Privacy commissioners of four states and the Commonwealth are celebrating their week on the awareness-raising calendar, at the pointy end of an election campaign that has raised awareness of one privacy risk in particular: that posed by political parties.
Calls for political parties to be brought under federal privacy legislation have become more frequent in light of contemporary fears about data security. With modern campaigning through creepy messages, data collection via tracking emails, and through postal votes, there is perhaps greater public understanding that political parties amass and combine a lot of personal data on citizens. But there is little transparency about exactly what they have, how they collect it or how they keep it secure, and in the name of free political communication, few rules constrain them.
In the clamour of the campaign’s climax, Privacy Awareness Week has some privacy authorities out at shopping centres and train stations, much like the parties, but with brochures, posters and fact-sheets all about protection of personal information. While telling people about their rights, PAW also involves trying to rekindle the conversation about responsibilities within government agencies.
Samantha Gavel, the New South Wales commissioner, said PAW was not just a good opportunity for her to remind agencies of their responsibilities.
Agencies could also use it as a chance to “raise the profile of privacy within the agency, make sure that they’ve got a privacy-aware culture, and reflect on the sort of work they’re doing and what else they can do to raise up privacy [standards] within their organisation and in the work that they’re doing.”
“And I would say that is particularly relevant if they’re doing digital-first delivery and some of those more innovative things that government’s doing now, because anything to do with digital technology tends to involve personal information and therefore privacy needs to be very much at the forefront of that,” Gavel told The Mandarin.
There was strong interest in seats at the NSW Information and Privacy Commission’s seminar for public-sector senior executives and privacy officers on Wednesday. Customer Service Minister Victor Dominello agreed to grace the proceedings along with international expert Sheila Fitzpatrick, privacy lawyer Peter Leonard, Transport for NSW general counsel Clair Hodge, and the government’s Data Analytics Centre chief Dr Ian Opperman.
Gavel said Fitzpatrick had a good understanding of the NSW and Commonwealth privacy regimes, having regularly visited Australia, and was a font of knowledge on the European Union’s General Data Protection Regulation as well.
“But of course a lot of the principles for privacy are similar around the world, because privacy legislation is principles-based. It is about how organisations collect information, how they store it, how they use it, how they disclose it.”
One can’t simply log out of government
In NSW, Samantha Gavel’s theme is about looking ahead to the nature of privacy, consent and digital government over the next 20 years.
Information technology is has already made it much easier to invade and harder to protect privacy, while companies of all kinds work to monetise data – it’s already been a decade since the head of Sun Microsystems uttered the immortal words, “You have zero privacy anyway. Get over it.”
That kind of thinking is questionable enough when it reportedly comes from the head of Facebook or some other commercial enterprise, hoping people will pay for a service with their privacy, it clearly does not apply in government.
“Citizens, the public, don’t really have a choice to deal with you when you’re a government service,” said Gavel.
Part of public trust in general is the need to work on achieving a “social license” for each new program or project, and this requires agencies to be responsive to new challenges and technologies; “practices like proactive reporting of data breaches help promote an organisational culture of privacy protection” in the NSW commissioner’s view.
“Certainly in the NSW government, in the work that I’ve been doing, I’ve been pleased to see that people do take privacy seriously,” she added. “They do understand that it’s important and they do come to us for advice on how to ensure that some of the projects they’re working on are privacy respectful.”
Government agencies should always try to build in “privacy by design” as much as possible in projects that involve personal information; this should always involve exploring ways to strengthen privacy when digitising an old process of government, where possible, and investigating all the inherent risks that are introduced.
Surveys by agencies like the IPC have generally found public support for projects that involve data sharing between government agencies or collection of personal information does depend to some extent on how well the potential benefits are accepted.
It depends on the context, of course, but to Gavel the surveys suggest public wariness over privacy and data protection regarding government projects is not irrational fear. Her view on how agencies might respond to public criticism begins with getting things right the first time.
