Privacy Awareness week has come and gone and not much has changed
May 10, 2021
It is better to have Privacy Awareness Week than not. It is just that it is poorly promoted and the regulator has relatively little to say. That is a major pity.
This year the Commonwealth Information Commissioner, in addition to an anodyne joint statement by information commissioners, did put out glossy tips for home, tips for work, tips for parents and carers, guidance on what to do if individuals receive a data breach notification, and 10 steps to undertaking a privacy impact assessment. OVIC had a modest program. Media coverage was thin on the ground, the most notable item being ABC News Radio's 6.21 minute piece Does privacy still exist in 2021? It is little wonder governments feel little pressure to bolster privacy rights in Australia.
What is interesting is the recounting of the 2020 Australian Community Attitudes to Privacy Survey. It is something of a behemoth running to 121 pages. Some of the findings are:
- 70% of Australians see the protection of personal information as an important issue and a major concern in their life.
- 84% think identity theft and fraud, and data security and breaches, are the biggest privacy risks.
- Most Australians have a clear understanding of why they should protect their personal information (85% agree), but half (49%) say they don’t know how.
- 84% feel privacy of information and data is important when choosing a digital service.
- 87% want more control and choice over the collection and use of their personal information.
These figures are hardly surprising but are always worth recounting, because there remains a subcurrent of cynicism about privacy and unfounded statements that people have given up on their privacy and are prepared to sacrifice it for services or security, or both. As if it were a binary choice, which it never has been.
The Information Commissioner delivered a speech on 7 May titled Fair, flexible, fundamental: the future of data protection in a digital world where she stated:
Introduction
Good morning and thank you for that introduction Michael. It’s great to be here with you at the end of what’s been our biggest Privacy Awareness Week yet, where we’ve called on the community as well as business and government to make privacy a priority.
And this morning I’m going to give you an insight into what our community thinks about privacy and where the community says we should put our priorities, but also from a regulatory perspective, with the review of the Privacy Act underway.
A decade of the OAIC
The OAIC has now been in existence for a decade. During that time, we have assisted hundreds of thousands of people with reviews, complaints and enquiries. We have:
- driven better practice through our advice and guidance, education and awareness
- held regulated entities to account through our compliance and enforcement work, audits and investigations
- and helped shape the information landscape through our submissions and policy advice, and our active program of regulatory engagement and collaboration, at home and abroad.
More recently, we have taken on responsibilities for enhancing consumer protection and improving personal information security through our oversight of the Notifiable Data Breaches scheme and the Consumer Data Right.
But as we acknowledge the achievements of that decade, we are firmly focused on the decade ahead, and a framework for managing information privacy and access that meets the challenges of our digital era.
Today, at the end of Privacy Awareness Week, I’m going to focus on our privacy regulatory priorities and the current review of the Privacy Act. But it’s also important to note that the FOI Act also has an important role to play when it comes to access to personal information held by agencies.
There were more than 41,000 FOI requests to agencies last year, and 81% of those were for access to personal information. The FOI Act plays an important role in protecting personal information from unreasonable disclosure, where that’s contrary to the public interest.
Privacy in a digital world
Reflecting on where we’ve come from, and particularly the past 18 months, we can see a transformation in where and how our personal data is used. It’s fair to say that the focus of our collective privacy interests has moved from an analogue to a digital world.
In the OAIC’s early years, privacy breaches of physical documents were the norm. There were occasions when staff went and retrieved records from where they had been dumped or discarded in back lanes – both to safeguard people’s sensitive information, but also to serve as evidence.
And privacy in the physical realm remains a concern. While cyber intrusion is the leading cause of data breaches, we still have instances of lost or stolen paperwork and devices and they are featuring in notifiable data breaches reported to my office.
But of course, the vast amounts of personal information now stored and shared across the globe, the countless ways our information is handled by governments and private sector business, innovation, research, and service delivery, and in our day to day lives, means data privacy is now the core concern.
So, learning from the experience of the past decade, and from our international counterparts, means we are in a unique position to offer the OAIC’s regulatory experience as Australia looks forward, and to plan for a privacy system that will address issues in the here and now, and serve us for the next decade.
Today, with the review of the Privacy Act by the Attorney General’s Department underway, I would like to talk with you about that opportunity from the regulator’s perspective: for a contemporary system of privacy regulation that assists Australia in the global digital economy.
And that’s a system that respects our fundamental human right of privacy and encourages entities to build in the privacy fundamentals from the ground up. A system that remains technologically neutral and flexible to suit entities’ different circumstances, but is able to deal with emerging challenges, and those we cannot foresee as we stand here now.
