Australian Government - Office of the Australian Information Commissioner
Good privacy is good business: the path to excellence

Speech by Karen Curtis, Privacy Commissioner, 2010 Government Business Conference, Sydney, 6 May 2010.

 


Firstly I acknowledge the traditional owners of the land we meet on - the Gadigal people of the Eora nation - and I pay my respects to their elders past and present.

This conference is about achieving public service excellence.

I'm sure that in some circles there are people who'd say that public service excellence is a contradiction in terms or an oxymoron.  A bit like when Sir Humphrey said to his Minister, 'Minister, you can be open and have government, you just can't have open government!'

I'm not one of those people.  I wasn't surprised that a study found the APS as comparable to some of the best services in the world.

But part of maintaining excellence is striving to improve and stay ahead of the game.  A strong public service can only improve with regular re-evaluation and critical analysis.

So it's fortuitous we have the blueprint for public sector reform: Ahead of the Game; developed by the Advisory Group on Reform of Australian Government Administration.

I'm sure you'll be hearing plenty about the Blueprint over the next two days, so I won't go into too much detail.  But it does provide the context for my talk.

My message to you is that good privacy practice is fundamental to public sector excellence.

It is also timely that I happen to be speaking to you during Privacy Awareness Week.  PAW is promoted by my Office and other privacy regulators from a number of countries across the Asia-Pacific region and other Australian jurisdictions.  It's a celebration of privacy and an opportunity to reinforce awareness of obligations and rights.  This year's theme is 'Privacy: It's in your hands', which captures the sentiment that we all have choices to make and obligations to meet in our personal and professional lives.

As the Blueprint has highlighted, times are changing.  As Bob Dylan said:

Come gather 'round people (public servants)

Wherever you roam

And admit that the waters (the issues)

Around you have grown

And accept it that soon

You'll be drenched to the bone

If your time to you is worth savin'

Then you better start swimmin' or you'll sink like a stone

For the times they are a-changin' . . .

The times have changed in a number of ways.  People now have greater expectations of high quality service from their governments.  Technology continues to advance and we have to deal with new issues like the ageing population, global warming and national security.

But what hasn't changed is people's need for, and expectation of, privacy.  Circumstances may have changed in the Information Age, but that core need of respect for the individual has not.  Why?  Because people need privacy to lead full and dignified lives.  It is nothing new or controversial.  

If privacy were not important, then I can tell you that reality TV shows would not be rating as well as they do!  The producers of those shows understand that having every move, every slip up, every humiliation, recorded and played on prime time television is difficult for contestants.  It's difficult because people need time out from the spotlight.

In Australia, we fulfil our international treaty obligations and recognise the importance of privacy to human dignity and autonomy through the Privacy Act at the federal level, and we have a number of privacy laws at the state and territory level too.

The Privacy Act regulates personal information handling in the public and private sectors.

Some of the key features of the Privacy Act that should be borne in mind are:

  • The principles apply to 'personal information' - which the Act defines as 'information or opinion about an individual whose identity is apparent or can be reasonably ascertained.'
  • It is principle-based law - that is, law which provides agencies with broad, core rules that they must then apply to their specific operations. When in doubt, return to the principles. They show the principles behind the law; the 'why' behind the rule.
  • The principles cover how agencies collect, use, disclose and safeguard personal information.
  • Privacy law is really about respect and common sense.
  • Privacy is not an absolute right. It has to be balanced against community interests, freedom of expression and the rights of government to be efficient.

As the Information Age has unfolded and developed, so too has the importance of privacy law.  It provides a check on information handling at a time when personal information can be moved, matched, mashed, linked, searched and circulated on a mass scale and with great ease.

The Blueprint provides a good framework for a discussion of why good privacy practice lies at the heart of public service excellence.

Ahead of the game - creating privacy excellence in our public service

As Steven explained, the Blueprint outlines four core components which are critical to a high-performing public service.  They are:

  1. Meeting the needs of citizens
  2. Strong leadership and strategic direction
  3. A highly capable workforce
  4. Operating efficiently and at a consistently high standard.

I want you to imagine for a moment that the public service is a tree, and these four components can be considered four major branches.  If one branch is unhealthy, then the whole tree suffers.

So where does good personal information handling fit in?  Some might say it's a smaller branch or even a twig.  But that is not understanding the pervasiveness of personal information in the public sector.

Good personal information handling is essential to a high-performing public service.  Therefore, I see good privacy practice as being at the core of each of those four components.

So how does good personal information handling fit into each of those four components of a high-performing public sector?

1. The first branch: Meeting the needs of citizens

The Blueprint speaks of the importance of meeting the needs of citizens by providing high quality tailored public services and by engaging citizens in the design and development of services and policy.

Of course, in any discussion about the public service and its effectiveness, we must return to the citizen, because they are at the centre of what we do.

Good personal information handling is essential to meeting the needs of citizens.

Good information handling means that individuals receive the right service at the right time in the right way.  You need to have the right information at the right time used for the right purpose.  It's nothing new or revolutionary.

What you may not have focused on is that for individuals to get the most from public services, they need to be able to trust agencies to use, disclose, and protect their information appropriately and respect their right to privacy.  When governments don't get it right, citizens aren't happy.

On the whole, Australians tend to trust the public sector to handle their personal information appropriately.  Community attitudes research commissioned by my Office in 2007 found that 73 percent of Australians considered government departments to be trustworthy when it came to the handling of their personal information (a figure that has steadily increased over the past six years).  The only sector more trusted to protect privacy was the health sector.

Of course, trust can be eroded in no time at all - for example, in the event of a data breach and a sustained media attack - so agencies cannot afford to be complacent.  Trust is an elusive commodity.  Do not take it for granted!

2. The second branch: Strong leadership and strategic direction

The second component of a high-performing public service is strong leadership and strategic direction.  Again there is a privacy angle here!  Often information handling is in the hands of frontline staff; case managers; those at the coalface so to speak.  But this does not mean that good privacy practice starts and ends with them.

Agencies with the best culture of privacy protection are generally those with strong leadership - leaders that recognise the importance of good personal information handling and actively encourage their staff to embed privacy in their day-to-day activities.

All departments and agencies have Privacy Contact Officers - do you know yours? - but some departments and agencies have a more integrated and direct line to the top.  Privacy is seen as a core business value and a risk to manage and is reported upon regularly to senior management.  What visibility does privacy have in your organisation?

If senior people don't give appropriate attention to privacy, neither will their staff.  Privacy becomes a mere compliance issue and staff may be encouraged to only meet the bare minimum of the requirements of the Privacy Act, and not aspire to best privacy practice.

I'm pleased to say that I don't think that this is a big problem in our public service today, but I do think it pays to remind agency heads and managers of their role in creating a public service culture that respects privacy.

Public sector leaders also play a role in ensuring that privacy is built in early to new projects and policies that involve the handling of personal information.  By encouraging rigorous, evidence-based policy development and undertaking comprehensive privacy impact assessments, public sector leaders invest in the future of privacy protection in Australia and meet the expectations of the citizens.

A current good example is DHS, and I congratulate them, as they are building privacy firmly into their service delivery reform.    

Privacy impact assessments are really becoming the norm now for new projects that involve the handling of personal information.  Referred to as 'PIAs', they are an accepted assessment tool used in many countries across the world including Canada, the United States, the United Kingdom and New Zealand.  Indeed, US President Barack Obama has said PIAs now have to be undertaken on federal projects involving significant personal information.

A PIA is an assessment tool that describes in detail the personal information flows in a project, and analyses the possible privacy impacts of the project.  A PIA can help agencies to identify when the collection of particular information is unnecessary for a given project, or where additional accountability or oversight processes may reduce privacy risks.

PIAs also help to engender community trust in new proposals, if the issues raised during the PIA process are addressed in the proposal's development.

Generally, a privacy impact assessment should:

  • describe the personal information flows in a project
  • analyse the possible privacy impacts of those flows
  • assess the impact the project as a whole may have on the privacy of individuals, and
  • explain how those impacts will be eliminated or minimised.

For large projects, conducting a PIA may be an iterative process, with a number of PIAs done at various stages of development or as project design evolves.

It is much easier and more productive to influence the development of policies and initiatives in the formative stage, rather than trying to add privacy considerations on at the end.  PIAs build privacy in rather than bolting it on at the end, possibly to the detriment of the project as a whole.

My Office has produced a PIA Guide to help agencies through the PIA process.  And tonight, as a part of my Office's Privacy Awareness Week celebrations, Senator Joe Ludwig as the Minister responsible for privacy will launch a revised version of the guide which expands its scope to cover PIAs in the private sector too.  The new version of the guide will be available on our website from tonight.

Now to return to the 'branches' of the public sector tree - let's move on to the third component of a high-performing public service.

3. The third branch: A highly capable workforce

The Blueprint reported that about half of agencies spend less than one percent of their budget on staff development.  Only a small proportion of agencies spend an amount similar to the best private sector organisations.

A highly capable workforce is the third component of a high-performing public service.  Part of developing a capable workforce is investing in training for staff to ensure that they can carry out their responsibilities with confidence.

Privacy training is vital so that agencies meet their obligations under the Privacy Act.  All staff should be familiar with the Information Privacy Principles in the Privacy Act, and embed them in their daily practices.

How many of you know the 11 IPPs that came into effect in 1989?  Don't answer, because I know it's not the majority of you.

But luckily, to help with this, for Privacy Awareness Weeks, my Office has produced handy bookmarks for agency staff.  One has the IPPs on it and the most recent bookmark gives guidance on what to do when using or disclosing personal information - and also gives you hints for your personal life!  I would like to see all public sector staff with our bookmarks on their desk!  You can order them now from the Privacy Awareness Week website: (www.privacyawarenessweek.org/).

At a minimum as public servants we should know the IPPs exist and some basics as the principles aren't quantum physics!  For instance, you can use other people's personal information if you can say 'Yes' to one of the following:

  1. Are you using the information for the purpose you obtained it?
  2. Are you using the information for a directly related purpose?
  3. Have you got consent for this other purpose?
  4. Are you required or authorised by a law to use this information for this other purpose?
  5. Is the use for law enforcement or to protect public revenue?
  6. Are you using the information to protect someone's life or health from imminent threat?

Many agencies like Medicare and Centrelink have extensive training programs for new staff on privacy.  Make sure your agency does a refresher every now and then.  If you have staff that started at your agency twenty years ago, it's likely they've forgotten a few of the key points they learned in their privacy training in 1990!

I cannot emphasise enough the importance of privacy training as part of creating a highly capable workforce.  It really is a good investment and it could be the thing that protects your agency from an avoidable data breach and an embarrassing headline. 

It is also something my compliance officers look at when investigating a breach.  If an agency has a training regime in place and policy and procedures for handling personal information, it is less likely to be found to be in breach of the Act.

Be ready for when things go wrong...

So.  You've got the Privacy Awareness Week bookmarks.  Your staff know the Information Privacy Principles inside out and receive regular training.  You do PIAs on all new projects that involve the handling of personal data.  Your agency has a strong commitment to good privacy practice and encourages a culture of respect for the privacy of individuals.  And then, despite all this, the impossible happens.  You have an information security breach.

Sometimes, despite the best efforts of agencies, an information security breach occurs.  I am not excusing it or saying that it's okay now and then to let your guard down.  Of course it isn't.  But the reality is that they happen and your agency needs to be prepared to act fast to rectify the situation when they do.  Our 2009 Portable Storage Device survey found that 58% of agencies either lost or had stolen agency issued PSDs in the previous year.

How do you deal effectively with information security breaches?  There is a lot that agencies can do to mitigate harm.

Data breaches can happen for a range of reasons.  They can be caused by human error or corrupted IT systems.  They can involve accidentally sending the wrong letter to someone, thus exposing the personal information of another.  They might involve a courier losing a package containing personal data, or a printing glitch that prints unrelated personal information on the backs of letters to clients, or a lost USB containing a database of 100 000 clients.

Whatever the situation, agencies should take the breach seriously and assess the possible or likely harm to affected individuals.  Sometimes, but not always, agencies will notify affected individuals.  Once again, you have the power in your hands - so be prepared!

Here are some simple steps to minimise the risk of a data breach.  Most involve common sense - for example:

  • Personal information shouldn't leave the premises unless absolutely necessary.
  • Don't allow large amounts of information to be downloaded onto single media.
  • Protocols should cover how personal information is transferred and how portable storage devices are used, and staff should be trained in these protocols.
  • Personal information held on portable devices should be encrypted.
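The last point in the list above, encrypting personal information before it goes onto a portable device, as an added example that is not part of this speech or of the OAIC's own guidance: a Go program using only the standard library that seals a constructed sample client export with AES-256-GCM and rejects any altered copy. The sample records, the key handling shown, and the export label bound as associated data are illustrative assumptions, not anything the speech prescribes.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample export of the kind that might be copied to a USB
// stick. These are made-up records, not real personal information.
const sampleExport = "client_id,name,dob\n1001,A. Citizen,1970-01-01\n1002,B. Resident,1985-06-30\n"

// NewKey returns a fresh 256-bit AES key. The key must be kept apart from
// the device (e.g. passed to the recipient out of band), never stored
// alongside the ciphertext it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// The export label is bound as associated data (an assumption of this
// example) so a blob cannot be silently presented under a different label.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open decrypts a blob produced by Seal and verifies its integrity; any
// change to the nonce, ciphertext, tag or label makes it fail.
func Open(key, blob, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// RoundTrip walks the lifecycle: seal the export, show that a copy with a
// single flipped bit is rejected, then open the intact copy. It returns
// the recovered plaintext and whether the tampering was detected.
func RoundTrip() (string, bool, error) {
	key, err := NewKey()
	if err != nil {
		return "", false, err
	}
	label := []byte("client-export-2010-05") // hypothetical label
	blob, err := Seal(key, []byte(sampleExport), label)
	if err != nil {
		return "", false, err
	}
	// Simulate corruption or tampering of the file on the device.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, tamperErr := Open(key, tampered, label)

	out, err := Open(key, blob, label)
	if err != nil {
		return "", false, err
	}
	return string(out), tamperErr != nil, nil
}

func main() {
	pt, detected, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("tampering detected: %v; recovered %d bytes\n", detected, len(pt))
}
```

The design point is that encrypting the device alone does not settle the matter: a lost stick is only harmless if the key did not travel with it, and authenticated encryption (GCM here) is what lets the recipient tell a genuine export from a corrupted or manipulated one. A fresh random nonce per file is required; reusing a nonce under the same key breaks GCM's guarantees.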

My Office produced a Guide to Handling Personal Information Security Breaches which gives clear steps to take to minimise the impact of a breach on those individuals affected by it.

These steps are:

  • Step 1: Contain the breach and do a preliminary assessment
  • Step 2: Evaluate the risks associated with the breach
  • Step 3: Consider notification of affected individuals
  • Step 4: Prevent future breaches.

The Guide has examples to help decide whether notification is an appropriate response.

While the Guide is voluntary, it represents good practice in handling breaches, and I would suggest you read it and consider its use.  It represents a crucial step in being prepared!

Since its release, the number of data breach notifications my Office has received has increased.  Rather than a negative, I see this as a positive proactive step and a strong indication that business and government realise that good privacy is good business.

4. The fourth branch: Operates efficiently and at a consistently high standard

The fourth and final component of a high-performing public service is that it operates efficiently and at a consistently high standard.  The preceding three components lead into this one - it's like the strongest branch of the tree where you put your swing...  If you get the first three components right, your agency is on the way to operating efficiently.  For example:

  • you won't be spending money tacking on privacy controls to new projects, because you will have dealt with privacy early on in privacy impact assessments - you'll have more efficient, focused and effective program delivery
  • you won't be spending money and wasting time on emergencies such as notifying people of breaches of their personal information, trying to fix bad situations, and putting out fires in the media
  • your staff will be well trained and get it right the first time when handling the personal information of citizens, and
  • agency heads will foster a culture of respect for privacy in their workplaces which will encourage staff to go the extra mile with good information handling.

Handling personal information consistent with people's expectations is really a key element of service delivery and delivering privacy excellence.  Australians should know that their personal information is in good hands.

Good privacy is good business

So ... good privacy is good business.  Good privacy practice significantly enhances agency outcomes, while meeting the needs and expectations of individuals.

In each of the four branches of a high-performing public service, good privacy forms a key component in achieving good agency outcomes.  Indeed, one could argue that agencies must take greater care than private sector organisations in handling personal information appropriately, because unlike in the private sector, people don't generally have the option of shopping around if they don't like the service they receive at the first place.  In most cases, the individual has no other options.  So agencies have an added obligation to get their information handling right the first time round.

In addition to privacy being part of the four branches, like the public service values, fostering a culture of privacy awareness and respect can be seen as the roots - mostly invisible, but providing a firm foundation that both anchors and nourishes the tree as a whole.

I have already mentioned the role that agency heads play in cultivating a culture of privacy.  Promoting privacy is one of my key statutory responsibilities.  As it is currently Privacy Awareness Week, this is a time for agency staff to be reminded about privacy obligations and to reinforce the culture of good privacy in public sector workplaces.

Privacy Awareness Week products and advice

The theme of this year's Privacy Awareness Week is 'Privacy: it's in your hands'. The idea is this:  that we all have a responsibility both to protect others' personal information at work, as well as to protect our own personal information in our daily lives.

To mark Privacy Awareness Week, my Office has launched some practical advice and products that address some contemporary issues in privacy.  In addition to the bookmarks and the PIA guide that I mentioned earlier, some other items include:

  • A pocket-sized guide with simple tips on privacy and mobile phones for individuals. We developed this in partnership with the Department of Broadband, Communications and the Digital Economy and the Australian Communications and Media Authority. In fact, I have one here in my hands - hot off the presses! They are available from my Office.
  • An information sheet on ID scanning in pubs and clubs.
  • A new set of case notes which outline specific privacy complaints my Office has received and how we applied the law.
  • An online, quiz-based self help ID theft prevention tool, which was developed in partnership with members of the Asia Pacific Privacy Authorities, and is available now from http://www.privacyawarenessweek.org/. It helps you to work out how likely you are to be a victim of ID theft across 11 areas in your life. I'm at 15% risk but I'm going to work on that!

We hope that these products will assist agencies, organisations and individuals become better informed about pervasive but relatively new areas where privacy considerations arise, such as the use of ID scanning, and the privacy implications of using internet-enabled mobile phones.

As technology advances, we cannot afford to bury our heads in the sand and ignore developments.

As privacy professionals, we are sometimes accused of being 'blockers' to technological development.  However, technology can actually be privacy enhancing, so technology is not the enemy of privacy.  In fact, you can have PETS - Privacy Enhancing Technologies - as opposed to PITS - Privacy Invasive Technologies.

What we are doing this week is highlighting to agencies, organisations and individuals the things that they should be aware of when using new technologies.

We want people to be aware of their rights and to feel confident to question what is happening to their personal information.  There are many things to consider, and this raised consciousness is something that I want to see.

Everyone needs to be aware that they have a choice.  A choice about who they give their information to; a choice about the security settings they use on their mobile phones and social networking sites.

The choice is in your hands.  There are practical things that we can do to protect and strengthen our privacy, and this week has illustrated that.  And that is consistent with the APS reform agenda.

So I hope that as we all implement the recommendations of "Ahead of the Game" we are not - to use another Bob Dylan reference - Blowin' in the Wind, but rather that The Answer, My Friends, is that good privacy is good business, and that the power to create excellence is in your hands!