“I think it’s about going back to basics for agencies, so … making sure that they do a privacy impact assessment, that they include privacy by design, so that when they are thinking about projects, at every stage they’re looking at how [they can] do this in a more privacy respectful way.
“So it’s about making those little decisions all the way along and thinking about these things ahead of time so it really is about being proactive. I think where you do see some of the more controversial projects, it’s perhaps because some of this thinking wasn’t done early enough and incorporated in.”
When privacy risks are identified through a PIA, “you do need to pay attention to what comes out in your privacy impact assessment and mitigate the risks, not just ignore them.”
What’s everyone else doing?
Each state has a different theme for its PAW campaign: In Victoria, it’s all about shared responsibility for information commissioner Sven Bluemmel and privacy commissioner Rachel Dixon, whose office organised several public lectures and information packs on privacy rights, governance, how to respond to data breaches, and matters of digital information.
“Good privacy practices should not only be upheld because it’s the law, but because it is an important part of creating a better society,” said Bluemmel.
“Protecting privacy truly is everyone’s responsibility. Poor privacy practices by some can cause harm to all of us by undermining trust in democratic processes.
“Because of this, it is vital that we empower every person to understand the impact their individual privacy choices can have.”
In Queensland, the message is to “build privacy into your everyday” and for its events, the Office of the Information Commissioner has selected some very up-to-date topics for government agencies: biometrics, automation and data de-identification — as well as the frightening possibility of re-identification.
The Northern Territory Commissioner is emphasising that privacy is “good for business” in its efforts to talk about privacy rights and responsibilities at shopping centres, and running a forum for the relevant public servants on Thursday.
At federal level the Office of the Australian Information Commissioner has set up up an eye-catching website that implores, “Don’t be in the dark on privacy.”
The OAIC is focusing on data breaches, online security, credit rating information, health information and the risks of sharing personal information. Events include a sold-out “business breakfast” in Sydney, a podcast recorded by Legal Aid NSW, and the launch of Deloitte’s Privacy Index on Friday, while the agency has published its latest “insights report” on notifiable data breaches.
“Our personal information is a vital input into the economy and government agencies,” said information commissioner Angelene Falk, adding that over 450 organisations had signed up as PAW supporters. “Managing this information responsibly, as organisations face increasingly complex data protection challenges, is critical.”
Also on Friday is a forum for federal public servants run by the Australian Government Solicitor featuring two information commissioners, Victoria’s Sven Bluemmel and his federal counterpart Angelene Falk, with a gaggle of privacy and FOI experts.
Do they know it’s Privacy Awareness Week at all?
There seem to be no public agencies in Western Australia, South Australia, Tasmania or the ACT that officially observe Privacy Awareness Week, which is an international event begun in Australia’s region by the peak body for Asia-Pacific privacy authorities.
WA and SA do not have privacy commissioners or statutory privacy regimes, but there are regulations, principles and guidelines. In the ACT, the OAIC performs “some of the functions” of a privacy commissioner for the territory, and in Tasmania the Ombudsman handles alleged breaches of the state’s Personal Information Protection Act.
SA has a set of public-sector “privacy principles” overseen by a committee, and regulations around protection of personal healthcare information are the remit of a dedicated commissioner.
“In addition, the South Australian Department of Health and Department of Families and Communities have developed a Code of Fair Information Practice which outlines what the Departments and their service providers should do, and what clients can expect, in protecting personal information,” explains the OAIC “The Code also has its own set of privacy principles which have specific requirements for the handling of health information.”
In WA, “Various confidentiality provisions cover government agencies and some of the privacy principles are provided for in the Freedom of Information Act 1992 (WA) overseen by the Office of the Information Commissioner (WA),” the OAIC explains. “The Health and Disability Services Complaints Office (HaDSCO) is an independent statutory authority that also handles complaints relating to health and disability services in Western Australia.”