Office of the Australian Information Commissioner - Home

Australian Government - Office of the Australian Information Commissioner
Australian Government - Office of the Australian Information Commissioner

Main menu

Privacy in Australia: Challenges and Opportunities

Speech by Timothy Pilgrim, Deputy Privacy Commissioner, to Biometrics Institute, 27 May 2010

pdfPrivacy in Australia: Challenges and Opportunities

Introduction

May I start by thanking the Biometrics Institute for this opportunity to speak, and for Leanne's warm introduction.

Our Office welcomes the commitment the Biometrics Institute has just given to include representation from consumer organisations and academia on the next review panel for the Biometrics Institute Privacy Code. Our Office believes that independent reviews of industry codes are critical to their effectiveness.

I am very pleased to be able to present to an audience of people so clearly at the forefront of biometric technology development and use. As you would all understand, research and planning is very important in achieving a project's objectives. So, today I will be talking to you about building privacy into projects early. If you are going to do privacy right, you need to think about privacy early and build it in from the start.

Like so many emerging technologies, biometric technologies have the potential to improve our lives and offer great opportunities. Many of you will be motivated by the goal of providing society with modern, innovative solutions to tackle difficult-to-solve problems.

But as you surge ahead along this path of innovation and problem-solving, other important aspects need to be considered as part of their development. And probably the most important of these, particularly in the field of biometrics, is privacy.

Now I would like to be clear about something; technology is not the enemy of privacy. Technology can be privacy enhancing. Privacy can be an enabler, not a blocker for technology development. Our Office believes it is crucial that there is a conversation about privacy and its relationship with the evolution of biometric technologies.And this conversation needs to happen now more than ever, as these technologies continue to rapidly take hold in everyday transactions.

It is now that we have the best opportunity to make sure that privacy is embedded in the design and operation of biometric technologies. Tacking privacy protections on at the end is never the best outcome. Last minute considerations can be costly and complicated for agencies and organisations, and potentially less effective in protecting individuals.

Today, I will emphasise two key messages. The first is that, for biometric technologies to be successful, individuals need to be able to trust that their privacy is not being eroded and, if possible, being enhanced. Without that crucial ingredient of trust, the industry in which you are all involved will struggle to thrive. Without the buy-in of the society in which you are operating, biometric technologies will not be able to produce the genuine solutions they aim to provide.

And the second message is that, for biometric technologies to flourish in a way that genuinely meets the community's needs and expectations, they need a nationally consistent regulatory environment. I will speak more about this later.

But first, I'd like to talk a bit more about the role privacy should play in the development and use of biometric technologies.

Biometric information and privacy

The way that governments and organisations handle biometric information is something that many people, quite understandably, feel very strongly about. This is because biometric information is about a person's physical characteristics. When we collect biometric information from a person, we are not just collecting information about that person, but information of that person.

Biometric information cuts across both information privacy and physical privacy. It can reveal sensitive information about us, including information about our health, genetic background and age, and most importantly, it is intrinsic to each of us.

The very nature of biometric information is one of its major advantages in terms of its powers of identification. However, this same attribute can also create significant privacy risks.

This is why developers and users of biometric technologies always need to have one eye on the solution the technology is being developed and used for, and the other eye on privacy outcomes. If you don't watch both, you will not be able to achieve either.

It might be a good time to talk briefly about how privacy is regulated in Australia.

The Privacy Act

I know that many of you will have a good knowledge of privacy laws. However, I still think it's useful to provide just a quick Privacy 101 update - some of the most important things you need to know about the current privacy regulatory framework and the role of our Office.

The first thing to note is that the Privacy Act is mainly about information or data protection - not about bodily or territorial privacy.

The Privacy Act protects 'personal information', which means:

information or an opinion [...], whether true or not, and whether recorded in material form or not, about an individual whose identity is apparent, or can be reasonably ascertained, from the information or opinion.[1]

The way organisations and agencies handle biometric data is only regulated by the Privacy Act to the extent that the data is also 'personal information'.

