The 2016 Australian census has caused much debate about data security and data privacy - with far-reaching implications for digital government into the future.
Timothy Pilgrim is the Australian Information Commissioner and Australian Privacy Commissioner. In these roles he is responsible for regulating the Privacy Act 1988 and the Freedom of Information Act 1982 — two key pieces of legislation outlining the responsibilities of government agencies and numerous businesses in information handling and management.
In this capacity, he will be participating in a panel discussion at CeBIT Australia 2017. We had the chance to catch up with him to chat about the latest developments in data privacy.
The 2016 census brought a number of privacy and security issues to light. What do you think government agencies could learn from this example?
Pilgrim: This incident served to highlight the importance of addressing community privacy concerns and obtaining community support to the success of projects involving personal information.
As the Census gained public attention, numerous individuals expressed concern about the extended retention period for name and address data. The ABS’s communications emphasised data safety measures, an area in which the ABS has a well-deserved reputation after many years of successfully protecting personal information.
The problem was that increasingly the questions being asked by the Australian community about the Census were not about the what, when or how of data security, but ‘why’ questions, including ‘why do names and addresses have to be retained at all?’
As the two halves of this conversation failed to meet, privacy concerns grew and came to dominate perceptions of the 2016 Census.
This incident is therefore a salutary lesson in just how community expectations around the use of personal information are shifting — and how meeting these expectations is integral to the success of a project involving personal information.
A key theme that emerged from the fallout was a concern that sensitive data was being compromised, yet people have no problem putting up more personal information on social media sites. Why, do you think, is there a distinction between the way the public perceives government handling of data and what they decide to share publicly?
Pilgrim: The personal information that government agencies collect is usually through an individual’s dealing with government, for example, to receive a social security service or through paying taxes. In many instances, individuals must provide their personal information, and this is supported by legislation.
That is vastly different to the circumstances in which individuals share their information on social media platforms. Individuals can post a variety of personal information if they choose to on social media, because that’s their choice. Remember: privacy law is not about keeping everything secret, it’s about protecting people’s choices about what they reveal, to whom and when.
Turning back to transactions with Government agencies, there is often no real choice but to provide the information. It’s not as if, for example, customers of the ATO can go to a different tax office to lodge their returns. So collection of personal information by Government agencies is often a type of compulsory acquisition.
This, in my mind, really reinforces the importance of government agencies implementing privacy management that is best practice. In fact, I’d argue it means that they need to be, and be seen as, the national leaders in this regard.
What should agencies be doing to protect their data?
Pilgrim: Technology will continue to rapidly develop, and as these new technologies are integrating into data handling practices and management, it will be important to address privacy and ensure the minimisation of privacy risks.
That is why my office advocates for a privacy-by-design approach for both businesses and government agencies. Privacy-by-design refers to putting privacy first in any data handling practice and project. That means considering how privacy may be impacted by a change in processes, or a new project, and working to eliminate or minimise any negative impacts with a range of strategies.
Part of implementing privacy-by-design is completing a privacy impact assessment, or PIA, which involves reviewing a project or change in process for potentially negative impacts on individuals’ privacy. Under Australian Privacy Principle (APP) 1.2, it is an obligation of entities covered by the Act to take reasonable steps to implement processes and procedures that make sure you comply with the APPs — a PIA is a key tool to enable this.
Do you think that our notion of privacy is going to change as technology evolves?
Pilgrim: Our understanding of privacy has recently undergone a significant transformation — once thought of as being synonymous with ‘secrecy’, privacy is increasingly about ‘transparency’. Generally speaking, Australians appear happy to share their personal information in order to access these goods and services, provided they know how their personal information is managed. So, privacy is increasingly about transparency, and being clear and open about information handling practices so that individuals can make informed decisions about how their information is used, and who has access to it.
What excites you most about the latest technological developments?
Pilgrim: It is fantastic to see community awareness and interest in privacy growing, and to see increasing discussion of privacy in both the public and private sectors. Working in privacy combines technological advancement with the endless variety of human behaviour – so it’s always evolving and it never ever gets dull!
Do you have any recommendations on how professionals can become more involved in the privacy debate?
Pilgrim: My office is hosting the 47th annual Asia Pacific Privacy Authorities forum this year, and as part of this we are holding a major conference on the 12th of July called ‘Data Privacy Asia Pacific’. The conference provides an opportunity for interested professionals to engage with data innovators and privacy professionals on the front line of emerging technologies and data projects.
It may also be of interest to know that our 2017 Australian Community Attitudes to Privacy Survey will be released during Privacy Awareness Week (PAW) this year — between the 15th and 19th of May. The survey reveals changes in community attitudes to privacy and the handling of personal information, emerging privacy trends, and key areas of community concern. Businesses are still able to sign up as a partner for PAW 2017.