New South Wales privacy commissioner Elizabeth Coombs wants to help government agencies do a better job of protecting personal information, but says she needs more funding to do it.
Coinciding with Privacy Awareness Week across the Asia-Pacific, Coombs delivered a raft of recommendations today on how to strengthen privacy across NSW in her annual report to parliament on the operation of the Privacy and Personal Information Protection Act 1998.
Along with a list of legislative changes to address newer technological challenges and bring the act into line with other jurisdictions, Coombs also wants to improve privacy practices across the state’s public service. She suggests establishing cross-agency projects, with the NSW Public Service Commission and Department of Premier and Cabinet being key candidates.
Noting that the way public service agencies are run has a significant effect on privacy protection, she reports:
“Some of the issues raised by agencies reflect the need for greater organisational capability in understanding privacy and its governance. This can be reflected in the management of privacy risks and sometimes, in the erroneous use of privacy as a reason not to provide information requested or to maintain ‘information bunkers’.”
Coombs says NSW agencies have displayed an “overall commitment to good privacy frameworks and practices” throughout the year. Some have performed strongly but others are “still to understand the importance of privacy in establishing a strong customer service ethos and organisational accountability”. She acknowledges that agencies need more support and that, to date, it has been “insufficient”, but says “improved resourcing … is required to enable this to occur”.
The privacy commissioner also wants to see the law changed to ensure that privacy protection is never weakened through the outsourcing of government services to private companies and not-for-profits. She also believes the right to view and correct personal information that is held about you should be enshrined solely in the PPIP Act, not in the Government Information (Public Access) Act 2009, and explains:
“This would simplify the current multiple arrangements and remove the administrative complexity imposed on NSW public sector agencies.”
While the growing legions of digital evangelists continue to promote the view that privacy is dead, or at least terminally ill, Coombs noted that the NSW public still hold onto the idea that privacy is inherently a good thing, for its own sake. According to the report:
“The public is concerned about ‘big data’ and data mining, surveillance, identity theft, on selling of personal information, ‘big brother’ and metadata interception, risks in the shared economy, vulnerability particularly of seniors and younger children, seemingly insecure storage of personal information by organisations including ammunition retailers and the excessive amount of personal information collected for mundane transactions — amongst other things!”
The privacy commissioner says the shift to a simpler, consolidated service delivery model featuring one-stop shops is “an opportunity to place privacy respectful practices at the heart of customer services and build trust with the community”.
Coombs wants to see greater protection for data that is sent interstate by government agencies, the right to anonymity and pseudonymity “where lawful and practicable” and mandatory reporting of serious breaches, “particularly if this is introduced into Commonwealth legislation”. She explains:
“A shift from old style reactive compliance to proactive and effective incorporation of privacy in organisational governance and culture is the future and the adoption of the ‘privacy by design’ principle provides the vehicle to achieve this shift.”
Concerns around ‘big data’ and the increasing use of surveillance devices are particularly “high in the public’s consciousness”, according to Coombs, who advises:
“The challenges and risks to privacy protection posed by these developments require strategies to utilise such technologies while protecting the privacy and personal information of individuals. Similarly, data sharing and data mining concern the public.
Appropriate methodologies for data sharing and de-identification of data are required to enable agencies to utilise the sector’s data for policy development and service planning while protecting the privacy of individuals whose personal information is being utilised.”
Clients of all state-owned corporations should receive formal privacy protection, in Coombs’ view, either under Commonwealth law or the NSW PPIP Act she administers. She suggests amendments at state level to better harmonise the national privacy regime would be more practical than attempts to create a single, national framework, which would be “neither quick, easy nor necessarily successful”.