Second, it is important to realise that privacy, under the Privacy Act, is not an absolute right. The Privacy Act recognises that privacy needs to be balanced against other competing interests, including the desirability of the free flow of information and the recognition of the right of government and business to achieve their objectives in an efficient way. The Act is about balancing a range of interests, and that is the way our Office approaches its responsibilities.

Technology development

While the Privacy Act was designed to be technologically neutral, and while our Office believes that it has been effective in regulating flows of personal information since it was introduced in 1988, a great deal has changed in the way society conducts itself since then. Rapid advances in technology over the decades have presented significant challenges for regulation of personal information-handling in Australia.

Developments in biometric technologies have been at the forefront of this change. Back when the Privacy Act was introduced in 1988, many biometric technologies were largely confined to science fiction movies. Of course, a few, such as the use of fingerprints in law enforcement, were well established. However, the concept that biometric technologies could become part of our everyday consumer transactions was almost unthinkable.

A person standing in line at a bank branch in 1988 would struggle to conceive a future where they could phone their bank, be identified by voice recognition technology, and transact from the comfort of their own home. Yet today, this is a reality.[2]

A worker signing a time sheet as they arrived at work in 1988, would struggle to conceive a time when they would be required to have a fingerprint scanned to clock on. Yet for some people today, this is a reality.

A young adult entering a nightclub in 1988 would struggle to conceive a future where they would have to submit to a face scan before being allowed entry. This would have been the crazy plot of some futuristic television show. But today, this is also a reality.

We are likely to continue to see increasing use of biometric technologies like those I have just mentioned, as well as iris scanning, palm scanning, and many others, in ways that we cannot predict. Assuming that these new technologies are developed in a way that is genuinely sensitive to privacy, this need not necessarily be a bad thing.

Biometrics - neither good nor bad

What is interesting about biometric technology is that we tend to hear both that it is good and bad for people's privacy.

On one hand, we hear that biometric technologies enhance privacy. For example, voice recognition technology is being rolled out in some call centres to identify callers, leading to more effective protection of clients' personal information.

On the other hand, we hear that biometric technology has the potential to invade our privacy. For example, in the film Minority Report, individuals confront ubiquitous iris scanning infrastructure and technology which allows their every activity to be tracked.

How do such obviously divergent views on privacy and biometrics coexist?

The answer is: because biometric technology is what we make it. Biometric technologies are not inherently good or bad for privacy, and privacy is not a blocker to the use of biometric technologies. These technologies can become good or bad for privacy depending on how they are designed, developed and deployed.

This is one of the key messages that I would like to communicate to you today. By considering projects involving biometric technologies in the context of privacy, and by building in privacy from the very beginning of the design phase, we can ensure that biometric technologies do not impinge on, but actually enhance, the privacy of individuals.

Enjoying the benefits of biometric technologies does not also mean we have to give up other freedoms or rights. Biometric technology has a lot to offer. Let's take responsibility to develop biometric systems carefully so that they achieve their aims while protecting privacy.

How to build privacy in

Our Office encourages all agencies and organisations to conduct Privacy Impact Assessments when commencing projects that are likely to impact on privacy to design it in. Earlier this month, in Privacy Awareness Week, we launched a new version of our Privacy Impact Assessment Guide, catering for both organisations and agencies.

Building privacy in from the start is cheaper and more effective than considering it only as an afterthought. Most importantly, projects and products that have been through a comprehensive privacy planning process are likely to inspire the trust of the community, have greater take-up and success, and so build your organisation's reputation.

The essential ingredient - trust

I have already mentioned trust a few times. Trust is a major factor in consumers' decision-making processes. In fact, in the Community Attitudes to Privacy research commissioned by our Office in 2007, 36 per cent of people stated that they had decided not to deal with an organisation because of concerns about how their personal information would be handled. This shows that individuals' perceptions about personal information can often dictate their consumer decisions.

