Privacy Commissioner’s speeches during Privacy Week
May 14, 2014
During Privacy Week the Privacy Commissioner gave, or at least published on the OAIC website, three speeches: Mapping data breach notification, Privacy matters and Defining the sensor society.
They relevantly provide:
Defining the sensor society
It’s a pleasure to be here to speak to you today for Privacy Awareness Week, especially with so much going on in the privacy sphere lately.
Defining the sensor society is an ambitious and important topic for a two day conference. As Australia’s Privacy Commissioner, you will not be surprised to learn that, in my view, any discussion of this topic should have privacy and the protection of personal information at its core. And so I am encouraged to see that is the case in a number of the presentations that you will hear over the next two days.
Privacy is rarely out of the news these days. The media continues to report on exciting new technologies as well as on activities that raise privacy questions and fuel discussions — think of the News of the World revelations, and technologies like Google Glass, drones and of course the debate around the US PRISM system.
It might be worth starting the day by setting up a framework for what is meant by privacy.
Article 17 of the International Covenant on Civil and Political Rights, to which Australia is a party, states that:
- No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
- Everyone has the right to the protection of the law against such interference or attacks.
This established privacy as a human right. The Australian Privacy Act 1988 seeks to protect it in the context of informational privacy, but the right to privacy is also balanced against other competing rights, like freedom of expression, which creates a complex relationship between privacy and the media. Law enforcement and national security are other factors that need to be taken into account and balanced against the right to privacy. Different groups of people will have different opinions on how these should sit in relation to each other, and where that balance should be, which is something that is receiving a lot of media and public attention at the moment.
So why is privacy important? One answer is that people need private space, and they need privacy to be free:
Whichever way you look at it, people have the right to make choices and to exercise some control about their privacy, about how their identity is used and disclosed. Privacy is about protecting information about who we are, what we do, what we think, what we believe. It is important that organisations and the Government support people’s right to make the choices that work for them.
In Australia, privacy law is primarily concerned with the management and protection of personal information. The Privacy Act defines personal information as information or an opinion about an identified individual, or an individual who is reasonably identifiable.
Common examples of this include name, date of birth, address, medical or financial details. And now biometric information is included in the definition of sensitive information, a subset of personal information.
But the Privacy Act is not a catch-all — it doesn’t cover the acts of individuals or small businesses, and there are a lot of areas commonly associated with privacy that are not a part of current privacy legislation. Surveillance, for example, is covered by a different set of laws around the States and Territories, as well as nationally.
Defining the sensor society
People clearly remain extremely sensitive about how governments handle their personal information. The release of information relating to the US PRISM system reignited an important and complex debate about the collection of personal information for the purpose of national security. While privacy laws around the world recognise that in democratic societies such as ours privacy cannot be absolute, it is even more important that where collection of individuals’ personal information occurs for the broader interests of the community, there is as much transparency of these activities as possible. There is also need for the information to be protected in terms of strictly limiting its use, destroying unnecessary information in a timely way and ensuring that those entities with access to the information are subject to strict protocols and oversight by independent bodies. Greater transparency of these activities would help to go some way in engendering increased community trust.
It is 65 years since the publication of George Orwell’s dystopian novel 1984 and its vision of the superstate Oceania, a world of omnipresent government surveillance and public manipulation. We are now 30 years beyond 1984 but the concept still resonates, and remains a key theme in movies, books and TV shows — you only have to think of the plot lines of the blockbusters Enemy of the State, Minority Report and the Bourne series, to name just a few, not to mention pop culture references in TV shows like The Simpsons and Futurama, to see how interested people are in these issues. There is even a play about privacy currently playing in the West End in London. These more contemporary representations reflect what we know and are talking about today: the sensor society is not just about government surveillance.
As the brochure for the conference suggests, we are surrounded by sensors: our cars collect detailed information about our driving habits and destinations; our smart phones gather a growing array of increasingly detailed and comprehensive information about our communication activities and more. There are now more than a billion users of Facebook, and the number of devices that are connected to the internet is rapidly approaching a trillion. New methods of harnessing this connectivity are appearing every day — apps that allow you to use your phone to get cash out of an ATM, apps that allow you to pay for a taxi without getting your card, or even your wallet, out. The growing network of sensors contributes to a fast-growing stream of data about everything from the weather to the details of our personal lives and our movements throughout the course of the day.
