Privacy Commissioner gives speech on privacy governance; foreshadowing assessment of 21 online privacy policies of entities

February 13, 2015

The Privacy Commissioner has just posted his most recent speech, titled Privacy Governance, given to the iappANZ on 11 February 2015. The Commissioner’s prose tends to the general, and intentions and directions, when voiced, are couched in such opaque terms that it would be easier to divine future actions by reading entrails. There is a bit of something for all interested parties. It is certainly a more restrained means of sending messages to the market than that of the Federal Trade Commission and the Information Commissioner’s Office.

The key issues to take from the speech are:

  • a recognition that a lot of organisations don’t have an adequate privacy governance structure in place. This has, of course, been well known to practitioners for some time. Where the risk of regulatory action is perceived as low, compliance will suffer;
  • responsibility for privacy governance sits firmly with the CEO, the Executive, the board or the management of any organisation. This is a welcome statement. It is consistent with commentary from overseas privacy practitioners and academics, including Daniel Solove, who has been very outspoken about this issue;
  • in cases involving major data breaches, the cause is often a clear failure of governance, creating a vulnerability;
  • the Commissioner is about to embark upon an assessment of the online privacy policies of 21 entities against the requirements of Australian Privacy Principle 1. The Commissioner describes this as a demonstration that the OAIC is “proactively looking at entities’ responses to the new requirements.” Perhaps, but there are many other equally, if not more, effective ways of proactively regulating, such as taking high profile enforcement action against malefactors. There really is no substitute for taking action, especially when provided with enforcement powers. The Federal Trade Commission and the Information Commissioner’s Office have their critics, but they are active in taking action on privacy enforcement. The Privacy Commissioner has thus far been long on exhortation and short on enforcement;
  • he will soon launch another document, titled Privacy Management Framework, to assist organisations to develop or review their privacy program and to meet the requirements set out in APP 1.2;
  • the OAIC’s theme for 2015 is Privacy everyday. Good as far as it goes. Better might be Regulating and enforcing Privacy every day.

The current state of regulation suffers from the generality, to a greater or lesser degree, of the drafting of the various Guides: on the APPs, on securing personal information, on privacy impact assessments, etc. The regulator, through enforceable undertakings, determinations drafted in a manner more consistent with a court decision, and civil penalty proceedings in the Federal Court, would establish a more rigorous structure. In that context it is worth considering the article by Daniel Solove and Woodrow Hartzog titled The FTC and the New Common Law of Privacy, published in 114 Columbia Law Review 583 (2014), which shows that the Federal Trade Commission’s privacy jurisprudence has created its own branch of common law, establishing norms, expectations and obligations which can be considered in a rigorous way. This assists both in advising clients and in meeting claims by the regulator.

The speech provides:

We’re all here today to talk about privacy in the context of risk. Richard has provided a great overview of a risk-based approach to privacy. I would like to continue that discussion, and talk about how a risk approach to privacy translates into privacy governance and the overall business management framework in the context of Australian regulatory requirements.

We have been talking for a long time about the need to build privacy into ‘business as usual processes’, and how essential it is to include in business and project planning. Our messages around this aren’t going to change, but now that we have had almost a year to settle into the changes to privacy laws, we’d like to start talking about more than just basic compliance, and shift the conversation to ongoing governance. A key component of a successful end-to-end privacy program is regular monitoring. This will ensure that privacy policies, procedures and guidance are being followed and that they remain relevant to your business and the privacy risks it faces.

The European Union’s Article 29 Data Protection Working Party states that there are three core components of an accountability framework:

  • the establishment of internal privacy policies and processes,
  • the building of a privacy governance structure, and
  • the establishment and performance of review mechanisms.

Well, by now I assume that you, and your clients, all have well established policies and processes, but what we are seeing is that a lot of organisations don’t have an adequate privacy governance structure in place.

This raises the question — where does the responsibility for privacy lie in an organisation? Obviously the answer to that question is going to depend on the type and size of the organisation — some businesses might have an entire section devoted to privacy compliance and governance, whereas some will have only a single person. However, I think the key to answering this question lies with understanding the value of personal information.

Personal information is an asset to any business, and should be treated as such. Business assets are available to be used, but in order for their value to be fully realised they must also be protected.  

So, while the day-to-day responsibility for personal information and privacy may sit within various areas of a business, in my view, responsibility for privacy governance sits firmly with the CEO, the Executive, the board or the management of any organisation. It is these roles that must promote privacy as an asset to be respected, managed and protected.

The recently released Telstra Cyber Security Report 2014[1] has reported that the responsibility for security is changing within organisations. With IT security incidents having a greater impact on business continuity and reputation of an organisation, C-level executives are being held more accountable for the security decisions within organisations.

Among the organisations surveyed, it was reported that 84% of CEOs/CFOs and COOs, and 71% of CTOs and CIOs are getting involved in the final stages of decision making of IT security services spending. This is certainly very encouraging.

Just last week we saw reports of the Anthem health insurance data breach in the US where the personal information of 80 million customers was un-encrypted and left vulnerable to unauthorised access.

Increasingly, data breaches are due to issues of technology and connectivity — hacking, malware, online scams. But you only have to look at these data breaches to understand the vital importance of privacy governance. In many cases there is a clear failure of governance, creating a vulnerability that is able to be exploited. The maturity of an organisation’s governance and leadership can be clearly seen in the importance placed on privacy, the way in which it is invested in, and how an organisation responds to a data breach.