Above all, a system that requires our personal information to be handled fairly, and reasonably, and that will support Australia’s investment in the Digital Economy Strategy as part of this year’s budget.
Community expectations
In approaching privacy regulation now and in the future, we are informed by the concerns of the community and their expectations. Our recent survey of community attitudes to privacy told us privacy is a major concern for 70% of Australians and 87% want more choice and control over how their personal information is handled.
Identity theft and fraud, data security and breaches, and digital services such as social media sites are seen as the biggest privacy risks, and the concerns are based on experience. Nearly 60% of Australians experienced a problem with the handling of their personal information in the previous year.
Of interest to agencies, government is generally more trusted than businesses with the protection of personal information, and certain uses of personal information are considered more legitimate than others, such as public safety.
As government seeks to use personal information and technology for more efficient and effective service delivery, to inform public policy and enable research, retaining the trust of the community is going to be central to its success. Critically, trust and confidence that personal information is protected and respected.
Regulatory priorities
In line with what the community is telling us, my office is focused on four priority areas to focus our privacy regulatory actions, minimise the risk of harm to individuals and provide consistency and certainty for regulated entities. They are around:
- online platforms, social media, and high privacy impact technologies.
- security of personal information
- regulating the Consumer Data Right, and
- personal information handling practices that have arisen in the context of COVID-19.
I am also pleased to report – in terms of individual complaints – that over the past year we have eliminated a backlog of complaints through initiatives made possible by additional funding.
And we are determining more complaints than ever, and that provides you as practitioners with some important precedents to guide your advice to agencies. Cases, for example:
- where the complainant’s online records were linked with those of her former partner, and she had experienced domestic violence, which demonstrates the importance of taking reasonable steps to ensure the accuracy of personal information before it’s used
- sending sensitive health information to the wrong email address highlights the need to safeguard personal information
- determinations emphasising the importance of private sector respondents, and there are some lessons there for health practitioners, around providing access to personal information, and
- Commissioner-initiated determinations that draw out the issue of privacy policies and notices – that they should be a transparency mechanism not a notice and consent mechanism.
Declarations from those determinations have required payment of compensation, changes of practice, and also government agencies and businesses to conduct audits and report to my office.
Online platforms, social media, and high privacy impact technologies
So looking at those four regulatory priorities in a little more detail: in terms of online platforms, the global digital economy brings opportunity. It also creates privacy risks.
Our goal is to shift the environment so that organisations are providing consumers with a greater degree of choice and control, but also, that entities are building in systems upfront to protect personal information, and that of course includes Australian Government agencies.
We have regulatory actions and investigations on foot including those that seek to hold global digital businesses to account. That includes our Federal Court action against US-based Facebook Inc and Facebook Ireland. AGS is representing us in that matter.
You may be aware that in September the court granted us leave to serve the initiating court documents. Today the full Federal Court will hear Facebook Inc’s application for leave to appeal that decision. The primary issue is whether the Privacy Act applied to Facebook Inc at the relevant time.
Internationally, with our UK counterpart, the Information Commissioner’s Office, we are jointly investigating Clearview AI over its use of ‘scraped’ data and biometrics for its facial recognition app.
And the online environment is also an area where regulatory frameworks intersect, both domestically and internationally: privacy and data protection, consumer protection, competition, online safety, as well as the role of financial and corporate regulators in protecting the public interest. That’s why we have MOUs in place including with the ACCC to guide our regulatory co-operation, including for the Consumer Data Right.
In terms of government, we are also engaging and auditing government online initiatives, such as the Digital Transformation Agency’s expansion of the Digital Identity system.
Security of personal information
Security of personal information is also a fundamental element in the ring of defence for Australians engaging in the digital environment and is a regulatory priority.
Along with the Cyber Security Strategy 2020 and the Online Safety Bill, measures that protect personal information give citizens the confidence to participate in the digital economy. Privacy built into the design of tech and systems helps realise the benefits of digital and data.
We report twice yearly on the Notifiable Data Breaches scheme, including causes, and identify areas where entities need to do better, and I urge you to consider those reports. Across most of the 1050 data breaches that we received last year we continue to see a human element.
We are prioritising regulatory action for significant failings to protect personal information, particularly where we have called out the risks and mitigations in our six-monthly reports.
In our last NDB report, it’s worth noting that the Australian Government entered the top 5 industry sectors for the first time. Agencies reported 33 data breaches – all but 4 caused by human error.
