Privacy Commissioner gives a speech to The Law Society of New South Wales Government Solicitors Conference.
September 8, 2015
Timothy Pilgrim, in a speech titled Office of the Australian Information Commissioner — Update, delivered on 1 September 2015 to the New South Wales Government Solicitors Conference in Sydney, gave some insight into the role and future of the Office of the Australian Information Commissioner. That is a subject of some debate and controversy, particularly for those who practise in the area of Freedom of Information. He also talked about his core responsibility as Privacy Commissioner.
It is worth highlighting some salient points.
In relation to privacy regulation the Privacy Commissioner stated:
During the past year, our office:
- handled 12,241 privacy enquiries
- received 2,838 complaints, successfully closing 1,976
- and managed 117 voluntary data breach notifications
- undertook 12 privacy assessments (formerly known as audits), involving 85 entities, to assist compliance with good personal information handling practices making recommendations to improve privacy practice.
Those statistics are only impressive to someone who is not familiar with reading statistics in this sphere. "Handling" an enquiry has a broad meaning. Closing 1,976 complaints out of 2,838 received also means little without further information: the Privacy Commissioner can close a complaint of his own volition, so "successfully closing" is a phrase without content. What is telling is that there have been no determinations involving the new provisions of the Act, that is, those that took effect on 12 March 2014. That is more than passing strange.
Similarly, "managing" 117 data breach notifications is a descriptor so vague as to be meaningless. The more interesting questions are what caused those breaches and what the Privacy Commissioner did about them. The assessments are, likewise, a descriptor that means little.
In short, the statistics carry no real weight without further details.
The Privacy Commissioner went on to say:
The office accepted its first enforceable undertakings under the 2014 reforms to the Privacy Act, following a Commissioner Initiated Investigation.
The enforceable undertaking was made with Optus, which had reported itself. Compared with similar actions in the United Kingdom and the United States its effect was anaemic. This is hardly a banner moment for the Privacy Commissioner. A made-to-order undertaking falling into the regulator's hands does not bespeak hard graft paying off.
He also said:
At the same time, we continued to bed down the most significant reforms to the Privacy Act following their commencement on 12 March 2014.
As part of this we issued 32 sets of guidance material to assist entities covered by the Privacy Act, and for the broader community, to understand their responsibilities and rights.
An important example of this guidance was the release of our Regulatory action policy, and complementary Regulatory action guide which clarify OAIC’s commitment and approach to our privacy regulation activities.
We also released the Privacy management framework, designed to enable good privacy practice by embedding privacy governance within entities.
This activity report should be taken with a very large bucket of salt. The amendments to the Privacy Act were passed by the House of Representatives on 23 May 2012 and by the Senate on 18 September 2012, and assented to on 12 December 2012 (the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (No 197)). Most of the amendments, in particular the new enforcement powers, took effect on 12 March 2014. Parliament specifically allowed a 15 month period from enactment to commencement so that all relevant parties, the Privacy Commissioner included, could prepare for the new provisions. Why wasn't all of this bedding down done during those 15 months? It is true that the Regulatory action policy and guide have now been produced, but why weren't they produced during that period? In any event, their absence was no bar to taking enforcement action. Enforcement should have begun soon after the new provisions came into effect, sending a clear message to a market that has long been deaf and blind to proper privacy policies. The guidelines themselves are not extraordinary documents; they tend to the general and conservative, and are not superior to the guidance produced by the Information Commissioner's Office in the UK.
On any verifiable analysis the output of the Privacy Commissioner since 12 March 2014 has been quite modest.
What is curious is the Privacy Commissioner’s statement that:
Beyond speaking to the output of our office, these statistics also speak to the rapidly-growing consumer and corporate interest in privacy management.
Indeed, the fact that voluntary data breach notifications increased by nearly 50% on the previous year speaks of agencies and businesses who understand that a good privacy reputation is good for their business, and for the success of their programs in the case of government agencies.
The statistics do not speak to the output of the office. Enforcement remains poor. The statistics in and of themselves do not indicate significant activity once regard is had to how long the amendments have been in place. Claiming that data breach notifications have increased by 50% means nothing unless the base is known. There may be several motivations for a voluntary data breach notification, if not many, among them getting ahead of bad publicity, or notifying only when there is no alternative. The past leakage by the immigration department of the personal data of refugees does not go to the success of anything.
The statistics as presented do not "speak to" any "consumer and corporate interest in privacy management" (whatever that means). While studies in Australia and overseas clearly show that consumers care about their privacy and are concerned about interference with it, there is no corresponding evidence of a renaissance of interest in "privacy management" (such language! Waffle.). Privacy compliance is poor. The understanding of privacy obligations by organisations and their employees is spotty. One of the key reasons is that regulation under the Privacy Act is inadequate and enforcement is effectively non-existent.
Which is why the statements by the Privacy Commissioner are so disappointing when he said:
It’s something we want to encourage and so, with the 2014 Privacy Act amendments now well embedded, a key focus for the year ahead is strategic privacy assessments. We have looked at entities’ privacy policies under Australian Privacy Policy (APP) 1 including a number of ACT government agencies, online privacy policies of top websites, and most recently GP health clinics.
We will build on this work and look at how entities are implementing effective privacy practice, procedures and systems.
More hand holding?!? Really?! The legislation was enacted almost three years ago and has been in force for 18 months. Organisations and agencies should have their houses in order by now. Taking a "look" (whatever that means) at how entities are implementing effective privacy policies is a tepid approach to regulation. It is all about easy options. Don't offend, don't upset. Don't do.
Eventually the Privacy Commissioner went onto the enforcement side of things stating:
Turning then from the carrot to the stick, you will have also seen an increase in the matters which I have determined under the s 52 Determination powers of the Privacy Act (7 in the last financial year).
More a twig than a stick. None of these determinations relates to the new provisions. Seven is not all that many in any event. It is more than the work rate of previous Privacy Commissioners, but that is a low base. And what about injunctive relief? Has there really never been a basis for it in the last 10 years?
This seems an appropriate point to briefly note some significant decisions in the last 12 months.
While the vast majority of privacy complaints are resolved without need to recourse to determination, these cases do provide some useful signposts of potential risks to that entity’s privacy practices and how my Office may view these.
The problem with the above statement is that "resolved without need to recourse to determination" includes cases where the Privacy Commissioner closes the complaint without any resolution or satisfaction for the complainant. So it is a claim of little substance.
One case in particular has attracted significant attention as it brought together a journalist from our ‘paper of record’, the nation’s largest telecommunications provider, and arguably the most topical issue in privacy in the past year, metadata.
In Ben Grubb and Telstra Corporation Limited, I found that Telstra had breached Mr Grubb’s privacy by failing to provide to him personal information about him held by Telstra.
Significantly, in order to reach that decision I needed to first conclude, against Telstra’s consistent argument, that Mr Grubb’s metadata did in fact constitute personal information.
The Grubb decision is good, but a single swallow does not make a summer. It is also a process that took two years. That is ridiculous.
While I note that Telstra is appealing this matter to the AAT, this case will remain significant because the challenge Telstra faced in withholding the data will inevitably occur more and more often.
Telstra argued that much of the metadata sought was simply not ‘personal information’, because on its face the data was anonymous.
This is correct.
But that argument overlooks the reality of data-linking and that a customer’s identity and much more information about them can be established by cross-matching data sets.
Personal information is not just that which does identify you but also that which reasonably can.
For this reason the challenge faced by Telstra will lie with any organisation that handles complex data sets in which anonymous data can be linked to other sources from which an individual becomes reasonably identifiable.
Retailers and loyalty programs, in particular, spring to mind.
Pending any appeal outcomes, my advice to prudent organisations would be to work on the assumption that such data is “personal information” and to manage it and secure it as if it is.
It is a good decision and an important one. But it is one decision, and it took two years to process. How is that good regulation?
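The data-linking point the Commissioner makes above is worth seeing in working code. The following is an added example, not part of the original post or of the Commissioner's speech, and every record, cell identifier, token and "auxiliary observation" in it is constructed; the matching rule (same cell, within a time window) is an assumption chosen for illustration. It shows that a metadata export with the subscriber identity replaced by an opaque token is re-identified by joining a handful of externally known facts about one person against it, and that even a coarse home/daytime cell profile singles out individuals, which is what "reasonably identifiable" means in practice.

```python
"""Linkage attack on 'anonymous' telecommunications metadata.

Constructed example: a carrier exports call records with the subscriber
identity replaced by an opaque token, keeping only the serving cell and
the time of each event. An adversary who knows where one named person was
at a few points in time joins those facts against the export, recovers
the token, and with it every other record that token carries.
All data below is invented.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# "Anonymised" export: (token, cell_id, timestamp). The token stands in for
# a hashed or randomised subscriber identifier.
METADATA = [
    ("tok-7f3a", "CELL-SYD-0412", datetime(2015, 3, 2, 8, 5)),
    ("tok-7f3a", "CELL-SYD-0099", datetime(2015, 3, 2, 12, 40)),
    ("tok-7f3a", "CELL-SYD-0412", datetime(2015, 3, 2, 19, 15)),
    ("tok-7f3a", "CELL-SYD-0099", datetime(2015, 3, 3, 13, 2)),
    ("tok-b21c", "CELL-SYD-0412", datetime(2015, 3, 2, 8, 10)),
    ("tok-b21c", "CELL-SYD-0210", datetime(2015, 3, 2, 12, 35)),
    ("tok-b21c", "CELL-SYD-0412", datetime(2015, 3, 2, 19, 30)),
    ("tok-c909", "CELL-SYD-0777", datetime(2015, 3, 2, 8, 0)),
    ("tok-c909", "CELL-SYD-0099", datetime(2015, 3, 2, 12, 45)),
    ("tok-c909", "CELL-SYD-0777", datetime(2015, 3, 2, 19, 20)),
    ("tok-d5e1", "CELL-SYD-0412", datetime(2015, 3, 2, 8, 2)),
    ("tok-d5e1", "CELL-SYD-0099", datetime(2015, 3, 2, 12, 50)),
    ("tok-d5e1", "CELL-SYD-0412", datetime(2015, 3, 2, 19, 5)),
    ("tok-d5e1", "CELL-SYD-0555", datetime(2015, 3, 3, 15, 0)),
]

# Auxiliary knowledge about a named target: (cell, approximate time) from,
# say, a known home address, a geotagged lunch post and a second lunch post.
TARGET_OBSERVATIONS = [
    ("CELL-SYD-0412", datetime(2015, 3, 2, 8, 0)),    # leaving home
    ("CELL-SYD-0099", datetime(2015, 3, 2, 12, 30)),  # lunch post
    ("CELL-SYD-0099", datetime(2015, 3, 3, 13, 0)),   # next-day lunch post
]


def _records_by_token(metadata):
    by_token = defaultdict(list)
    for token, cell, ts in metadata:
        by_token[token].append((cell, ts))
    return by_token


def link_candidates(metadata, observations, window_minutes=15):
    """Return the sorted tokens whose records match every observation.

    A record matches an observation when it is in the same cell and within
    +/- window_minutes of the observed time (assumed matching rule).
    """
    window = timedelta(minutes=window_minutes)

    def matches(records, obs_cell, obs_time):
        return any(cell == obs_cell and abs(ts - obs_time) <= window
                   for cell, ts in records)

    return sorted(
        token for token, records in _records_by_token(metadata).items()
        if all(matches(records, c, t) for c, t in observations)
    )


def trace_for(metadata, token):
    """Every record the token carries: what the adversary learns once the
    token has been tied to a person."""
    return [(cell, ts) for tok, cell, ts in metadata if tok == token]


def profile(records):
    """Coarse (home_cell, day_cell) profile: the most common cell outside
    working hours and the most common cell around midday."""
    night = Counter(c for c, ts in records if ts.hour < 9 or ts.hour >= 18)
    midday = Counter(c for c, ts in records if 11 <= ts.hour < 14)
    home = night.most_common(1)[0][0] if night else None
    day = midday.most_common(1)[0][0] if midday else None
    return (home, day)


def equivalence_class_sizes(metadata):
    """For each token, how many tokens share its (home, day) profile.
    A class of size 1 means the profile alone singles the person out."""
    profiles = {tok: profile(recs)
                for tok, recs in _records_by_token(metadata).items()}
    counts = Counter(profiles.values())
    return {tok: counts[p] for tok, p in profiles.items()}


if __name__ == "__main__":
    two = link_candidates(METADATA, TARGET_OBSERVATIONS[:2], window_minutes=30)
    three = link_candidates(METADATA, TARGET_OBSERVATIONS, window_minutes=30)
    print("candidates after two observations:", two)
    print("candidates after three observations:", three)
    if len(three) == 1:
        print("linked", three[0], "->", trace_for(METADATA, three[0]))
    print("profile class sizes:", equivalence_class_sizes(METADATA))
```

Two observations leave two candidate tokens; the third resolves the target uniquely, and the adversary then reads the target's whole movement trace out of the "anonymous" export. The profile check shows the other side of the same coin: two of the four tokens already have a unique home/daytime cell pair, so the dataset is not even 2-anonymous on that crude key. The practical check for a data holder is therefore not "does this column contain a name" but "how small do the equivalence classes get once an outsider's side information is joined in".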
Turning briefly to other determinations, relevant specifically to Government agencies.
In February 2015, I found that the Great Barrier Reef Marine Park Authority had breached Information Privacy Principles (IPP) 11.1 of the Privacy Act by disclosing the complainant’s personal information to a news outlet.
I declared that the agency apologise in writing to the complainant, review its training of staff and agents who act on the agency’s behalf in handling personal information and confirm with me that the review of the training had been completed.
I also awarded $5,000 to the complainant for non-economic loss.
How is an award of $5,000 after a contested hearing anything but risible?
In another case that was also related to disclosure under IPP 11.1, I found that the Department of Veterans’ Affairs (DVA) had interfered with the complainant’s privacy by disclosing his personal information to Australian Defence Force officers and the Department of Defence.
I determined that the DVA should apologise in writing to the complainant and that the Secretary initiate a review of privacy complaints within the DVA, and notify me of the results of the review.
In September 2014, I found that the Department of Defence had breached the Privacy Act by disclosing the complainant’s sensitive personal information to his treating GP after he had expressly refused to grant consent for this to occur.
I found that the Department should apologise in writing, amend its information handling procedures, specifically around the handling of sensitive personal information, undertake staff training and pay the complainant $5,000.
The decision was right, but the remedy was insipid and ridiculous. Compared with the type of awards handed out in the UK and the United States, these findings compare poorly.
With the above decisions in mind, I would like to conclude by remarking that we still, occasionally, receive the message that privacy is a roadblock to getting work done.
This is a complaint that will never dissipate. There are still complaints that consumer law impedes competition, when by any objective measure the contrary is true.
Privacy needs to be considered in corporate and project planning, so that privacy protections and responsiveness to privacy is built into delivery.
When a privacy-by-design approach is taken to project and policy planning privacy law is flexible enough to both protect individuals and facilitate effective agency performance.
These are all quite admirable sentiments. But the Privacy Commissioner has settled into preferring sunny aphorisms over the more tedious and less friendly task of enforcement. Fewer friends in the latter case, but more integrity in performing one's statutory tasks and fulfilling one's statutory responsibilities.
Any agency or organisation thinking that they can ‘game the system’ because of the uncertainty about the future of the OAIC better look at what we have done over the last 12 months and think again! We are actively using the powers available to us to uphold these important community rights.
Organisations won't game the system. How can they, when they tend to ignore it altogether? For many organisations outside high profile or high risk areas, such as finance, mining and resources, privacy compliance is an afterthought, and the resources devoted to maintaining secure systems fall a long way down the spend list. To a large degree that is because the laws have been lax and, where they are not, they are not effectively enforced. Businesses don't look at the problems with the OAIC and decide to pull apart their privacy policies and halve the IT security budget. Many organisations don't bother with proper privacy policies at all, and the IT budgets have already been quartered. If there is no risk there is no urge to comply.
I have been reading the Privacy Commissioner's speeches for some time now. They invariably follow the same Pollyannaish approach: great things being done, working with business, will take action if they have to, and then talk up some upcoming policy and talk about some positive developments like the Damascene conversions of organisations who see the privacy light. It tends to the general, and where it is specific there is much left out that would give the statistics real form and substance. This speech followed that pattern. It is quite well written. Other than that it is more of the same. That is depressing enough.
The full speech provides:
Good morning.
I would like to begin by acknowledging the Gadigal people of the Eora Nation, the traditional custodians of this land and pay my respects to their Elders both past and present.
As solicitors in the Government field, many of you will have had cause to focus on the activities of the Office of the Australian Information Commissioner (OAIC) in the past year. You may even have had direct dealings with us.
It is therefore not surprising that you may be wondering what is the current state of play with the OAIC and its future, and more specifically, the important jurisdictions of privacy and freedom of information (FOI) that we are responsible for.
Even this morning the future of the OAIC has again been the subject of a number of media articles.
So this morning, I want to outline the current status of the OAIC and importantly, how I see us going forward on privacy and FOI through the mid to longer term.
But first, a quick bit of background. The OAIC was established in November of 2010 to bring together the functions of information policy, FOI and privacy governance.
This built on what had been the successful model of the Office of the Privacy Commissioner which had been in existence since 1988.
However, in May 2014 the Government announced an intention to disband the Office, to put in place new arrangements for these functions.
- FOI complaints would be handled by the Ombudsman;
- FOI policy and reporting would go to the Attorney General’s Department (AGD);
- Review of FOI decisions would be handled by the AAT; and
- A new Office of the Australian Privacy Commissioner would be established.
The Bill to implement these changes was passed by the House of Representatives and the changes were to take effect on 1 January 2015. But, the Bill has not yet been considered by the Senate.
However, in anticipation of these changes and in recognition that there was a potential significant impact on the administration of both Acts and importantly on the careers and futures of our staff in our Canberra Office, we began to implement some of the changes.
This was necessary as from 1 July 2014 our budget had been reduced to also reflect these changed arrangements.
Consequently we:
- began a process to assist staff in Canberra obtain new jobs or transition out of the APS
- arranged for the Commonwealth Ombudsman to commence dealing with FOI complaints
- transferred FOI policy and reporting functions to the AGD;
- further streamlined our IC review processes to improve the timeliness of our processes, including using s 54W to allow matters to go to the Administrative Appeals Tribunal (AAT), and
- closed our Canberra premises in December 2014, moving the remaining FOI functions to our Sydney Office where the bulk of our privacy work had always been handled.
However, as I said, to date, the Bill to abolish the OAIC has not been considered by the Senate. Consequently as we moved closer towards the 2015/16 financial year it was clear that the OAIC would be continuing to operate and as a result funding was reappropriated to allow us to continue on with our streamlined IC Review processes.
This has, naturally, created uncertainty and speculation particularly amongst administrative law and open government advocacy circles about the ability of the OAIC to be effective and perform the important role that it holds for the community in the privacy and FOI spaces.
So let me be clear about this.
Of course, this uncertainty is far from an ideal situation and I hope that soon we will have some clarity about the future of the OAIC.
However, having spent in excess of 30 years in the public service, I believe I am safe in saying that it is quite remarkable what the OAIC has achieved in this period of uncertainty and, regardless of what may occur over the months ahead, this should be a heads up, or to look at it another way, a warning to those entities covered by both the Privacy Act 1988 (Privacy Act) and, while we have the jurisdiction, the FOI Act, that we will actively be fulfilling the mandate we have to ensure the community’s rights are upheld under both statutes.
Let me turn now to our achievements over the last 12 months or so.
Firstly our achievements in FOI.
As I mentioned prior to May 2014 the OAIC had already been revising its Information Commissioner (IC) review processes to improve the timeliness of decisions and this has significantly enhanced our performance with respect to IC Reviews during the 2014-15 year.
While we are close to resolving the last of our legacy backlog, in terms of new matters coming in, our current average time for finalising these is around 3 months.
The number of IC review decisions finalised was up 40% on the previous year, to 138.
And overall, while we received 374 IC review applications during the year we finalised 482. At the same time making significant inroads into the legacy backlog, further demonstrating the effect of our revised processes.
We are using our power under s 54W to refer matters to the AAT where that facilitates better administration of the Act, but overall this remains a small number of the matters finalised.
But, we are still clearly maintaining an active role in this space and consequently, while the FOI policy function moved to the AGD, it is my intention to review and amend the FOI Guidelines in the next few months to update them in the light of a number of decisions made by both the OAIC Commissioners and the AAT. This is important in my view as Agencies must have regard to those guidelines as set out in the FOI Act.
Turning to privacy regulation, for anyone who is working in this area it is abundantly clear that the OAIC has been extremely active in this area over the last 12 months. By way of some statistics:
During the past year, our office:
- handled 12,241 privacy enquiries
- received 2,838 complaints, successfully closing 1,976
- and managed 117 voluntary data breach notifications
- undertook 12 privacy assessments (formerly known as audits), involving 85 entities, to assist compliance with good personal information handling practices making recommendations to improve privacy practice.
The office accepted its first enforceable undertakings under the 2014 reforms to the Privacy Act, following a Commissioner Initiated Investigation.
At the same time, we continued to bed down the most significant reforms to the Privacy Act following their commencement on 12 March 2014.
As part of this we issued 32 sets of guidance material to assist entities covered by the Privacy Act, and for the broader community, to understand their responsibilities and rights.
An important example of this guidance was the release of our Regulatory action policy, and complementary Regulatory action guide which clarify OAIC’s commitment and approach to our privacy regulation activities.
We also released the Privacy management framework, designed to enable good privacy practice by embedding privacy governance within entities.
Beyond speaking to the output of our office, these statistics also speak to the rapidly-growing consumer and corporate interest in privacy management.
Indeed, the fact that voluntary data breach notifications increased by nearly 50% on the previous year speaks of agencies and businesses who understand that a good privacy reputation is good for their business, and for the success of their programs in the case of government agencies.
This is of course very positive.
It’s something we want to encourage and so, with the 2014 Privacy Act amendments now well embedded, a key focus for the year ahead is strategic privacy assessments. We have looked at entities’ privacy policies under Australian Privacy Policy (APP) 1 including a number of ACT government agencies, online privacy policies of top websites, and most recently GP health clinics.
We will build on this work and look at how entities are implementing effective privacy practice, procedures and systems.
This year we will also commence privacy oversight of the implementation of mandatory telecommunications data retention scheme and the implementation of the privacy aspects of the Counter-Terrorism Legislation Amendment (Foreign Fighters) Act 2014, which introduces changes to the handling of personal information.
We are already working closely with the Department of Immigration and Border Protection on privacy impact assessments and we have put together a new national security team, working on privacy assessments, advice, and privacy impact assessments.
We will similarly be working with telecommunications service providers to ensure that privacy protections are built into their practices, procedures and systems and have already released guidance in this area.
Throughout all this work, there is of course the need to balance individual privacy with national security. But, this is not a single limb test. Even when the public interest balance falls in favour of national security there is still a need to ensure policies are implemented in a way that minimises their privacy impact to the fullest extent that is reasonably possible.
With that in mind, I’d like to take a moment to address privacy impact assessments.
I’ve been talking about the value of these for a long time.
Although some organisations and agencies have adopted them as part of their business-as-usual processes, many are lagging behind on this important and effective tool.
Privacy Impact Assessments (PIAs) should be considered for any new program that involves changes to personal information handling, and that includes proposals to mandate collections, use or disclosures of personal information in legislation.
Most new legislation, including legislative instruments, must be accompanied by a statement of compatibility with human rights. That is, compatibility with the rights and freedoms recognised in the seven core international human rights treaties to which Australia is a party.
This includes, under the International Covenant on Civil and Political Rights, a right to privacy. So where a policy or legislative proposal impacts on privacy, a PIA can help agencies to address the statement of compatibility.
Overall, having a PIA is vitally important when considering privacy in the context of any legal or legislative issues. It can, and should, be a vital component of both project planning and of risk assessment.
But in the overall context of managing privacy within agencies and organisations I hope that everyone is becoming familiar with our new Privacy Management Framework.
But just in case anyone is not, the Framework is a tool that is designed to help agencies comply with their ongoing obligations under APP 1.2 and, above all, to embed privacy into their project planning and processes.
As is clear from the Framework, a leadership commitment to a culture of privacy is a foundation for good privacy governance and is really the first step in meeting an entity’s obligations.
APP 1.2 requires agencies to be proactive in establishing, implementing and maintaining privacy processes. Just writing a privacy policy, or putting in place set-and-forget processes is not enough.
This is why our Framework provides clear steps to develop and maintain best privacy practice.
Most importantly, it can help entities to avoid meeting the regulatory arm of my office.
In that respect, when we do an assessment of an agency or an organisation we will be looking to see how privacy is managed right up to CEO level.
Turning then from the carrot to the stick, you will have also seen an increase in the matters which I have determined under the s 52 Determination powers of the Privacy Act (7 in the last financial year).
This seems an appropriate point to briefly note some significant decisions in the last 12 months.
While the vast majority of privacy complaints are resolved without need to recourse to determination, these cases do provide some useful signposts of potential risks to that entity’s privacy practices and how my Office may view these.
One case in particular has attracted significant attention as it brought together a journalist from our ‘paper of record’, the nation’s largest telecommunications provider, and arguably the most topical issue in privacy in the past year, metadata.
In Ben Grubb and Telstra Corporation Limited, I found that Telstra had breached Mr Grubb’s privacy by failing to provide to him personal information about him held by Telstra.
Significantly, in order to reach that decision I needed to first conclude, against Telstra’s consistent argument, that Mr Grubb’s metadata did in fact constitute personal information.
While I note that Telstra is appealing this matter to the AAT, this case will remain significant because the challenge Telstra faced in withholding the data will inevitably occur more and more often.
Telstra argued that much of the metadata sought was simply not ‘personal information’, because on its face the data was anonymous.
This is correct.
But that argument overlooks the reality of data-linking and that a customer’s identity and much more information about them can be established by cross-matching data sets.
Personal information is not just that which does identify you but also that which reasonably can.
For this reason the challenge faced by Telstra will lie with any organisation that handles complex data sets in which anonymous data can be linked to other sources from which an individual becomes reasonably identifiable.
Retailers and loyalty programs, in particular, spring to mind.
Pending any appeal outcomes, my advice to prudent organisations would be to work on the assumption that such data is “personal information” and to manage it and secure it as if it is.
Turning briefly to other determinations, relevant specifically to Government agencies.
In February 2015, I found that the Great Barrier Reef Marine Park Authority had breached Information Privacy Principles (IPP) 11.1 of the Privacy Act by disclosing the complainant’s personal information to a news outlet.
I declared that the agency apologise in writing to the complainant, review its training of staff and agents who act on the agency’s behalf in handling personal information and confirm with me that the review of the training had been completed.
I also awarded $5,000 to the complainant for non-economic loss.
In another case that was also related to disclosure under IPP 11.1, I found that the Department of Veterans’ Affairs (DVA) had interfered with the complainant’s privacy by disclosing his personal information to Australian Defence Force officers and the Department of Defence.
I determined that the DVA should apologise in writing to the complainant and that the Secretary initiate a review of privacy complaints within the DVA, and notify me of the results of the review.
In September 2014, I found that the Department of Defence had breached the Privacy Act by disclosing the complainant’s sensitive personal information to his treating GP after he had expressly refused to grant consent for this to occur.
I found that the Department should apologise in writing, amend its information handling procedures, specifically around the handling of sensitive personal information, undertake staff training and pay the complainant $5,000.
With the above decisions in mind, I would like to conclude by remarking that we still, occasionally, receive the message that privacy is a roadblock to getting work done.
Well, I think if an agency is finding that they are consistently coming up against privacy, then they’re probably not approaching privacy obligations in an integrated way.
Privacy law in Australia is principles based — it’s flexible and able to accommodate a vast range of different information sharing and handling arrangements.
But it is not a bolt-on accessory.
Privacy needs to be considered in corporate and project planning, so that privacy protections and responsiveness to privacy is built into delivery.
When a privacy-by-design approach is taken to project and policy planning privacy law is flexible enough to both protect individuals and facilitate effective agency performance.
So, what does all this demonstrate?
Well, pending other decisions, it is my intention that OAIC will continue to deliver the combination of functions we have outlined and will actively continue to do this to the high and efficient standard we have achieved in the past year.
Any agency or organisation thinking that they can ‘game the system’ because of the uncertainty about the future of the OAIC better look at what we have done over the last 12 months and think again! We are actively using the powers available to us to uphold these important community rights.
Finally, it would be remiss of me not to remark that the significant output our Office has achieved, in challenging and changing circumstances is an amazing demonstration of the commitment of our people to uphold the best values of public service and meet the needs of the Australian community.
Thank you.