The shift to ubiquitous, expanding and accelerating data collection marks important changes in our understandings of surveillance, information processing, and privacy in the digital era. A recent discussion paper by the Australian Law Reform Commission into serious invasions of privacy in a digital era includes a lengthy section on emerging threats to privacy. This section engages with some very topical privacy issues, such as surveillance, but also around coverage of the Privacy Act — in the technological world that we now live in, it is increasingly individuals that pose risks to the privacy of other individuals — through personal surveillance, through social media and the online environment. This makes the question of how individuals can protect their privacy a difficult one, and certainly one that will require more discussion at all levels.
New technology and privacy are increasingly connected and more complex interactions and questions are coming up every day.
In the last year, our office has been involved in a lot of discussions about new technology and the privacy implications.
I recently provided a briefing to a Senate committee about the privacy implications of drones. Drones are one example of a privacy issue that is quickly coming to the fore, but the issue is complicated by the fact that they can easily be owned and operated by individuals, which is not covered by the requirements of the Privacy Act.
The need for a coordinated approach
While such technology captures the community’s attention it also captures the attention of privacy regulators globally. During the year privacy regulators around the world continued to foster greater international cooperation in the light of such developments. Through forums such as the Global Privacy Enforcement Network, the APEC Cross Border Privacy Enforcement Arrangement and regional groupings of Privacy Regulators such as the Asia Pacific Privacy Authorities Forum, concerted efforts were undertaken to build a coordinated approach to regulating the protection of personal information.
During the last year we joined with privacy regulators from around the world to engage with Google about the potential privacy concerns around the development and use of Google Glass. We also participated in the Global Privacy Enforcement Network internet sweep, where regulators from around the world chose one week to target and assess the privacy policies on high traffic websites and mobile apps.
During this sweep we looked at the 50 most trafficked websites in Australia and found that most of them had issues with the readability, findability, relevance and length of their privacy policies. We will be participating in the sweep again this year — it will be taking place next week, and we will be looking at key mobile apps. With the changes to the requirements for privacy policies due to law reform, we are hoping to see an improvement in the quality of privacy policies.
Community attitudes
The Community attitudes to privacy survey that we conducted last year shows that Australians are increasingly aware of their privacy rights and are increasingly expecting the highest standards from both business and government.
- 63% of Australians have decided not to deal with a private or public sector organisation due to concerns over the way their personal information is handled. This is an increase from 40% 5 years ago.
- 69% of Australians are uncomfortable with advertising being targeted at them based on their online activities.
- 78% of people are uncomfortable with there being databases of information based on what they say and do online.
- 33% of Australians reported having had a problem with the way their personal information had been handled in the previous 12 months
- 95% of people think that government and business should inform them how their personal information is handled and protected
- 96% of people think that government and business should tell them if their personal information is lost.
This increase in privacy awareness and concern is supported by what we are seeing in enquiries and complaints to our office. Since the commencement of our office there has been a gradual but steady increase in the number of privacy complaints we have received.
In the 2012–13 year we received over 12,000 privacy enquiries and 1496 privacy complaints. So far in this financial year to date we have already received 12,000 privacy enquiries and 3000 complaints.
Law reform
I thought I would finish today by talking a little bit about law reform — the changes to Australian privacy law that came into force on 12 March this year. A lot of the topics that will be discussed at this conference are not covered by the Privacy Act, but the changes that result from law reform are large and significant, and you can’t talk constructively about privacy issues without an accurate understanding of how that particular Act works, and what it covers.
There are a lot of changes to process for businesses and government due to the Australian Privacy Principles, and a lot of those will have a direct impact on individuals as consumers of services, whether in regards to new rights or a change in the way a service provider interacts with you. There are a few key new areas for individuals which I thought might be useful to outline.
Openness
The first is openness. Under the new laws, businesses and government agencies that are covered by the Privacy Act have greater responsibility to manage information in an open and transparent way.
They must have a clearly expressed and up-to-date privacy policy explaining what they are going to do with your personal information. They should also be providing individuals with a ‘privacy notice’ when they collect personal information, which should give more specific information about why they are collecting your information and what they are going to do with it.