It may, or may not, surprise you to hear that government departments actually enjoy a high level of trust from the community.In fact, that trust has been growing.73% of people surveyed said they believed that government departments were trustworthy when it came to how they collected and used personal information.This is in comparison to 64% in 2004 and 58% in 2001.

The numbers for private sector organisations were generally lower that this, with 58% of people considering 'financial organisations' to be trustworthy, 37% for retailers and 17% for businesses selling goods over the internet.

No agency or organisation can ever afford to be complacent about trust. They can lose this trust and their reputation overnight if they sustain a major breach of personal information or handle personal information poorly.

And as I mentioned, many consumers will vote with their feet if they suspect an organisation may mishandle their personal information. This statement is particularly relevant for audience members here today, given that many consumers feel that biometric data is even more sensitive than other forms of personal information.

I should also note here that we are currently conducting several investigations including an own motion investigation into the scanning of driver's licences and the separate collection of biometrics like finger prints at night clubs and other entertainment venues. This includes looking at the technology and the processes involved. As these are ongoing investigations I cannot discuss any details but it does illustrate the importance of getting the technology and the business practices right from the start.

I note with interest that the Biometrics Institute is aware of the importance of community trust and confidence in an organisation's information-handling practices. The preamble to the Biometrics Institute Privacy Code states: "only by adopting and promoting ethical practices, openness and transparency can these technologies gain widespread acceptance".

For agencies, it is even more vital to be careful to incorporate privacy principles into their operations as, in many cases, individuals may not have a choice about whether or not they participate in that agency's systems or operations. A poorly designed project incorporating biometric technology can cause considerable embarrassment or worse for government and serious repercussions for individuals.

Working with new technology is challenging, but it can also be very rewarding. If you're pioneering or implementing new biometric technologies, or any new product or service that impacts upon personal information, our Office encourages you to rigorously consider any privacy implications that may arise. By doing this, you place yourself ahead of the game, and are more likely to inspire the trust and confidence of your consumers and the community.

National consistency

There's another issue that I would like to discuss with you today. It is a little more technical, but is no less significant. It relates to the array of laws and regimes that govern the handling of personal information, including biometric information, in Australia.

As most of you will be aware, the Privacy Act is 'principles based'. There are 11 Information Privacy Principles (IPPs) for Australian Government agencies, and 10 National Privacy Principles (NPPs) for business.These principles govern how those agencies and businesses handle personal information, including its collection, use and disclosure, security and destruction.

However, the Privacy Act has some exceptions. For example, it does not cover most small businesses. Nor does it cover state government agencies. To bridge this gap, some Australian states have introduced their own laws covering their public sector.

Navigating the complex relationship between state and national laws is a familiar story in our federation, but this is little consolation for organisations and agencies trying to understand their privacy obligations.

In our current regulatory environment, some users of biometric information may fall outside of our Office's jurisdiction, and may not be required to comply with the Privacy Act.

Private sector organisations bound by the NPPs that perform some functions under contract to a state or territory government may have to comply with different laws for that work. As well, organisations contracted to Australian Government agencies may have to comply with the IPPs for functions performed under the contract, and the NPPs for their other functions. Confused?  Well, it's not surprising.

And what is the main implication for biometrics?  With different laws applying to different kinds of organisations and agencies, we risk having different standards applied to organisations and agencies conducting similar activities.

Information flows do not stop at state borders. Many large organisations have a presence in some or all Australian states and territories. In our modern, integrated economy, it makes little sense and can be very expensive to require organisations to handle information differently in different states and territories, even if these differences are often only minor.

As I'm sure you can see, the system that is currently in place can be quite complex. This is a challenge indeed. However, I'm glad to be able to inform you that there are genuine opportunities for improvements on the horizon.

Changes in the pipeline

As many of you will be aware, the Government has announced its intention to make major changes to privacy law in Australia. The Australian Law Reform Commission (ALRC) delivered a report to the Government in May 2008 recommending 295 changes to Australia's privacy framework. The Government outlined its first stage response to the Report in October last year, putting forward its position on 197 of the ALRC's recommendations.