About half involved personal information being emailed or mailed to the wrong person. So agencies need to make sure they are mitigating those risks with processes and systems, and in terms of training of our people.
We also expect timely assessments of suspected eligible data breaches and notifications where there is a likely risk of serious harm.
Regulating the Consumer Data Right
Our third regulatory priority is co-regulating the Consumer Data Right, and working with Treasury and the ACCC as it rolls out across the economy. This reform is a clear example of how privacy safeguards and consumer protections work together, in the public interest.
Consumer Data Right gives individuals more choice and control over their data and encourages competition and innovation, and it is founded on a privacy-by-design approach.
There are also lessons to be learned from CDR. The CDR privacy safeguards have got additional protections that are not present in the Privacy Act, and we need to look at that in light of the review. Consumers have a clear right to delete their CDR data, and to take action in courts for breaches of the privacy safeguards.
We also have an opportunity to ensure the CDR privacy safeguards are interoperable at the global level, and that is also an objective of the privacy review from my regulatory perspective.
Personal information handling practices arising from COVID-19
The last regulatory priority is the impact of COVID-19 on personal information handling.
Our community attitudes survey from last year did tell us that Australians agreed some concessions must be made to privacy protections during the pandemic, so long as they are not permanent. Three-quarters believe COVID does not excuse business or government from meeting their usual obligations under privacy laws.
So, we have an ongoing role to play to ensure the responsible handling of personal information to support strong public health initiatives and outcomes.
We supported amendments to the Privacy Act to legislate strong privacy protections and expand the OAIC’s regulatory role and powers in relation to the COVIDSafe app. We have also published extensive guidance on COVIDSafe and contact tracing and we are engaging with COVID privacy issues as they arise, including the vaccine roll-out, and its implications for employment and travel.
Of course, we continue to oversee the privacy aspects of the My Health Record system, which the government plans to update to integrate certain COVID-19 health information.
Shift in privacy regulation
These regulatory focus areas illustrate the shift that is already taking place in the way we protect personal information, and it is in response to the community’s expectations.
The public has sought stronger safeguards for their information considered higher risk, in situations like COVIDSafe, My Health Record and also CDR data. The Notifiable Data Breaches scheme provides greater accountability for organisations handling our personal information.
And in line with the Digital Platforms Inquiry recommendations of the ACCC, we are expecting to see a draft bill from government to enable a new Online Privacy Code, infringement notices to be issued by my office, and an increase in the value of penalties that I can seek in the Federal Court to align with competition and consumer remedies.
Privacy fundamentals
So, what further change is needed to make our privacy law fit for purpose in the digital era?
From the OAIC’s perspective, the foundations of the Privacy Act are sound. It implements Australia’s international obligations in relation to the fundamental, although not absolute, right to privacy. As the regulator we promote privacy fundamentals to the agencies and organisations the Act covers.
Flexible and technologically-neutral
However, our regulatory experience, international developments, community expectations – all tell us that more is needed.
As you know, the Privacy Act is principles-based, so it is technologically-neutral, and flexible and scalable to suit different organisations across the economy. We think it is important to retain that scalability. But we do see the need for binding codes or rules that provide greater specificity or clarity for sectors, including in areas of higher risk, to give more certainty.
Fair and reasonable
We are also recommending a broader change to create what we say, based on our regulatory experience, is required: to have a new standard or benchmark of fair and reasonable handling of personal information right across the information lifecycle.
More than 30 years ago, when the Privacy Act was introduced, we could not have predicted the complexity of the information flows that are happening now. We can no longer navigate the system by relying so heavily on notice and consent – as individuals or indeed as regulators.
Recent research shows social media privacy policies, for example, run to an average of more than 6,000 words. Our own attitudes to privacy survey tells us that only 31% of people normally read online privacy policies, usually because they are too long or too complex. When they do, more than half say they are not confident they’ve understood it.
So, it is not realistic nor is it fair to expect individuals to absorb long and technical policies, decipher complex practices, and to give their meaningful agreement in all cases, and it does impact consumer trust and confidence.
Trust in personal information handling
Our survey shows trust in information handling practice is continuing to decline. For the Federal Government it is down by 14% since 2007, and about 13% for businesses, and a strong majority – 83% of Australians – want government to do more to protect their information.
So, we see a need for this new baseline for privacy practice that meets community expectations and helps to restore that trust; requiring entities to not just collect our information by fair and lawful means, as is the current legal test, but to use and disclose it fairly and reasonably.
