
Sophie: Terrific. And the other thing we talked about today was cyber security and the serious data breach notification bill. Angelene, would you like to just explain what's happened in relation to that bill?
Angelene: Sure. So, if I start from the current position in Australia at the moment: there's no mandatory data breach notification regime, with the exception of the My Health Records and eHealth area. So, in Australia at the moment, we encourage a system of voluntary notification, and that means where there's a real risk of serious harm to individuals we suggest that notification to those individuals and also to the OAIC is contemplated. We think that then enables organisations to take a very proactive approach to dealing with the issue and also for ensuring that they mitigate any harm to individuals.
Meanwhile, political parties of both sides have raised the issue of having a mandatory data breach notification scheme, and you'll know that there's a number of such schemes internationally; under the new EU regulation that will come into force in the next two years there will be a mandatory scheme in place, so we can see that kind of global movement towards that. In terms of what happens next, it'll be a matter for the newly elected government. But I think over time we're likely to see a mandatory data breach notification scheme. The issue will be in terms of the detail of it. We would anticipate as the regulator of privacy that we would have a role in providing guidance to the regulated entities about how the scheme will work, and any of the definitions that might be included and how we see them operating.
Sophie: And of course, with the current bill, the definition everyone's talking about is serious harm, the notification requirement would kick in where there was serious harm to an affected individual or a risk of serious harm. No doubt that's one of the issues that you're all looking at and will consider.
Angelene: Indeed, and we're cognizant of other models internationally, and some international models have taken a kind of benchmark approach to that, in terms of saying, serious harm might occur when a certain number of individuals are affected. So it would depend on the detail of the bill as to whether or not that kind of approach is taken, or a more principle-based approach is taken.
In any event, the OAIC will provide guidance; we'll consult with business and agencies and get input in terms of what are the challenges that are being faced in terms of ascertaining that, and in terms of undertaking a risk assessment in what can often be a very dynamic and fast-paced environment, and how can we best provide guidance that provides the kind of clarity and certainty that's needed.
Sophie: And of course people can notify data breaches now if they want to. Can you explain a little bit about that?
Angelene: Sure. In terms of voluntarily notifying, there's some recent research that's come out from Deloitte just last week. And that shows that actually people have greater consumer trust when notification occurs. So it goes hand in hand with this idea that consumers need to be able to have control over how their personal information is being used. So as businesses and government use that asset for their own commercial purposes, there's also a correlating responsibility to be transparent about what's occurring with the information.
Reporting does a couple of things: in the first instance, if you report to the OAIC, we understand what’s happening, we’re able to work collaboratively with the entity and provide them some guidance as to how to deal with the matter where that’s appropriate, but more than that, we’re aware of the circumstances, we’re able to position our Enquiries Line staff to be able to have some information to provide to the public, and the whole thing can be handled much more seamlessly. In terms of consumers, they get the opportunity to take their own mitigation steps if that’s appropriate in the circumstances.
Sophie: Terrific. Thank you. And if you had just, sort of, three things that you’d like corporate counsel and in-house counsel to focus on in the privacy area this year, what would they be?
Angelene: I'd have to say, taking a Privacy by Design approach. So the whole issue of privacy impact assessments is just going to become very central to the whole privacy landscape. So under the European Union's regulation, PIAs will be mandatory for significant projects involving personal information, and under the Australian Privacy Principles there is an obligation under APP 1.2 to take reasonable steps to implement processes and procedures that make sure you comply with the APPs, so a PIA is a really key tool to enable that to happen. So that's the first thing.
The second thing is to get security right and to make sure that there is a real culture of building in privacy and security protections in organisations.
And the third thing is to make sure that there’s a plan to deal with the issue if something goes wrong.
Sophie: Terrific. Thank you so much Angelene, and thank you again for your time this morning. It’s been really helpful.
Angelene: Been a pleasure. Thank you.