The Community attitudes to privacy survey that we ran last year shows that 13% of people never read the privacy policies on websites, and 62% of people only read them occasionally. I strongly encourage everyone to read privacy policies — a good privacy policy will tell you a lot that you need to know about what will happen to your personal information. We have just released a poster, which is available on our website, that gives some practical tips of what to look for in a privacy policy, and I strongly encourage you to read it. Equally, I strongly encourage organisations to make their policies accessible both in content and in format — there are many techniques available to improve the comprehensibility of this kind of communication, such as the use of graphics or videos.
Your identity
The second key issue is about identity privacy. You now have the right to deal with any organisation that is covered by the Privacy Act, whether public or private sector, anonymously or using a pseudonym. Obviously there are some circumstances where this will not be appropriate and you will have to prove your identity, but this option exists for all people in a lot of situations.
Direct marketing
The third area that is likely to impact on individuals is in regards to direct marketing. Entities are only allowed to use or share your personal information for direct marketing in very specific circumstances. They must also provide you with a simple method of opting out of receiving direct marketing, and tell you where they got your information from if you ask them.
Disclosing personal information overseas
The fourth significant area of change is cross-border disclosure, where your personal information is disclosed to an organisation outside of Australia. Under the APPs, if your personal information is disclosed overseas, the Australian entity remains responsible for how it is handled. There are some exceptions to this, but overall this new requirement puts a higher onus of responsibility on entities who disclose your personal information.
Access and correction
The last area that is substantially affected by the APPs is your right to access your personal information and have it corrected if necessary. Generally speaking, if you ask an entity for access to your personal information they have to provide it within a reasonable period of time, which the OAIC considers to be within 30 days.
If an entity refuses to give you access or to correct your personal information, they must give you written notice outlining the reasons for their refusal.
The OAIC has just published a fact sheet called ‘How changes to privacy law affect you’ and I strongly recommend that you read it. You can’t enforce or protect your rights if you don’t know what they are — privacy is about respect for the protection of all of our personal information. That is information that says who we are, what we think, believe, feel, what we have done and what we want to do. Protecting privacy is about respecting the dignity of individuals.
Other people and organisations make decisions about us based on what they think they know about us through this information. That impacts each of us as we go about our daily lives. Privacy is a complex issue but the aim of privacy law is to help us set the boundaries and expectations, initially through transparency of business practices to build awareness and, through that, trust. This should allow businesses and government to go about their legitimate activities while the community can expect their privacy to be respected.
And
Privacy matters
It’s a pleasure to be here to talk to you this morning about some of the changes to the Privacy Act that came in on 12 March, but also to talk to you about privacy awareness more generally. And I understand that we’ll have time for some questions at the end so hopefully you’ve done your research.
It is probably worth starting today by asking ‘why is privacy important?’ Of course, the answer is complex, contextual and like the concept of privacy itself, ever changing.
Of course identity security is one of the key answers to this question — in a technological and information age, issues like identity fraud and theft are an increasing problem. With the sheer volume of personal information that is stored electronically these days, protecting your privacy in the online environment is both necessary and just common sense. But there is also a larger point about the importance of privacy.
One answer to the question is that people need private space, and they need privacy to be free:
- to behave and to associate with others without the threat of constant surveillance
- to innovate, and to think, argue and act — the ingredients of any healthy democracy.
One of the purposes of the Privacy Act is to support and maintain Australia’s obligations to the International Covenant on Civil and Political Rights, where article 17 says:
- No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
- Everyone has the right to the protection of the law against such interference or attacks.
Privacy is a human right, the Privacy Act seeks to protect it, but the right to privacy is also balanced against other competing rights, like freedom of expression, which creates a complex relationship between privacy and the media. Law enforcement and national security are other factors that need to be taken into account and balanced against the right to privacy. Different groups of people will have different opinions on how these should sit in relation to each other, and what this balance should be, which is something that is receiving a lot of media and public attention at the moment.
However, a fundamental point is that people have the right to make choices and to exercise some control about their privacy, about how their identity is used and disclosed. Privacy is about protecting information about who we are, what we do, what we think, what we believe. It is important that organisations and the Government support people’s right to make the choices that work for them.