The Government has said that it intends to release exposure draft legislation reflecting these changes during 2010.[3] 

A number of the recommendations that the Government has decided to adopt will have significant, and hopefully positive, impacts for the environment in which biometric technologies must operate in Australia. I'd like to explain some of these to you now.

Single set of privacy principles

As I mentioned earlier, in the Privacy Act, there are two sets of privacy principles.

In what is probably the key reform proposal of all of the ALRC's 295 recommendations, the Government announced that it sees the wisdom in replacing these two sets of principles with a single set of principles to cover all entities that are now covered by the NPPs or the IPPs.This means that, for the first time, Australian Government agencies will have the same obligations as private sector organisations covered by the Act (of course with a few exceptions).

So what does this mean for users of biometric data?  This represents a significant step towards national consistency in the regulation of privacy and biometrics. For the first time, one set of rules will cover the biometrics field at a national level.

Biometric information as sensitive information

As I mentioned earlier, when we collect biometric information from a person, we are not just collecting information about that person, but information of that person. Recognising this fact, the Government has accepted the ALRC's recommendation that biometric information be treated as 'sensitive information' under the Privacy Act.

As it stands, the Privacy Act regulates the handling of personal information generally. The NPPs also contain extra protections specifically dealing with what is termed 'sensitive information', whereas the IPPs do not. The new, unified set of privacy principles will apply the higher protections applying to sensitive information to both agencies and organisations.

Sensitive information is a subset of personal information and includes information about things such as:

  • racial or ethnic origin
  • religious beliefs or affiliations
  • criminal record information
  • health information.

The ALRC neatly explains the rationale behind treating biometric information as 'sensitive information':

'Biometric information shares many of the attributes of information currently defined as sensitive in the Privacy Act.It is very personal because it is information about an individual's physical self. Biometric information can reveal other sensitive information, such as health or genetic information and racial or ethnic origin. Biometric information can provide the basis for unjustified discrimination.'[4]

What this change will mean then is that organisations and agencies will only be able to collect sensitive biometric information about an individual in defined circumstances, including where:

  • the individual has consented to the collection
  • the collection is authorised or required by or under law, or
  • the collection is necessary to prevent a serious threat to the life, health or safety of any individual.

This change will give individuals greater confidence that their sensitive biometric information will be appropriately treated by both agencies and organisations. And as you know, confidence is an important ingredient in building up trust.

This change will also ensure that both agencies and organisations have consistent obligations regarding the way they handle biometric information.

Technological neutrality

Importantly, the Government has also committed to ensuring that the Privacy Act remains technologically neutral. What this means is that the Act will continue to regulate information handling without referring to specific technologies.

This is important because it gives the Privacy Act the flexibility to be relevant to new technological realities as they present themselves.

The current Privacy Act was introduced in 1988 - a time when many people were only just buying their first microwave. People did not have access to the internet, mobile phones and an array of other technologies, including biometric technologies, that are central parts of our lives today. The principles that underpin the Privacy Act are even older, having originated in the 1980 OECD Privacy Guidelines.

It is a testament to the success of the principle of technological neutrality that the Privacy Act has been able to regulate personal information flows in Australia for more than 20 years without major difficulties.

Of course, technological neutrality does not mean that we bury our heads in the sand when it comes to technological change. Our Office believes that we can have technological neutrality of privacy laws while still having laws that are technologically relevant. We believe that technological neutrality allows the Privacy Act to be adequately flexible to accommodate technological change. What we don't want is a privacy regime that goes out of date every time technology changes! 

Privacy codes

Going hand-in-hand with the concept of technological neutrality is the proposal to expand the Privacy Commissioner's powers in relation to privacy codes.

At present, industry groups are able to propose the introduction of a privacy code in a specific area. If the code has protections equal to or stronger than the NPPs, the Privacy Commissioner can approve it, and any organisation that opts in to the Code must comply with it. Our Office can handle complaints about breaches of privacy codes.

