If a new Australian Public Service privacy code is to increase public confidence in government, public service leaders will need to be very clear and open about exactly what is going to change.
The process of developing a code, which includes a public consultation process, has only just begun. But when there is already a Privacy Act and Australian Privacy Principles for the public service to follow, it is going to be difficult to convince citizens that a third addition to the framework is going to make much difference.
Last week’s announcement, consisting mainly of letters exchanged months earlier between privacy and information commissioner Tim Pilgrim and APS head Martin Parkinson, as well as a joint statement from the two, was a rather soft launch.
Pilgrim’s letter was by far the most detailed statement but was not written to the public. It’s useful — if the aim is to reassure public servants that the new code won’t make their jobs more difficult or even very different to now — but not so useful in explaining the point of the code to sceptical citizens.
The Privacy Week announcement stands in contrast to Pilgrim’s tough talk at a hearing of the Senate inquiry into Centrelink’s controversial debt recovery operations, which occurred on the same day and became the source of several slightly misleading news reports about the new APS privacy code.
Anyone reading reports of this hearing could be forgiven for thinking the plan was to empower Pilgrim to impose big new fines — up to $1.8 million! — on APS agencies that fail to comply with strict new rules that would be imposed next year.
But these potential civil fines already exist under the Privacy Act, and Pilgrim confirmed by email that the code will not add any new penalties. It is far from clear that a new code will really give the Office of the Australian Information Commissioner any sharper teeth than it has now.
“Powers such as to make binding determinations, issue compensation orders, or to seek civil penalties, are already available to me in the event of Privacy Act breaches,” he added.
Challenged to explain real penalties
As Hansard records, the commissioner told the senators about the maximum penalty that is possible “if there has been a serious breach, or a repeated breach” — as well as the other steps that come first, like a legally binding “written undertaking” to change a process.
It is unlikely that an alleged breach of the principles by a government agency would ever get that far, and it is extremely doubtful that a new code will increase the chance of Pilgrim taking them to court. It sounds like it won’t add additional requirements — even though it could under the act — and Pilgrim’s suggestion that it will “symbolise” the government’s newfound commitment to privacy is hardly likely to inspire public confidence in the OAIC’s regulatory oomph.
What the code will do is add another layer to the existing framework with more explicit guidance to agencies on how they should practically embody the privacy principles in a public service context. At this stage it sounds like a legally binding good practice guide, and it is hard to guess what the public will make of it when it emerges next year.
The APS privacy code will only be the third of its kind and the two existing codes, covering credit reporting and social research respectively, have more focused aims.
The clearest point Pilgrim made at the inquiry was that he wants to see agencies doing more privacy impact assessments, doing a better job of them, and publishing them.
“Through the code, privacy impact assessments will need to be undertaken where there are high-risk activities going on, using quite complex and detailed sets of data,” he told Nick Xenophon Team senator Skye Kakoschke-Moore. “Under the act it will be a requirement to publish those impact assessments.”
It’s not clear what this means exactly because again, it is early days and the code is still months away from being finalised.
“My intention in introducing the Australian Public Service Privacy Code is to ensure all Commonwealth agencies approach privacy management in an integrated way, as well as providing resources and support to build this capability,” Pilgrim told The Mandarin.
“The implementation of the Code will also provide Australian communities with confidence that a single, high standard of privacy protection exists across government agencies they deal with.”
Will it? This simple and optimistic view, which is echoed by Parkinson, seems to underestimate the scale of the challenge.
Breaches often accidental, caused by rashness
Digital identity and privacy consultant Stephen Wilson doubts a new code will have much effect, especially if it only amounts to a promise to follow the existing law, but thinks more governance around privacy protection can only be a good thing.
“I think that a lot of what we see time and time again in the APS is just rashness, at different levels,” he told The Mandarin, referring to privacy accidents that could be reduced with requirements that force public servants to “look before they leap” more often. In some cases, “a second pair of eyes” might be all that’s needed, he says.
“I don’t think a code in and of itself is going to have a lot of dramatic effect. It will take months and months and there’s a whole class of privacy breaches that it won’t touch anyway,” he adds.
Wilson believes “calculated, deliberate releases of data” like in the controversial case of blogger Andie Fox will continue, given the minister and department both defended their actions in that case, and that a new code would not stop the release of supposedly anonymous datasets that can technically be re-identified later.
Privacy issues are seen by a lot of public servants as a hindrance, blown out of proportion by hysterical protestors — but as a recent survey also published last week by the OAIC shows, worries about government agencies playing with personal information go well beyond a radical fringe.
In Wilson’s view, the key issue is cultural. He sees a lot of open data “utopianism” in the public sector but too little concern about privacy protection, or critical analysis of the true costs and benefits of combining and sharing huge amounts of data.
He believes the views of public servants are too heavily influenced by the enthusiasm of a small subset of the community — those who use a lot of open data for research or commercial reasons — and that the problem of re-identification has not been taken seriously enough.
He thinks agencies declare datasets have been de-identified or anonymised with far too little appreciation of the risk that they may not stay that way. The risk is different in each case and, he argues, should be addressed clearly and publicly in a PIA every time.
“Public servants seem to think that a key performance indicator is to just put more and more government data out into the public domain… I think that whole movement has become almost religious,” Wilson said.
“There’s almost a cultural expectation that we’re going to keep putting public data out there, and we’re going to have a modicum of security and a modicum of de-identification around it.”
Pilgrim seems to be caught between reassuring government that this process will restore trust and allow its “innovation” with data to continue apace with fewer pesky interruptions, and telling the public the new regulations will mean they can rest easy after a few high-profile stumbles and controversial incidents.
The key issue is that the government is enamoured with providing open data to the research and commercial sectors, as well as its own new projects based on data analytics, and it has become clear that it needs a lot more “social license” to continue doing so.
For this process to work, it is imperative to get the balance right between what the government wants — the social license to keep going ahead in the directions it is going with data analytics and open data — and the needs of citizens to not only feel like their personal information is in safer hands, but for this to be the reality, through genuine changes to culture and practice.