The scope of the Privacy Act
But it is important to note that the Privacy Act is not a catch-all — it doesn’t cover the acts of individuals or many small businesses, and there are a lot of areas commonly associated with privacy that are not a part of privacy legislation. Surveillance, for example, is covered by a different set of laws. However, the concept of privacy applies to a large range of issues, and how you have the right to make choices about your privacy that work for you.
New technology and privacy are increasingly connected and more complex interactions and questions are coming up every day.
In the last year, our office has been involved in a lot of discussions about new technology and the privacy implications.
An example is that I recently provided a briefing to a Senate committee about the privacy implications of drones. Drones are a privacy issue that is quickly coming to the fore, but the issue is complicated by the fact that they can easily be owned and operated by individuals, which is not covered by the requirements of the Privacy Act.
While such technology captures the community’s attention it also captures the attention of privacy regulators globally. During the year privacy regulators around the world continued to foster greater international cooperation in the light of such developments. Through forums such as the Global Privacy Enforcement Network, the APEC Cross Border Privacy Enforcement Arrangement and regional groupings of Privacy Regulators such as the Asia Pacific Privacy Authorities Forum, concerted efforts were undertaken to build a coordinated approach to regulating the protection of personal information.
During the last year we joined with privacy regulators from around the world to engage with Google about the potential privacy concerns around the development and use of Google Glass. We also participated in the Global Privacy Enforcement Network internet sweep, where regulators from around the world chose one week to target and assess the privacy policies on high traffic websites and mobile apps.
During this sweep we looked at the 50 most trafficked websites in Australia and found that most of them had issues with the readability, findability, relevance and length of their privacy policies. We will be participating in the sweep again this year — it will be taking place next week, and we will be looking at key mobile apps. With the changes to the requirements for privacy policies due to law reform, we are hoping to see an improvement in the quality of privacy policies.
The key thing to note about privacy legislation in Australia is that the Privacy Act covers information privacy, and specifically regulates the handling of ‘personal information’.
Personal information is information, whether true or not, that identifies, or could reasonably identify you. This includes things like name, date of birth and address, but it also includes things like opinions and photos.
The federal Privacy Act is technology neutral principles-based legislation that came into force in the federal public sector in 1989, and extended to include parts of the private sector in 2000. Unlike other legislation, the Privacy Act is generally not prescriptive, dictating specific processes, but instead sets out a series of privacy principles that organisations must comply with in regards to the way they handle personal information.
Although the legislation is technology neutral, 25 years is a long time, especially when you consider how quickly technology has changed in the last 5 to 10 years, and continues to change. The recent reforms to the Privacy Act that came into effect on 12 March aim to take into account the way that this has had an impact on information handling and management, with changes to rules around transparency, information security, cross-border disclosure and direct marketing.
Part of the changes include the replacement of the two separate sets of privacy principles for the public and private sectors with a single set that is consistent across all organisations that are covered by the Act — the Australian Privacy Principles (or APPs).
Law reform also introduces some significant changes to credit reporting rules as well as stronger enforcement powers for our office. You may have heard about the changes to our enforcement powers in the media lately. We are now able to issue enforceable undertakings, even for issues we have investigated on our own initiative. An enforceable undertaking can require an entity to take, or to stop, a certain action or process. We are also able to issue fines of up to 1.7 million dollars for serious or repeated breaches of privacy.
Law reform
There are a lot of changes to process for businesses and government due to the APPs, and a lot of those will have a direct impact on you as consumers of services. There are a few key new areas for individuals that can be drawn out of the changes.
Openness
The first is openness. Under the new laws, businesses and government agencies that are covered by the Privacy Act have greater responsibility to manage information in an open and transparent way.
They must have a clearly expressed and up-to-date privacy policy explaining what they are going to do with your personal information. This policy must explain the kinds of personal information they collect and use, what they are going to do with it, and whether they are likely to disclose it overseas. They must also say how you can access and correct your personal information and make a privacy complaint.
They should also give you a ‘privacy notice’ when they collect your personal information, which will give you more specific information about why they are collecting your information and what they are going to do with it.
The Community attitudes to privacy survey that we ran last year shows that 55% of young people don’t read the privacy policies on websites. I strongly encourage you not to be one of those people — a good privacy policy will tell you a lot that you need to know about what will happen to your personal information. We have just released a poster, which is available on our website, that will give you some practical tips of what to look for in a privacy policy, and I strongly encourage you to read it.
