Privacy Commissioner speech at launch of Privacy Awareness Week

May 17, 2016 |

The Privacy Commissioner has done what he does best.  Another speech.  This time for the launch of Privacy Awareness Week.

The speech relevantly provides:


Welcome to Privacy Awareness Week 2016; and to our signature business event, the Privacy Business Breakfast.

Looking around the room I see many familiar faces, people from organisations who have been supporters of Privacy Awareness Week — and of good corporate privacy practices — for many years.

I also see a resounding endorsement of the extent to which privacy governance has found its place in businesses and agencies — we have more people from more organisations here today than at any past Privacy Business Breakfast.

It’s also a symbol of how Privacy Awareness Week, or PAW as we fondly call it, has matured on our national business and regulatory calendar.

PAW was originally conceived as a joint exercise between the Asia Pacific Privacy Authorities to raise privacy awareness as an emerging issue in the APEC region.

However, privacy has grown in public consciousness, customer consideration and business governance, to such an extent that the original desire to raise awareness of privacy per se has been eclipsed.

Privacy is now a cross-sector and cross-border conversation.

It affects any business that relies on personal information for its success, and that is pretty much every business.

It affects any government agency which seeks to improve its ability to better target and deliver services, and that is every agency.

It is paramount to consumers or clients who have investment in their personal identity, and want transparency and choice about how their identity is used and protected — and that is pretty much everyone.

I can assure you from the perspective of my Office — seeing the calls that come in, the questions that are raised, the complaints that are filed, that privacy remains, and continues to increase as a key issue for the community.

I know that as Australian consumers are known to be early adopters and heavy users of new technology — it may sometimes appear that privacy is not a top of mind issue for consumers.

But with the rush of excitement about suddenly being able to access new retail and media now cooling, and consumers being more considered, caring for one’s own personal identity remains core.

This was reinforced just last week in the release of the Deloitte Privacy Index, which reported that 94% of consumers believe trust is more important than convenience in their product and service choices.

That clear resurgence of trust over convenience also points to the rewards for businesses who have already adopted the “privacy by design” approach.

The idea that privacy can be a bolt on extra has always been impractical from a regulator’s perspective but is now also undesirable from a consumer’s.

So it’s fair to say there has never been a more important time to ensure that privacy is built into the fabric of business and into every product and service development.

In this era of a data driven economy, where innovation itself relies increasingly on using personal information in new technological contexts, businesses and agencies know that if they go down this path it will be essential that they get privacy right in order for long term success to follow.

And privacy is also, very much, an international conversation.

For domestic businesses particularly those  focusing both on a domestic and global market, the impact of the international developments such as the new EU Regulation, or the US Safe Harbour decision and the resultant development of the US Privacy Shield will be felt in Australia, which is why today is so important.

The international growth in public interest and understanding of privacy as a significant information-age concern, and the recognition in government and corporate responses to that interest, has also allowed more contemporary debates about privacy integration to emerge.

We no longer need to debate if privacy is important, and can instead focus on the current and emerging challenges we need to discuss and resolve.

And, with our baseline knowledge and awareness of privacy governance established, we can start to debate some of the more complex and nuanced issues that privacy raises — we can also allow room for new and challenging voices — which is the primary point of today’s event.

Those of you who have joined us before may recall that at this annual privacy breakfast it is customary for me to give a wide-ranging speech on the year ahead from my perspective as Australia’s privacy regulator.

It won’t be as wide-ranging today….

(Is it just me, or did the room just heave a sigh of relief?)

But don’t take this to imply that my Office does not have a diverse agenda over the coming year.

We do.

Now, for those of you who have worked closely with our Office over recent years, you will be aware that the last couple of years have been , a little challenging, to say the least. 

In the 2014 Budget the Government announced its intention to disband the OAIC, introduce new arrangements for the handling of FOI matters, and re-establish an Office of the Privacy Commissioner.

However, as part of the 2016 Budget, the Government announced that it would not proceed with those changes and returned funding to the OAIC to enable it to continue with its regulating role under both the Privacy and the FOI Acts.

As you might expect then, with the funding of the OAIC’s privacy and FOI functions now confirmed, you will be hearing from us a great deal and in a diversity of fora and locations. 

Starting this month, the OAIC’s new Privacy Professionals Network will provide opportunities throughout the year to engage on the latest business and government privacy regulation debates; and to hear updates and be involved in policy development with the OAIC team.

I’m delighted to say that the first of these meetings will take place in a fortnight’s time, in Perth.