It is also relevant as we look at growing the artificial intelligence sector. Of course, new technologies such as AI can have positive impacts for innovation and society, but they can also have a high privacy impact. A fair handling obligation will help to close that gap between the expectation and the practice.
No-go zones
We have also recommended that we consider as a community whether some data practices should be limited, or indeed prohibited. To give you an example, 84% of Australian parents believe their children have a right to grow up without being profiled and targeted with advertising online.
In March, the UN Committee on the Rights of the Child recommended that the profiling or targeting of children of any age for commercial purpose should be prohibited in the digital environment.
In the US, the Children’s Online Privacy Protection Act prohibits behavioural advertising to children – where they are served ads based on monitoring of their past online behaviour – without parental consent.
Internationally, we have seen strong regulatory action to protect children in the digital environment.
Other areas of concern include inappropriate surveillance, tracking, monitoring or recording of individuals, and scraping of personal information from online platforms.
Smart regulation
Our privacy framework also needs a regulator who has the right tools and capabilities to support entities to comply, and to enforce the law where it is required.
We’ve also asked government to consider providing us with more discretion to identify and address the most serious situations before greater harm occurs.
Data and digital
Data, digital and smart regulatory design are seen as key to our recovery from the COVID-19 pandemic and our continued economic success.
For the OAIC, the future of privacy is regulation that:
- gives certainty to business and government while providing for fairness and accountability
- supports global interoperability and minimises regulatory friction to help drive economic growth and innovation, and
- fosters confidence and encourages digital participation by all Australians, while protecting their fundamental rights.
I look forward to talking more with the panel about these and other opportunities and taking your questions. Thank you.
It’s something of a meh speech: long on overview, delivered from a great height to a small target, full of aspirations and short on action. The Commissioner’s office is better than it was, but it remains a very timid and weak regulator. It is far from certain that additional powers from the Privacy Act review will change that culture.
Just to highlight how privacy and data security remain key issues today, the Australian Cyber Security Centre released an alert on vulnerabilities in the Exim mail server. On 26 April 2021 the REvil/Sodin group successfully attacked Uniting Care Queensland, shutting down its digital and technology systems. Given the increasing use of My Health Records, with its problematical privacy protections, this is disastrous. Uniting Care Queensland gave a statement of what happened on 5 May that was better than some but not as good as others, stating:
On Sunday 25 April, UnitingCare Queensland (UCQ) was impacted by a cyber incident. As a result of this incident, some of the organisation’s Digital and Technology systems have since been inaccessible.
The health and safety of the people we serve and our employees is our number one priority as we work to resolve this issue.
We can confirm that the external group claiming responsibility for this incident has identified themselves as REvil/Sodin.
As soon as we became aware of the incident, we engaged the support of leading external technical and forensic advisors. We also notified the Australian Cyber Security Centre of the incident and are continuing to work closely with them to investigate it.
Since the outset of the incident, we have been in pro-active regular contact with all relevant regulatory and Government departments.
Due to the recency of the incident, it is not possible to provide a resolution timeframe at this stage, however we can confirm that we are making significant progress towards securing, cleansing, and recovering our systems. Some systems have already been reinstated with cyber security testing now underway.
With the assistance of leading experts and advisors, we are conducting a thorough investigation into whether patient, client, resident or employee information has been breached. This investigation is continuing and we will continue to keep the people we care for updated in this regard, in addition to employees, regulators and other stakeholders.
Since the incident occurred, as part of our business continuity plan, back-up and downtime procedures have been in place to ensure continuity of our clinical and care services, and these procedures have been working very well.
At this point in time, we do not have any evidence that the health and safety of our patients, residents or clients has been in any way compromised as a result of this cyber incident.
All employees have continued to be paid on-time as usual, however if any pay issues do occur we have established an employee payroll hotline and rapid-payment solution to address these. We are regularly communicating with our employees about this process.
We have been working very hard to keep our people, patients, clients and residents informed as we work to resolve this incident. We remain strongly committed to providing regular relevant updates.
As previously advised, updates on this matter will be posted to the media section of this website (UnitingCare Queensland) as we gain greater clarity on the incident and the likely resolution timeline.
In Australia, organisations remain keen on defaulting to vagueness. In the United States, organisations are often prepared to provide more detail. This statement is much better than those of many Australian organisations hit with a cyber attack; often such statements are meaningless guff. Here Uniting Care did set out what it was doing and was able to give some reassurance on the impact on patients. The ABC did a piece on the attack, borrowing heavily from the media release.