Your identity
The second key issue is about your identity. You now have the right to deal with any organisation that is covered by the Privacy Act, whether public or private sector, anonymously or using a pseudonym. Obviously there are some circumstances where this will not be appropriate and you will have to prove your identity, but this option exists for all people in a lot of situations.
Direct marketing
The third area that is likely to impact on you as individuals is in regards to direct marketing. Organisations are only allowed to use or share your personal information for direct marketing in very specific circumstances. They must also provide you with a simple method of opting out of receiving direct marketing, and tell you where they got your information from if you ask them.
Disclosing personal information overseas
The fourth significant area of change is cross-border disclosure, where your personal information is disclosed to an organisation outside of Australia. Under the APPs, if your personal information is disclosed overseas, the Australian entity remains responsible for how it is handled. There are some exceptions to this, such as when you specifically consent to it being disclosed overseas, but overall this new requirement puts a higher onus of responsibility on entities who disclose your personal information.
Access and correction
The last area that is substantially affected by the APPs is your right to access your personal information and have it corrected if necessary. Generally speaking, if you ask an entity for access to your personal information they have to provide it within a reasonable period of time, which our office considers to be within 30 days.
If the information they hold about you is incorrect, you can request and gain a correction. Again, this must take place within a reasonable period of time.
If an entity refuses to give you access or to correct your personal information, they must give you written notice outlining the reasons for their refusal.
We have just published a fact sheet called ‘How changes to privacy law affect you’ and I strongly recommend that you read it. You can’t enforce or protect your rights if you don’t know what they are.
Credit reporting
The credit reporting system is also an area that has changed significantly under law reform. The ability to get credit is something people often take for granted, but if something goes wrong it’s usually at the worst possible time.
Some aspects remain the same, and some are different, but the key things to remember are:
- You have the right to access and request corrections to the information held about you by credit reporting bodies and credit providers like banks.
- In some cases if you are more than 14 days late on a bill, this information may be added to your credit report — this is your repayment history. This is NOT the same as a default.
- If you are more than 60 days late on a bill, this is a default. If the credit provider has followed a certain procedure it may be recorded on your credit report.
- A default cannot be recorded for an amount that is less than $150, or if you are under 18.
- A ‘credit repair’ agency cannot get information that is correct removed from your credit report.
- If there is incorrect information in your credit report, you can directly request a correction — you do not need to use a ‘credit repair’ agency for this.
We have just published a series of 16 fact sheets about credit reporting. These provide a summary of all the different aspects of the credit reporting system. Don’t let the number of fact sheets put you off — we have deliberately split the information into single-issue fact sheets so that you can easily find just the information that you are looking for.
Awareness
I’d like to finish up today by talking about some current issues in privacy, as well as about community awareness. In the age of big data, social media and cloud computing, it is increasingly important that people think about the concept of privacy and what it means to them. I am concerned that people aren’t considering the potential risks of disclosing too much personal information, particularly when engaging online.
I spoke briefly before about online identity security — one of the issues closely associated with this is managing your digital identity. Your digital identity is made up of a thousand tiny pieces of information that are available about you online, whether on professional networking sites like LinkedIn, in publicly available photos, in social media posts and in information about you that is shared by other people. This information can be added up to form a comprehensive and identifiable profile of you that may be used by anyone from prospective employers to direct marketing organisations. Your digital identity is real and it is almost impossible to change, so you need to consider how you want to be seen, now and into the future.
The Community attitudes to privacy survey showed that young people consider online services, including social media, to be the biggest privacy risk we face today. 60% of respondents aged 18–25 were of this opinion, but despite this, 33% of them have regretted something that they posted on social media. It is also worth noting that only 9% of Australians consider the social media industry to be trustworthy.
Australians are increasingly conscious of privacy issues — 82% of people said they knew of the existence of federal privacy laws, and 33% of Australians said that they had a problem with the way their personal information was handled in the last year. This is supported by the ever increasing number of privacy enquiries and complaints that we receive. In the 2012–13 financial year we received 1496 privacy complaints and 12,602 privacy enquiries. Already, in the current year so far we have received about 3000 complaints and 12,000 privacy enquiries.