To give you an example in the local Australian context, you will recall the investigation I carried out into the Department of Immigration’s handling of asylum seekers’ personal information. This data breach occurred after the publication of statistical data on the internet without the appropriate steps being taken to de-identify the information. I found that the Department was aware of the privacy risks of embedding personal information in publications, but that the systems and processes failed to adequately address those risks. This type of breach is not unique to the Department — we have seen similar failures in the private sector.

We are just getting ready to conduct an assessment of the online privacy policies of 21 entities against the requirements of Australian Privacy Principle 1. These assessments will look at whether the policies are clearly expressed and up-to-date, cover the content and contact requirements and are available in an appropriate form. This demonstrates that the OAIC is proactively looking at entities’ responses to the new requirements.

Forward thinking and actively managing privacy risk are essential to understanding and acting on your privacy responsibilities. Simply maintaining the status quo, whether in relation to a data breach, or in relation to the changing landscape of data protection and information handling, is the most ineffective way of dealing with the challenges of the information age. Privacy leadership, and from this, a robust culture of accountability and governance, is the most effective way of rising beyond mere box-ticking compliance to best practice.

You will all be aware of new requirements in Australian Privacy Principle 1.2 to take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs. The APP guidelines outline ways that this could occur in practice, providing a list of important steps, including implementing governance mechanisms, regular staff training, and a program of proactive review and audit of the adequacy and currency of your privacy policy and of the practices, procedures and systems implemented under APP 1.2. This obligation is a continuous and proactive one, and we have recognised that this is an area that organisations need help with.

We will soon launch a Privacy Management Framework to assist organisations develop or review their privacy program, and to meet the requirements set out in APP 1.2. You may have seen work from our colleagues in Hong Kong, New Zealand and NSW IPC in this area recently — there is a growing international awareness of the need for this kind of framework to assist organisations with the fundamentals of privacy governance. Our framework will emphasise governance, leadership and accountability as forming the basis of a robust management framework.

It will provide a practical guide on how to establish a privacy management framework, including elements such as planning and strategy, risk assessment, breach and incident management and regular evaluation and review. The framework will also encourage organisations to go beyond mere compliance and commit to best practice.

Information lifecycle

As I have noted, organisations must be aware of the value of personal information, both to the organisation and also to their customers, so that decisions can be made about the measures put in place to protect it. Technology becomes more important to business every day. But the technologies that currently make the biggest difference — like Cloud Computing, Big Data and Mobility — also increase the privacy risks your organisation faces.

With this in mind, I am going to talk a little bit about the information lifecycle, which can be found in our new Guide to securing personal information. Anyone in the room who has read the new guide, and hopefully that’s most of you, will have seen the graphical representation of the information lifecycle, as a process that starts before collection, raises issues when you collect or hold personal information, and then moves to destruction and de-identification when you no longer need the information.

We have represented this as a cyclical lifecycle to emphasise the dynamic nature of information and the need to consider your information handling in relation to all processes, projects and business units. 

In this electronic age the way that organisations collect and store personal information is constantly changing. For example, de-identified information may be added to over the course of a relationship with a client, or moved to a different storage solution, and by being added to, or associated with another piece of information, become personal information.

If previously non-identifiable information becomes identifiable personal information, then your obligations under the Privacy Act will change. If you haven’t accounted for that risk in your planning, you may not adequately fulfil your privacy obligations.

There was an interesting MIT study recently that looked at the ease with which information could be re-identified, and showed how quickly the shift from ‘anonymous data’ to ‘personal information’ can occur. And it can happen quickly. This study found that with four pieces of information that were not considered personal information — so no names, addresses, or credit card numbers — the researchers were able to identify 90% of people in a data-set of 1.1 million users over 3 months.[2]

This type of study is a great example for us of the risks of not thinking ahead about how you handle information. Having a governance and accountability framework in place will help you manage the dynamic nature of information and allow you to be privacy aware at all stages of information handling, rather than considering it in isolation or in relation to discrete projects.

Conclusion

I feel confident that everyone in the room today knows how important privacy management is.  That’s why you are here — because you understand the importance of accountability and risk management, and ensuring you are proactive in implementing your accountability and governance commitments.

Over the last 12 months we have reviewed and launched a range of guidance to help you do this. The Privacy Management Framework will build on this guidance by not only joining the dots between our various guidance, but also between your obligations under the Privacy Act and its practical implementation in your organisation. The Framework will be launched during Privacy Awareness Week 2015. And I encourage you to visit the OAIC’s website and become a Privacy Awareness Week partner, a non-financial arrangement, and a great way to demonstrate that your organisation takes privacy seriously.

The OAIC’s theme for 2015 is Privacy everyday. The theme emphasises the need for organisations to embed privacy practices into business as usual processes and succinctly captures what I have been talking about today. Your organisation must commit (from the top down) to grow a robust privacy culture of continual improvement. And, should I have to ‘visit’ an organisation as a result of a privacy incident, I will be focusing equally on assessing the privacy culture of that organisation, from the top down, as much as I will on process and technology solutions.

To achieve this privacy culture, you must regularly review your processes and policies, and the implementation of those processes and policies, to ensure that your organisation stands ready to address and respond to the risks to privacy that arise every day.