This will in turn be the start of a calendar of professional meetings and seminars to be held in major cities around the country. But the choice to begin in WA is a deliberate one which sends, I hope, a positive symbol of how this national regulator intends to engage with privacy professionals on a national basis.

And, to be realistic, as good as the catering is here at the Westin, it’s still a lot to ask people to endure a red-eye flight from Perth for the privilege.

Turning now to this year, you will be hearing from us on the important issue of how Australia can not only manage, but lead the way in, reconciling the significant policy and innovation potential of big data with the vital public confidence that comes from the protection of personal information.  

Exploring and testing this potential is undeniably a current reality of Australian business and government; and as Australia’s privacy regulator, I must respond to that reality. For this reason, my Office is consulting on a draft Guide to big data in the context of the Australian Privacy Principles.

This has been developed in recognition of the use of data, and its potential to bring about social and economic benefits.

But in order to realise those benefits we need to get privacy right as it is critical to consumer and public trust.

There is no doubt that big data practices challenge us to think about how key existing privacy principles — including notice and consent, data collection, use limitation ,and retention minimisation, — work in practice.

However, the APPs are technologically neutral, and structured to reflect the entirety of the information lifecycle.

This means entities have the flexibility to tailor their personal information handling practices to respond to the privacy challenges of big data uses.

The draft guide is aimed at facilitating big data activities while protecting personal information. It encourages entities to take a risk management approach and to use existing privacy tools to get privacy right for big data. Key privacy requirements and helpful privacy tips are outlined in the draft guide, and we want your feedback so together we can get privacy right in this important area.

And, as I recently outlined at the CeBit 2016 conference a couple of weeks ago, my Office is of the view that obtaining an agreed understanding of the role that deidentification may play is a key priority, and one we want industry and expert input on.

Deidentification if done properly, can be a privacy enhancing tool with potential to unlock the value of big data. And the OAIC will be revisiting its guidance on deidentification in coming months. To that end we will be conducting a series of conversations, through the Privacy Professional’s Network and other networks, to work with business, government, consumer and technical groups on the possibilities of deidentification.

We want to ensure that our end guidance is not only an accurate reflection of the Privacy Act, but also a practical and reliable solution that builds public confidence in the potential public benefit of data-driven innovation.

To be clear, my Office understands the value of information.

Indeed, the FOI Act, which I also regulate, is underpinned by the principle that government held information is a national resource — with all the associated expectations as to how it should be used in transparent public interest and to the best value.

We also understand that the value of this information is often best realised when it can be shared, used and built upon. And, as principles-based law, the Privacy Act is flexible enough to support all manner of data initiatives, provided that an integrated approach to privacy management is taken up front.

With this in mind you’ll also see a lot of focus from us on the Internet of Things and tech start up sectors this year — working to build privacy governance into the outset of our future tech-leading companies.

We are collaborating with these sectors on the need to get privacy right and are encouraging them to make use of tools like our Privacy Management Framework, and our template for small and medium enterprises (which you can find in your show bags).

This collaborative approach is our preferred model to regulation but rest assured that it will continue to be supported by a robust calendar of assessments, investigations in a variety of business and government sectors. 

Without divulging our full assessment calendar I can say that — building on our assessment of Coles and Woolworths loyalty programmes so far this year — it will include a look at some of the other most popular loyalty schemes in Australia.

You’ll want to ask which programs I’m talking about. But that would be something of a spoiler, wouldn’t it?

All I can suggest is, have your Privacy Management Frameworks well established.

We will also be continuing a strong focus on telecommunications as part of our oversight of the privacy aspects of the telecommunications metadata retention regime, as well as examining government agencies with significant personal information holdings. 

I stress that being the subject of an assessment does not necessarily mean that there is anything untoward. But our assessments are vital to providing consumer and public transparency as to how their individual privacy rights are being protected and respected. They are also designed to assist entities to enhance their information handling practices.

The focus on individual rights also continue this year with the start-up of another important consultative forum, our Consumer Privacy Network, the CPN. The first meeting of which will be held next week.

I look forward to the CPN informing many of the policy and public education initiatives we have planned for the coming year — particularly as we look to expand the public education and information role of the OAIC, to ensure that people continue to be aware of their privacy rights and how to exercise them.

This will continue to be supported by a dispute resolution, conciliation and determination system that I am pleased to say is now running more effectively and efficiently than ever before — providing timely and fair outcomes for complainants, as well as clear guidance to businesses and agencies on regulatory expectations.

