Harmonising Australia’s privacy regime


Privacy by Design is picking up steam, with advocates emboldened by the new reality of a growing data-driven economy. Victoria Draudins maps how the public sector privacy bodies are responding to the challenge.

Information has never been easier to share than today. And thanks to advances in areas like analytics and AI, it has never been more valuable, with commentators grandly proclaiming from time to time that data is ‘the new oil’ of the 21st century.

Of course, the flipside of this ‘new age of information’ lies in maintaining privacy without creating unnecessary barriers. “Privacy is something that goes to the core of a person – to their sense of self and hence to their dignity and human rights,” says outgoing NSW Privacy Commissioner, Dr Elizabeth Coombs.

Any public servant introducing new technologies in government must grapple with complexity or uncertainty surrounding privacy. This is driven by the extremely context-specific nature of applying privacy principles, and may be exacerbated by differing standards across jurisdictions, the proliferation of new technologies and international developments. However, these drivers may also assist in creating more universal privacy standards, which ensures privacy is embedded from the start of the process — rather than as an afterthought.

Navigating Australia’s complex privacy regime

Our privacy regime is governed by a complicated lattice of privacy rules administered by various federal and state authorities. The Office of the Australian Information Commissioner (OAIC) handles the privacy issues of federal agencies, large businesses, health providers and some small businesses under the Privacy Act 1988, while states and territories handle issues relating to their own state or territory agencies using their own jurisdiction-specific legislation. Essentially, all legislation involves some form of Privacy Principles — although these can vary substantially from jurisdiction to jurisdiction. The Attorney-General’s Department also has carriage of security standards.

As the private sector leads in technological advances, the OAIC often paves the way in privacy development. While most states and territories have specific privacy bodies headed by Commissioners (or an Ombudsman in the case of Tasmania), Western Australia and South Australia subsume privacy back into other agencies. As a result, aspects of those states’ privacy regimes are less rigorous than those of other jurisdictions.

This matters more and more as governments move to join up information. For example, as I wrote about recently, the Attorney-General’s Department’s Face Matching Service is running into issues in securing agreement from some states to share their driver licence photos, as other jurisdictions may not have the same level of privacy protections.

Privacy is more important than ever in the face of new technologies

It’s not only that information is being shared more easily — the very nature of information is changing. As Coombs observes: “The financial year 2016/17 has been marked by announcements of self-driving cars, artificial intelligence, robotic intelligence, robotic clouds, facial recognition, the internet of things and more.”

These developments are far from academic. Last year the Northern Territory embarked on a driverless bus. And over a year ago, the Therapeutic Goods Administration issued a warning about the potential cybersecurity risks of hacking of medical devices like pacemakers or insulin devices.

The Acting NSW Commissioner notes that “during this time of fast technological evolution, it is important to remember that privacy is actually becoming more important to individuals.” Speaking of a report she released into community attitudes to privacy at the end of June, the Commissioner notes that ‘people care very much about their ability to control who may obtain their personal or health information and who may be able to identify them based upon this information.’ The community also has ‘strong views’ about how information provided for one purpose may be put to other uses without their consent.

Building on this theme, the DTA reveals some perhaps surprising additional insights into how the public views government-held data. As a spokesperson tells The Mandarin, “we’ve conducted extensive user research throughout each stage of Govpass … people are more willing to share personal data with the government than social media or private organisations.”

The future involves lifting standards and creating better uniformity

Considering the break-neck pace of technological change, co-ordination and harmonisation amongst privacy authorities is more important than ever. Queensland Privacy Commissioner Philip Green notes that ‘It’s hard to be on top of it all, so it’s really essential we collaborate … government lags behind the private sector, so the OAIC provides some good guidance.’

Efforts to ensure coordination involve those states and territories with privacy authorities maintaining weekly contact with their counterparts to discuss important issues. They also make sure to reach out internationally. In mid-July, the OAIC hosted the 47th Asia Pacific Privacy Authorities (APPA) Forum followed by the Data + Privacy Asia Pacific Conference 2017. According to Commissioner Green, “We see great benefit [in collaborating] as information can be shared at the touch of a button – data protection has no borders.”

Turning from talk to action, the Queensland Office of the Information Commissioner is currently in the process of trying to update its legislation, and has brought a submission to bolster its principles and bring them more in line with the Australian Privacy Principles.

Of South Australia and Western Australia, Green thinks that while there are some protections for more extreme issues — for example SA has created a newer Act on surveillance — some in government view privacy as an afterthought or believe that there is enough existing statute without requiring specific privacy authorities. However, the Commissioner believes that these states need to be bound by the same standards and protections as the rest of the country, for example relating to criminal code protections or child exploitation.

Ultimately, however, issues taking place internationally will raise privacy practices. The EU is strengthening and harmonising its data protection laws, which means that Australian businesses with ties to the EU must be compliant with these additional protections by 2018. In particular, Green’s view is that small exporters and small departments interacting with those overseas “should lift their game … ultimately Europe will drive stronger Australian practices.”

And in another Australian bellwether, in the UK the Information Commissioner is clamping down on access to data following the Google DeepMind saga — where the NHS was ruled to have breached data protection rules when it handed over 1.6 million patient records to the Google-owned AI company in an authorised trial. The UK Commissioner stated that: “There’s no doubt the huge potential that creative use of data could have on patient care and clinical improvements, but the price of innovation does not need to be the erosion of fundamental privacy rights.” For its own part, DeepMind stated how its fast-moving pace may have been to its detriment:

“In our determination to achieve quick impact when this work started in 2015, we underestimated the complexity of the NHS and of the rules around patient data, as well as the potential fears about a well-known tech company working in health. We were almost exclusively focused on building tools that nurses and doctors wanted, and thought of our work as technology for clinicians rather than something that needed to be accountable to and shaped by patients, the public and the NHS as a whole. We got that wrong, and we need to do better.”

A Privacy by Design approach helps ensure privacy protections

In the face of complexities, the question of when to engage with privacy bodies is not necessarily clear — even among privacy experts themselves. According to Green, “there is a lot of academic debate about it — there’s a risk that you can do too much cooking if engaging early on, which might make it hard to provide feedback later … But, on balance, it’s good to be involved at the start of the process rather than being left in the dark.”

The Queensland Commissioner notes that engagement by agencies can be “a bit haphazard”. He notes that “While [OAIC Privacy Commissioner] Tim has a legislative mandate to be consulted by federal agencies, here in Queensland, our Act says we can comment, but this depends on central agencies or Parliament.”

But regardless of when privacy authorities are engaged, a Privacy by Design approach ensures privacy is built into the process at the start, rather than being an afterthought. The NSW Privacy Commissioner agrees, stating: “In terms of innovations or changes in practices, a ‘Privacy by Design’ approach assists organisations to comply not just with the legislation but also with community expectations. In privacy as in many other areas, community expectations can vary from what legislation provides and also from what administrators find convenient.”

This can be demonstrated in Govpass, which took a Privacy by Design approach to ensure privacy was a ‘core component’. A DTA spokesperson also outlined the importance of consulting with a range of stakeholders, including privacy regulators, experts, academics and civil liberties groups. In addition, they note that “we brought on board a specialist adviser from the OAIC to join the project team who is guiding our policy work around privacy”.

This brings to mind parallels to stories I’ve heard of organisations embedding enterprise architects or other specialists in digital delivery initiatives so that teams can roll out projects more quickly. Perhaps this increased privacy focus in large government projects is a sign of things to come.