Our office is also receiving an increasing number of voluntary data breach notifications — this might not seem like a good thing, but the previously low numbers of data breach notifications probably indicated a failure to report them, rather than a lower number of data breaches.
Australians are consistently in support of a greater level of transparency from both government agencies and businesses when it comes to information handling — 95% of people believe that they should be informed how their information is handled and protected, and 96% of people believe that they should be informed if their personal information is lost.
If you’re interested in knowing a bit more about community awareness and attitudes to privacy, there is a comprehensive research report available on our website.
Conclusion
Privacy is about respect for the protection of all of our personal information. That is information that says who we are, what we think, believe, feel, what we have done and what we want to do. It is about respecting the dignity of individuals.
Other people and organisations make decisions about us based on what they think they know about us through this information. That impacts each of us as we go about our daily lives. Privacy is a complex issue but the aim of privacy law is to help us set the boundaries and expectations, initially through transparency of business practices to build awareness and, through that, trust. This should allow businesses and government to go about their legitimate activities while the community can expect their privacy to be respected.
More and more of our everyday interactions have a potential impact on privacy and that will only continue to increase, as technological solutions to information management become more and more innovative. This in itself is not a problem, but it means that we have to become more aware and more vigilant about how our personal information is used and disclosed. Familiarity can often breed complacency, but it is up to you to control your privacy. Privacy is important, and once lost, it is almost impossible to get back.
And finally:
Mapping data breach notification
It’s great to be here for Privacy Awareness Week, especially with so much going on in the world of privacy already this year.
Privacy is rarely out of the news these days. The media continues to report on exciting new technologies as well as on activities that raise privacy questions and fuel debate.
As a society we are increasingly connected and more complex interactions and questions are coming up every day. In a world of increasingly complex technological solutions to information management, data breaches are becoming more and more common, and the damage that they can cause is becoming more far-reaching and serious.
The cost of data breach
This is supported by research, in particular, the 2013 Ponemon study into the cost of data breaches in Australia[1] which showed that the cost of data breaches to companies is increasing, and that data breaches caused by a malicious or criminal attack are increasing. The Ponemon study shows that there was a 23% increase in the average total cost of data breaches to organisations from 2011 to 2012 — the average total organizational cost of data breach in 2012 was $2.71 million. It is clear that data breaches have the least financial impact on organisations that have a data breach plan in place, on organisations that respond quickly, and on organisations that employ specialists in this field, such as having a Chief Privacy or Information Security Officer.
How data breaches happen
Data breaches can occur in many ways. It may be a lost or stolen laptop or portable storage device, a misplaced file, a database being ‘hacked’ into or inadvertently published online, a staff member mistakenly providing information to the wrong person — the classic mail room error that catapults a respectable organisation and its Chief Executive Officer onto the front page of the newspaper.
The Ponemon report showed that:
- 43% of organisations say the root cause of data breach was malicious or criminal attacks, up from 36% in 2011
- 33% of breaches involved negligent employees or contractors
- 24% of breaches were due to IT and business process failures.
As businesses increasingly look to more cost efficient information management solutions like cloud computing, all of these contributing factors become more of a concern. Good information security, robust business processes and up-to-date staff training are all key elements to maintaining the security of information.
You may have seen coverage of the recent Target data breach in the US. Fortunately, this didn’t affect any Australian customers, but this was a case where hackers stole the personal information of approximately 70 million people. This breach has led to a multi-jurisdiction investigation, and the introduction of a US Senate bill that seeks to improve how companies must protect customer data. A Reuters Ipsos poll showed that approximately 40% of the people who shopped at Target during the relevant period had not been notified. It is also worth noting that Target has said that its profits for the 4th quarter fell 46% due to this breach.[2]
As you would have seen in our office’s recent statement on information security — where information security is inadequate, being hacked will not necessarily be an excuse. Nor can you contract out of your privacy obligations; businesses remain responsible for the personal information that they have collected, even when they are using contracted services to handle that information.
The own motion investigation report into Multicard that was released last week is a perfect example of the importance of business processes that take account of privacy. In this instance, personal information was made publicly available through a series of clear failures in basic information management and security.