Many of you here today will of course be familiar with one such code - the Biometrics Institute Privacy Code although our Office notes, regrettably, the low take up of the Code by businesses who are members of the Institute. We would encourage you to look again at the benefit in signing up to the higher privacy protections afforded to individuals by the Code, such as demonstrating to your clients your commitment to good privacy practice.

As well our Office welcomes the Institute's recent development of the Privacy Awareness Checklist which each member has been asked to complete when renewing their membership.

Under the proposed changes to the Privacy Act, the Privacy Commissioner will be able to request that an organisation or industry body develop a Privacy Code binding specified organisations. If an appropriate code is not developed, the Commissioner will be able to develop and impose one.

Of course, our preferred approach is to allow industries to take responsibility for their privacy obligations, and we are confident that this will happen. The Office encourages your industry to be proactive in its approach to privacy, and as I mentioned before, to build privacy into projects, rather than simply bolting it on.

However, this code-making power will allow our Office and industry the flexibility to ensure that certain fields dealing with specialised kinds of information and technology can be regulated appropriately, and in more detail than in the Act if necessary. This will give the Office the power to respond in a timely manner to new technologies with specific privacy issues, without needing a Privacy Act legislative change, which can be a very time-consuming and uncertain process!

Consistent laws in states and territories

With all of these changes planned in the sphere of privacy law, particularly with the use of biometric technologies, you could be forgiven for feeling slightly intimidated. My advice to you is not to be overwhelmed by the challenges that come with change, because the developments unfolding before us actually present great opportunities:

  • the opportunity to develop consistent privacy laws across the public and private sectors in Australia
  • the opportunity for all of us in the room to get ahead of the game, and start planning for the future
  • and, perhaps most significantly, the opportunity for parliaments across Australia to take the new national laws as a model, to simplify and make consistent information-handling laws across all jurisdictions.

I refer again to the example I used earlier of some organisations needing to be conscious of both the NPPs and the IPPs and possibly even state privacy legislation. Our Office can see a future where laws across the country relating to information handling, including the regulation of biometric technologies, will be aligned. With a simplified national privacy regime, government and organisations would at the same time have a reduced compliance burden and greater certainty of their obligations.

Conclusion

So in concluding let me say again that there is nothing wrong with acknowledging that biometric technologies have the potential to offer our society many great benefits.

Equally though, done badly, the development and use of biometric technologies has the potential to impinge on individual privacy and thereby risk undermining community confidence in such technologies. Once that community confidence evaporates, so too does much of the potential that might have made the technologies attractive in the first place. This is why it is important to address and build in privacy now.

If, as I suspect it is, the ultimate goal of the work of this audience is to devise, build and use innovative technological solutions the work you do is too important to risk jeopardising good results with poor privacy protections.

It is also vital that the environment in which these biometric technologies are developing be simple and nationally consistent to allow them to flourish in a considered, rather than an ad hoc, fashion. By having a simple, clear, nationally consistent environment, everybody knows where they stand, and individuals can be more confident that agencies and organisations will appropriately safeguard their privacy.In a word, it will generate trust.

Thank you.


[1] Privacy Act 1988, s 6.

[2] NAB media release, NAB selects Telstra and Salmat VeCommerce to supply voice biometric solution, 22 June 2009, retrieved 19 May 2010 from: http://www.nab.com.au/wps/wcm/connect/nab/nab/home/About_Us/8/5/14/NAB+selects+Telstra+and+Salmat+VeCommerce+to+supply+voice+biometric+solution

[3] Department of the Prime Minister and Cabinet website, retrieved 19 May 2010 http://www.dpmc.gov.au/privacy/alrc.cfm

[4] Paragraph 3.170, Discussion Paper, Australian Law Reform Commission, Review of Privacy, 2007 (retrieved on 19 May 2010 from http://www.austlii.edu.au/au/other/alrc/publications/dp/72/3.html)