Victorian Privacy Commissioner adopts privacy by design as of 1 July 2014

May 29, 2014

The Acting Victorian Privacy Commissioner has announced that from 1 July 2014 Privacy Victoria will be adopting Privacy by Design. It is a welcome development but one that is not all that revolutionary. Privacy by Design was developed by the Ontario Privacy Commissioner and has its genesis in the 1990s. Its principles are best described on the Ontario Privacy Commissioner’s dedicated page, 7 Foundational Principles.

The announcement is found here and relevantly provides:

“Each year, Privacy Awareness Week has a particular theme. This year it is Data Sharing: Share with Care, Share with Confidence. The theme was carefully selected because of its significance to the work of the Victorian Public Sector and because data sharing has proven to be difficult for both individuals and public sector organisations, particularly when it comes to navigating the regulatory environment,” said Mr Watts.

“Information privacy was never conceived as preventing the appropriate sharing of personal information.  This fundamental policy is embodied in the objects section of the Information Privacy Act 2000. The legal framework encourages us to be thoughtful and open when dealing with personal information.  Being responsible means being answerable and accountable.  Implicit in this is the idea that best practice personal information handling involves good governance, that is, that personal information and the ICT systems that facilitate collecting, using and disclosing it are properly overseen and managed. There is a clear nexus between good information strategy, the execution of it and good privacy practice.  This is an important but often overlooked concept,” explained the Acting Commissioner.

“The Information Privacy Principles have much to say about information sharing in IPP2, the privacy principle that addresses the use and disclosure of personal information. The overarching rule is that when personal information is collected for a purpose, it can be used and disclosed for that or a related purpose.  The remainder of IPP2 spells out in detail exceptions that modify this general rule, reflecting the balancing of interests mentioned in s 5 of the Information Privacy Act and recognising that some interests take priority over privacy.  These include permissions to enable information sharing when an individual’s life, health or safety are in question, investigating unlawful activity, undertaking research, law enforcement activities and for national security purposes,” said Mr Watts.

“Despite that, developing appropriate ways to approach information sharing, particularly in multi-agency environments where both individuals expect joined up service delivery and agencies seek to meet that expectation by designing more streamlined service delivery systems by using personal information more effectively, remains somewhat of a mystifying – and frustrating – experience for many who have to grapple with these issues.”

“As from 1 July this year Privacy Victoria will be formally adopting Privacy by Design. This is a series of internationally endorsed policies, approaches and benchmarks designed to integrate privacy with new technology to ensure that perceptions that privacy and the use of new technologies are tradeoffs, otherwise known as a zero-sum game, are overcome. Victoria will be the first Australian privacy office to explicitly endorse and implement Privacy by Design,” said Mr Watts.

“At a high level what Privacy by Design mandates is ‘embedding privacy into information technologies, business practices and networked infrastructures, as a core functionality, right from the outset… Privacy by Design may be defined as an engineering and strategic management approach that commits to selectively and sustainably minimise information systems’ privacy risks through technical and governance controls. At the same time, however, the Privacy by Design approach provides a framework to address the ever-growing and systemic effects of information and communications technologies and large-scale networked data systems’”,1 explained the Acting Commissioner.

“Unsurprisingly, Privacy by Design places the data-subject or end user at the heart of what drives the design and operational decisions concerning personal information. Privacy by Design is the methodology that should be used to enable and facilitate these initiatives. There is an added benefit.  As Privacy by Design is an international benchmark it is widely understood and endorsed by the global ICT community. Many global ICT providers have participated in its development and are familiar with implementing it.  Privacy by Design is nothing new for many of the Government’s private sector partners.”

“Ultimately Privacy by Design is the technique that is best adapted to support the joint objectives of respecting privacy and supporting efficient service delivery through the better use of information and communications technologies,” advised Mr Watts.

The Acting Privacy Commissioner develops the theme in the May enews, found here.  The Victorian Privacy Commissioner’s scope of operation is limited, primarily relating to the public sector agencies of the Victorian Government and their contract providers.

Despite what the media release says, the private sector in Australia is not, as a group, well versed in privacy by design. Certain areas are quite sophisticated, including the financial market as well as multinationals. But patchy coverage of privacy regulation and very soft touch enforcement where such powers existed prior to March 2014 have meant privacy has rarely been a priority in an organisation’s spend. That should change now the Privacy Commissioner has significantly enhanced powers.
