A new Australian Public Service privacy code will be developed in coming months and implemented next year, in the hope of reassuring sceptical citizens that government agencies can be trusted to collect, store, analyse and share data about individuals.
The Office of the Australian Information Commissioner and the Department of the Prime Minister and Cabinet jointly announced the decision as part of Privacy Awareness Week, which ends on Sunday.
For the OAIC, this year’s theme is “trust and transparency” while in Queensland, it’s “care before you share” and New South Wales has a whole month dedicated to privacy. We’re also in the middle of Information Awareness Month, which is centred on similar issues.
The Commonwealth’s set-piece reveal included a formal letter that information commissioner Tim Pilgrim sent PM&C secretary Martin Parkinson in March, asking the central agency to either develop the code itself with his help or the other way around, as well as Parkinson’s affirmative reply, which followed a meeting of federal secretaries on May 3.
The code will be built around the Australian Privacy Principles, particularly point 1.2, and PM&C says it will also “circulate comprehensive guidance material that will help agencies comply with the requirements”.
The central agency has faith that yet another set of rules will turn around the significant and growing concerns about how much information government is collecting about citizens, and how well it can secure it:
“PM&C supports the development of the Code, as strong personal data protection is vital to unlocking the potential of government-held data. The value of publicly held data is often maximised when it can be shared and built upon, so it is vital that APS-wide standards and capabilities are obtained. The Code can therefore be a catalyst to transform the Australian Government’s data performance – increasing both internal capacity and external transparency to stakeholders.”
“Privacy protection fully supports data innovation when an integrated approach is taken,” Pilgrim added in the joint statement.
“The Privacy Code, and its supporting tools and resources, will ensure the APS has the skills and capabilities to place that integrated approach at the centre of public sector innovation. We are looking to make best practice the only practice for government-held data.”
A symbolic code with no new obligations
In his initial letter, Pilgrim told Parkinson there was an “urgent need for the Australian Government to build a social licence for its uses of data” but also said the proposed code would contain no new obligations and mainly act to “symbolise the APS’s commitment to the protection of privacy” as a way to build public trust.
The code would be more action-based than the principles, with explicit guidance on how to comply with the existing obligations like:
- have a privacy management plan;
- appoint a dedicated privacy contact officer;
- appoint a senior official as a ‘Privacy Champion’ to provide cultural leadership and promote the value of personal information;
- undertake written Privacy Impact Assessments (PIAs) for all ‘high risk’ projects or initiatives that involve personal information;
- keep a register of all PIAs conducted and make this available to the OAIC on request; and
- take steps to enhance internal privacy capability, including by undertaking any necessary training, and conducting regular internal audits of personal information-handling practices.
To explain his push to codify best practice, Pilgrim listed the policies pushing government agencies to rapidly embrace data sharing as well as Australia’s new commitments to the international Open Government Partnership, recommendations of the Productivity Commission’s recent inquiry into data availability and use, Alastair MacGibbon’s review of the 2016 Census failure, and new European Union regulations that come into force next year.
“Against this background, it is particularly important to remember that many APS agencies have powers to collect personal information on a compulsory basis, in exchange for the provision of services and payments. This means that in a practical sense, individuals are not always able to exercise meaningful choice over how their personal information is used.
“Finally, a number of Australian Government agencies have been involved in several high profile privacy incidents in recent times. While these have been the result of a range of circumstances, through my Office’s subsequent involvement in them, I have formed the view that there is a need to strengthen the overall privacy governance processes within APS agencies. I believe that if this is not done, there is a risk that the community may lose trust in the ability of government to deliver on key projects which involve the use of personal information.”
Survey says… a third of people don’t like government data sharing
Pilgrim also recently released the results of the 2017 Australian Community Attitudes to Privacy Survey, which showed that only about one third of Australians are OK with government agencies sharing their personal information with other agencies.
In comparison, only 10% said they were fine with companies doing the same.
Combined, state and federal government departments are considered trustworthy by about the same proportion of the population as financial institutions, according to the survey, with both groups scoring just under 60%.
About 40% of citizens are uncomfortable with government agencies using their personal details for research or policy-making purposes, but another 46% are cool with it.
Having said that, the privacy of Australians can be bought pretty easily; 33% would trade personal information for rewards or benefits, 32% for “better customer service” and 20% would do so just for the chance to win a prize.
Meanwhile, the NSW Information and Privacy Commission released its own report, Conditions Enabling Open Data and Promoting a Data Sharing Culture, an academic affair it commissioned from legal scholar and cyber security expert Alana Maurushat of UNSW.
The Digital Transformation Agency also chose this week to publish a blog post explaining how it will attempt to build “privacy by design” into the GovPass digital identity framework, which is sure to face opposition from privacy advocates.
The Queensland Crime and Corruption Commission got into the spirit of Privacy Awareness Week with a reminder to public servants not to abuse their access to sensitive information about other citizens.
“Due to the nature of the work of some Queensland public sector agencies, they handle private and confidential information. Public servants, including police officers, have an obligation not to misuse the access to this information,” CCC chair Alan MacSporran said in a statement.
“What may seem like a simple peek at someone else’s private information is actually a serious invasion of privacy. It can potentially amount to a criminal offence and be the subject of an investigation by the CCC.”
The CCC received 554 corruption allegations relating to the misuse of information between July 1, 2016 and April 30, 2017 — about 9% of all allegations it receives, and a slight decrease from the 638 allegations received in the same period of the previous financial year.
“Misuse of information allegations can involve accessing or disclosing official information without a legitimate reason, unintentionally disclosing official information, falsifying information or records, acquiring or retaining information or records illegally, or inadequately safeguarding information,” MacSporran explained, adding that the CCC would continue to focus on “improper release of confidential information” in 2017-18.
“The public has every right to expect their personal information is not being accessed or disclosed unless there is a lawful reason.”
The CCC publication Information security and handling provides public sector agencies with practical advice to ensure private and confidential information is secured. Another of its reports considered Unauthorised access, disclosure and the risks of corruption in the Queensland Public Sector.