Privacy has grown in public consciousness, customer consideration and business governance, to such an extent that the original desire to raise awareness of privacy per se has been eclipsed.
Privacy is now a cross-sector and cross-border conversation. It affects any business that relies on personal information for its success, and that is pretty much every business. It affects any government agency which seeks to improve its ability to better target and deliver services, and that is every agency.
It is paramount to consumers or clients who have investment in their personal identity, and want transparency and choice about how their identity is used and protected — and that is pretty much everyone. I can assure you from the perspective of my office — seeing the calls that come in, the questions that are raised, the complaints that are filed, that privacy remains, and continues to increase as a key issue for the community.
I know that as Australian consumers are known to be early adopters and heavy users of new technology — it may sometimes appear that privacy is not a top of mind issue for consumers. But with the rush of excitement about suddenly being able to access new retail and media now cooling, and consumers being more considered, caring for one’s own personal identity remains core.
This was reinforced just last week in the release of the Deloitte Privacy Index, which reported that 94% of consumers believe trust is more important than convenience in their product and service choices. That clear resurgence of trust over convenience also points to the rewards for businesses who have already adopted the “privacy by design” approach.
The idea that privacy can be a bolt-on extra has always been impractical from a regulator’s perspective but is now also undesirable from a consumer’s. So it’s fair to say there has never been a more important time to ensure that privacy is built into the fabric of business and into every product and service development.
In this era of a data driven economy, where innovation itself relies increasingly on using personal information in new technological contexts, businesses and agencies know that if they go down this path it will be essential that they get privacy right in order for long term success to follow.
We no longer need to debate if privacy is important, and can instead focus on the current and emerging challenges we need to discuss and resolve.
Privacy Professionals Network
Now, for those of you who have worked closely with our office over recent years, you will be aware that the last couple of years have been a little challenging to say the least.
In the 2014 budget the government announced its intention to disband the OAIC, introduce new arrangements for the handling of FOI matters, and re-establish an Office of the Privacy Commissioner.
However, as part of the 2016 budget, the government announced that it would not proceed with those changes and returned funding to the OAIC to enable it to continue with its regulating role under both the Privacy and the FOI Acts.
As you might expect then, with the funding of the OAIC’s privacy and FOI functions now confirmed, you will be hearing from us a great deal and in a diversity of fora and locations.
Starting this month, the OAIC’s new Privacy Professionals Network will provide opportunities throughout the year to engage on the latest business and government privacy regulation debates; and to hear updates and be involved in policy development with the OAIC team.
I’m delighted to say that the first of these meetings will take place in a fortnight’s time, in Perth.
This will in turn be the start of a calendar of professional meetings and seminars to be held in major cities around the country. But the choice to begin in WA is a deliberate one which sends, I hope, a positive symbol of how this national regulator intends to engage with privacy professionals on a national basis.
Big data, big challenge
Turning now to this year, you will be hearing from us on the important issue of how Australia can not only manage, but lead the way in, reconciling the significant policy and innovation potential of big data with the vital public confidence that comes from the protection of personal information.
Exploring and testing this potential is undeniably a current reality of Australian business and government; and as Australia’s privacy regulator, I must respond to that reality. For this reason, my office is consulting on a draft guide to big data in the context of the Australian Privacy Principles.
This has been developed in recognition of the use of data, and its potential to bring about social and economic benefits. But in order to realise those benefits we need to get privacy right as it is critical to consumer and public trust.
There is no doubt that big data practices challenge us to think about how key existing privacy principles — including notice and consent, data collection, use limitation and retention minimisation — work in practice.
However, the APPs are technologically neutral, and structured to reflect the entirety of the information lifecycle. This means entities have the flexibility to tailor their personal information handling practices to respond to the privacy challenges of big data uses.
The draft guide is aimed at facilitating big data activities while protecting personal information. It encourages entities to take a risk management approach and to use existing privacy tools to get privacy right for big data. Key privacy requirements and helpful privacy tips are outlined in the draft guide, and we want your feedback so together we can get privacy right in this important area.