For example, one of our top sources of complaints is about giving access to an individual’s own personal information. We want to make it easier for business and agencies to get this right, so we’ve developed a new access and correction resource, which you can also find in your show bags.

More broadly, last financial year our office received some 12,241 privacy enquiries, opened nearly 3000 (2,838) complaints and closed close to 2000 (1,976), as well as handling 117 voluntary data breach notifications. We also conducted 19 assessments involving 101 entities across government and business.

Our average resolution time for formal complaints has also come down significantly.

If that were not enough privacy interest for the year ahead then I also note that, in August, the very definition of personal information — arguably the most important term in the Privacy Act — will be considered by the full bench of the Australian Federal Court.

As many of you will recall this definition was explored by the Administrative Appeals Tribunal, in an appeal of my determination in the matter of Grubb v Telstra.

The AAT’s decision presents, potentially, a new and different scope to what constitutes personal information under the Privacy Act.

I firmly believe that clarity and certainty around that definition are critical to the operation of the Act and to the fair and reasonable expectations of any business or agency which is required to be accountable to it.

Accordingly, I am of the view that consideration of this issue by the full bench of the Federal Court is essential for both our Office, and the entities we regulate.

So! There is much for us to talk about this year in the Australian context.

But for now, let me turn to the international perspective.

This Privacy Awareness Week has taken on a decidedly international perspective, thanks to the involvement of our keynote speaker today, the United Nations Special Rapporteur for Privacy, Professor Joseph Cannataci.

Professor Cannataci’s appointment is, in itself, a significant milestone in the international recognition of privacy as a fundamental human right.

And his remarks on privacy and data protection concerns in various jurisdictions have already generated significant new interest, awareness and debate on the international stage.

So, unsurprisingly, when my colleague, John Edwards, the New Zealand Privacy Commissioner, and I mentioned Privacy Awareness Week to him in passing last year, he was keenly interested.

When that interest converted into a potential joint invitation by Australia and New Zealand to visit our respective nations for Privacy Awareness Week 2016, I was delighted that the mt Office could participate. 


The speech is well written.  And well typed.  The problem is the content. There isn’t much.  Something of a fog; its visible, has form but no substance.  The broad sentiments are laudable, privacy is important, it has grown in public consciousness and that privacy by design is the best approach,  And trite.

The main problems are:

  1. the continuing reference to collaborating with the private sector is admirable but no substitute for the use of the full panoply of powers available to the regulator.  The Commissioner states “This collaborative approach is our preferred model to regulation..”  It would be more accurate to say it is the only, flawed, model.  The regulator has an almost pathological aversion to actually using his enforcement powers.  At the moment, as has been the case for many years, the focus is to educate until you nauseate.  Of course it won’t change the culture.  Without incentive poor culture will be the norm;
  2. identifying an impending inspection and assessment of loyalty schemes is more about process than action. It is like the police giving advance notice of a raid.  In this case the Commissioner can say an assessment shows compliance.  This has no impact on the many organisations that do not even come close to compliance but would if they saw action being taken which results in penalties, injunctions and media attention.
  3. the establishment of the Consumer Privacy Network has very little in the way of focus.  It’s aims are vague to the point of anodyne.  The office rarely has regard to submissions to its draft guidelines so there is scope for scepticism.  More to the point, resources should be directed to enforcement.
  4. the listing of figures means very little.  The speech states”..12,241 privacy enquiries, opened nearly 3000 (2,838) complaints and closed close to 2000 (1,976), as well as handling 117 voluntary data breach notifications. We also conducted 19 assessments involving 101 entities across government and business.”  A closed complaint can be anything from a mediated resolution to the Commissioner deciding to close it, whether the complainant likes it or not.  There is no indication of any action taken relating to voluntary data breach notification, even if the breach was caused by negligence of the organisation.  The assessments are easy work but does very little to change culture.  Enforcement does that.

The Commissioner’s speech, especially about his big plans for loyalty schemes, are covered in itnews at Privacy commissioner puts Australia’s loyalty schemes on notice. The reportage that the customer databases are in the Commissioner’s cross hairs is, to put it mildly, overblown.  Giving a long lead time warning is a way of ensuring the rifle stays in the locker.  Which is consistent with weak regulation.

One Response to “Privacy Commissioner speech at launch of Privacy Awareness Week”

  1. Privacy Commissioner speech at launch of Privacy Awareness Week | Australian Law Blogs

    […] Privacy Commissioner speech at launch of Privacy Awareness Week […]

Leave a Reply

Verified by MonsterInsights