The OAIC’s approach
Our office has experienced an increase in data breach notifications over the last year. In the 2012–13 year, we received 61 voluntary data breach notifications. In the current year so far we have received 50. This is in addition to the nearly 3,000 complaints (an increase of over 50%) on a range of privacy issues. This is reflective of a broader global trend — as governments and businesses become more reliant on electronic records and networked systems, the risk of a breach occurring increases.
APP 11
If you are familiar with the APPs, which I’m sure you all are, you will know that APP 11, on information security, requires organisations that hold personal information to take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
Our office’s Guide to information security is also helpful here. The last section of the Guide sets out various strategies to ensure appropriate safeguards are in place to protect personal information. I won’t go into each of these now as they are outlined in the Guide, and a one-page summary is available on our website. We will launch a revised version of the Guide to reflect the new APP 11 requirements shortly.
I have previously found, after investigation, that organisations were in breach of the Privacy Act by not taking reasonable steps to prevent a data breach involving a cyber-attack.
Regular review of information security measures is crucial, particularly given how regularly organisations change their processes, information, personnel, applications and infrastructure, as well as changing technology and security risks. Organisations must implement and maintain information security measures that respond to this changing landscape. I also expect that entities will regularly review the operation and effectiveness of the steps and strategies they have taken to protect personal information.
In the event of a data breach, an organisation may be found not to have ‘disclosed’ personal information under APP 6 if they have been hacked, but they may still be found in breach of APP 11 if they did not take reasonable steps to protect the information from unauthorised access.
That being said, we strongly encourage organisations to come to us for advice if they do experience a data breach. We recently released a new privacy regulatory action policy for consultation — some of you may have seen it — and we will soon release the finalised policy, incorporating the feedback that we received. The regulatory action policy clearly states that notification will not stop us from commencing an investigation if we feel that it is necessary and appropriate, but it also says that proactive notification of a data breach will be taken into account when considering whether regulatory action is necessary.
We also strongly encourage all organisations to make full use of our voluntary data breach notification guide, which provides detailed guidance on processes you can follow if you experience a data breach as well as outlining our expectations in regards to notification.
The Data breach notification guide and the Guide to information security, which we launched at last year’s business breakfast, are key publications for any organisation.
A collaborative approach to enforcement
The regulatory action policy states that our preferred regulatory approach is to work with entities to encourage compliance and best practice. This approach aims to help prevent contraventions and the subsequent need to investigate matters, or to take formal enforcement action.[3] The tools which we will use to encourage voluntary and best practice compliance include:
- engaging with regulated entities to provide guidance, promote best practice compliance, and identify and seek to address privacy concerns as they arise.
- engaging with regulated entities who voluntarily and proactively notify our office of a data breach incident, including by providing advice to the entity on containing and responding to the incident
- conducting assessments of whether personal information is being maintained and handled in accordance with the APPs. Through these assessments, our office would identify privacy risks and areas of non-compliance, and may make recommendations for how the entity might reduce those risks or address areas of non-compliance
- recommending an entity conduct a privacy impact assessment (PIA) where it proposes to engage in a new activity or function involving the handling of personal information about individuals, or when a change is proposed to information handling practices. As you may know, this week we launched an updated Guide to undertaking a privacy impact assessment, which provides an easy-to-follow ten-step process.
However, in the event that working with entities is not effective, our office has a range of regulatory responses available. The Commissioner is empowered to direct an entity to develop a code, to direct an agency to conduct a PIA, to conduct a privacy assessment, to make enforceable undertakings. We may initiate an investigation, conciliate or determine a complaint, and direct the production of a document or the taking of certain action. In the case of a serious or repeated breach of privacy, we may apply for civil penalties.
Conclusion
The key messages on this issue that we would like to share with businesses are that data breaches are an inevitable reality of modern business. The only viable way to deal with this problem of the information age is to be prepared — being prepared will help you prevent a breach, will help manage any reputation damage if you do have a breach, and will save you money in the long run. Maintaining best practice information security is good business sense — you need to mitigate the risk that a data breach could be caused by careless or inadequate processes at your end.
We will be collaborative in our regulatory approach — we want to help you achieve best privacy practice in order to limit both breaches and harm to individuals. But ultimately our role is to protect the public — in a situation where a business does not cooperate, or flagrantly ignores their obligations, we will not hesitate to take appropriate action.