Deidentification in government and business
My office is of the view that obtaining an agreed understanding of the role that deidentification may play is a key priority, and one we want industry and expert input on.
Deidentification if done properly, can be a privacy enhancing tool with potential to unlock the value of big data. And the OAIC will be revisiting its guidance on deidentification in coming months. To that end we will be conducting a series of conversations, through the Privacy Professional’s Network and other networks, to work with business, government, consumer and technical groups on the possibilities of deidentification.
We want to ensure that our end guidance is not only an accurate reflection of the Privacy Act, but also a practical and reliable solution that builds public confidence in the potential public benefit of data-driven innovation.
To be clear, my office understands the value of information. Indeed, the FOI Act, which I also regulate, is underpinned by the principle that government held information is a national resource — with all the associated expectations as to how it should be used in transparent public interest and to the best value.
We also understand that the value of this information is often best realised when it can be shared, used and built upon. And, as principles-based law, the Privacy Act is flexible enough to support all manner of data initiatives, provided that an integrated approach to privacy management is taken up front.
With this in mind you’ll also see a lot of focus from us on the Internet of Things and tech start up sectors this year — working to build privacy governance into the outset of our future tech-leading companies. We are collaborating with these sectors on the need to get privacy right and are encouraging them to make use of tools like our Privacy Management Framework, and our template for small and medium enterprises.
This collaborative approach is our preferred model to regulation but rest assured that it will continue to be supported by a robust calendar of assessments, investigations in a variety of business and government sectors.“One of our top sources of complaints is about giving access to an individual’s own personal information.”
Without divulging our full assessment calendar I can say that — building on our assessment of Coles and Woolworths loyalty programmes so far this year — it will include a look at some of the other most popular loyalty schemes in Australia.
We will also be continuing a strong focus on telecommunications as part of our oversight of the privacy aspects of the telecommunications metadata retention regime, as well as examining government agencies with significant personal information holdings.
I stress that being the subject of an assessment does not necessarily mean that there is anything untoward. But our assessments are vital to providing consumer and public transparency as to how their individual privacy rights are being protected and respected. They are also designed to assist entities to enhance their information handling practices.
What is personal?
The focus on individual rights also continue this year with the start-up of another important consultative forum, our Consumer Privacy Network, the CPN. The first meeting of which will be held next week.
I look forward to the CPN informing many of the policy and public education initiatives we have planned for the coming year — particularly as we look to expand the public education and information role of the OAIC, to ensure that people continue to be aware of their privacy rights and how to exercise them.
This will continue to be supported by a dispute resolution, conciliation and determination system that I am pleased to say is now running more effectively and efficiently than ever before — providing timely and fair outcomes for complainants, as well as clear guidance to businesses and agencies on regulatory expectations.
For example, one of our top sources of complaints is about giving access to an individual’s own personal information. We want to make it easier for business and agencies to get this right, so we’ve developed a new access and correction resource.
More broadly, last financial year our office received some 12,241 privacy enquiries, opened nearly 3000 complaints and closed close to 2000, as well as handling 117 voluntary data breach notifications. We also conducted 19 assessments involving 101 entities across government and business. Our average resolution time for formal complaints has also come down significantly.
In August, the very definition of personal information — arguably the most important term in the Privacy Act– will be considered by the full bench of the Australian Federal Court.
As many of you will recall this definition was explored by the Administrative Appeals Tribunal, in an appeal of my determination in the matter of Grubb v Telstra. The AAT’s decision presents, potentially, a new and different scope to what constitutes personal information under the Privacy Act.
I firmly believe that clarity and certainty around that definition are critical to the operation of the act and to the fair and reasonable expectations of any business or agency which is required to be accountable to it.
Accordingly, I am of the view that consideration of this issue by the full bench of the Federal Court is essential for both our office, and the entities we regulate.
This is an edited extract from a speech by Timothy Pilgrim for PAW Business Breakfast on May 16 in Sydney.