Why all online threats feel like privacy threats: information commissioner


The revelation that Medicare card information is for sale on the dark web is just the latest story to undermine public confidence in online services. Protecting personal data must be a central pillar of all public and private transactions, writes information and privacy commissioner Timothy Pilgrim.

Like any Australian, I was deeply concerned by reports this week that Medicare Card details were being sold on the dark web.

This matter, which on its face appears to include criminal as well as privacy dimensions, has been referred to the Australian Federal Police. My office will await the outcome of their inquiries with interest, and with confidence in their expertise in this area of cyber-crime.

In the meantime it must appear to many Australians that threats to their privacy are unrelenting — as it seems like each week there is a new story about an online risk.

While many of these incidents are cyber attacks aimed at corporate interests and not primarily targeting individuals, it’s understandable they get reduced in most people’s minds to one simple idea: ‘this is a threat.’

For the individual, that means ‘a threat’ to their personal data.

No wonder then that 83% of Australians, according to the Australian Community Attitudes to Privacy Survey, believe that online environments are inherently more risky for their privacy. The distinction between attack types and techniques is lost to consumers in forming their perceptions about the online world — and to most people, cyber attacks and privacy have become fused.

From my perspective as Australian information and privacy commissioner, I can assure you that these sentiments do not match the reality of the privacy breaches my office sees. Many personal information incidents still occur in the ‘offline’ world, and many real risks to our privacy are decidedly low tech — a folder containing personal information is left on a bus, or records are dumped that should have been shredded.

But the perception that the online world is more risky is understandable given our recent news cycles, and it is a perception that both public and private sector organisations need to address together. After all, there are significant service, efficiency and accessibility reasons to make online transactions secure — and to have them feel secure for the user.

Simply put, successful data-innovation needs a strong and clear foundation in privacy protection.

This requires real partnerships across sectors, and across technical industries, to shore up mutually supportive frameworks that both provide, and project, strong personal data security.

Without the assurance of personal data protection, innovations in data-based products, whether in health, government services or commercial applications, can struggle to gain long-term support.

Providing that privacy assurance requires increasingly innovative approaches to keep pace with technologies and global use — so it is necessary that Australia’s approach is coordinated across sectors, and across borders.

It’s to Australia’s credit that we took an early lead in this regard — co-founding the Asia Pacific Privacy Authorities Forum (APPA) in 1992 — and Australia will host the 47th APPA Forum and Data + Privacy Asia Pacific Conference in Sydney next week, once again bringing together privacy and data leaders from across our region.

This conference occurs at an exciting time for privacy protection in Australia. A binding Australian Public Service Privacy Governance Code is being introduced to ensure a single high standard of personal information management across all Commonwealth agencies, and a notifiable data breaches scheme will soon provide a mandatory reporting system for breaches that are likely to result in serious harm.

Australian businesses and agencies also face privacy and data issues that are truly global, such as the General Data Protection Regulation, and with these challenges in mind, the conference is attracting leading commercial, technical, health, academic and ethical figures from the UK, US, Canada and across the Asia-Pacific region.

After all, Australian businesses, agencies and consumers act in a global data environment — so sharing ideas between industries at the forefront of innovation, and regulators at the forefront of governance, will be key to the next iterations of trusted privacy frameworks.

Some good news on that front is that in my experience I also have found that Australians are innovative people who embrace new ideas for data products and services, provided that personal data protection is clear in the bargain.

A successful data-driven economy can be built on community trust in privacy and data security, if that trust is built first. It’s a task that will require all our efforts, but one which will, in time, mitigate our perception of threat from online transactions.

While the online (and offline) worlds will always have nefarious individuals who lurk in ‘dark’ spaces, placing personal data protection as a pillar of our public and private transactions will allow Australians to see those individuals with perspective, and with confidence that they are rare and outlying actors.

Timothy Pilgrim is hosting the Data + Privacy Asia Pacific Conference in Sydney next Wednesday, July 12.