The ABC of privacy - Everything you need to know about privacy



Speech by Karen Curtis, Privacy Commissioner, to the Department of Broadband, Communications and the Digital Economy, Canberra, 8 July 2008

Introduction

I thank Patricia Scott for the invitation to speak to the Department.  I also thank Kim Allen for his introduction.  Kim is the Department's Privacy Contact Officer and, like all the PCOs across the 200-odd Commonwealth departments and agencies, he is our initial point of contact for a privacy-related inquiry or complaint.

I have been looking forward to speaking to you today for a number of reasons:

  • I started my public service career a quarter of a century ago in the equivalent of this department
  • as public servants you all have obligations to handle personal information in accordance with the Privacy Act
  • but most importantly, privacy underpins the policy settings for the communications and digital world. As the Secretary General of the OECD said recently in Seoul at the OECD Ministerial meeting, "personal information is the currency of the Internet economy". Therefore, in developing policy on the Internet economy, you have a responsibility to consider the impact on the privacy of Australians.

In my four years as Privacy Commissioner, there has been one constant for me about privacy.  Privacy is simply about common sense and respect.

The most important thing to understand about having a good privacy culture in a department is to understand that privacy isn't complicated. 

This afternoon, I propose to give you the 'ABC of privacy' or, if you like, everything you should know or learn about privacy within 45 minutes.  I will:

  • give a brief overview of federal privacy regulation (some of you may already be familiar with this)
  • discuss 4 different scenarios that may affect you as DBCDE public servants, and
  • foreshadow what's coming in the privacy legislation field.

1.  Overview of federal privacy law

The Office

My role as Australian Privacy Commissioner is primarily to administer the Privacy Act 1988.  In practical terms, this is achieved through three functional units of my Office primarily located in Sydney, which deal with education, policy advice, and complaint handling and auditing.  The Office comprises over 60 staff. 

Our strategic plan articulates our vision as an Australian community in which privacy is valued and respected.

Our purpose is to promote and protect privacy in Australia.

Our functions are outlined particularly in section 27 of the Privacy Act.  Perhaps most fundamental for the role of a regulator are the specific statutory functions in relation to complaint handling and investigation. 

Where possible, my Office has a facilitative approach to its regulatory functions.  We work with agencies and organisations to encourage compliance with the Privacy Act.  In resolving the 1,200 or so complaints received annually, we attempt to conciliate an outcome that is acceptable to both parties. 

Where such an outcome is not possible, the Commissioner may make a determination that can, if necessary, be enforced by the Federal Court or Federal Magistrates Court.  The relatively small number of determinations that have been made is an indication of the success my Office has had in resolving complaints through conciliation. 

The Privacy Commissioner also has an educative role - to encourage the adoption of privacy standards more broadly across our community, and an advising role - to give advice to federal and ACT Government agencies, and the private sector, about privacy.

It was Parliament's clear intent, consistent with international instruments, when enacting the Privacy Act that the Privacy Commissioner recognises that the right to privacy is not absolute.  Instead, privacy must have regard to other important and sometimes competing rights and interests such as the right to free speech and the right of business and government to achieve objectives efficiently. 

In pursuing our functions, whether they be promoting, educating, advising or regulating, my approach as Commissioner has been to not over-complicate privacy. 

I try to administer privacy law so it is about common sense, courtesy and respect. 

Privacy should be an enabler and enhancer and not seen as a burden for either business or government.  Indeed, for all those with obligations, 'good privacy is good business'.

Overview of the Privacy Act

Coverage

The Privacy Act in some way covers all of us within Australia.  Very few of us wouldn't interact with the health sector, the financial sector, the telecommunications sector or the ATO or Medicare! 

The legislation gives protection for personal information that is handled by most federal and ACT Government agencies, private sector organisations which have an annual turnover of more than $3 million, and all health service providers (regardless of turnover). 

The Privacy Act also provides protection for:

  • Credit worthiness information held by credit reporting agencies and credit providers; and
  • Personal tax file numbers used by individuals and organisations.

The Act imposes obligations on government agencies and business, not on individuals.  Recently, a call came through my Office's Enquiries Line, where the enquirer asked whether it was illegal under the Privacy Act to put up surveillance cameras to monitor her neighbours in their swimming pool and spy into their house.

A member of my staff explained that the Privacy Act regulates the behaviour of organisations and agencies, not individuals, and because of that, her enquiry wasn't in our jurisdiction.  We referred the enquirer to other sources who may have been able to advise her about laws regulating these kinds of activities.

This enquiry shows that the general community may not have perfect knowledge of privacy laws and my Office still has a way to go to explain the coverage and jurisdiction of the Privacy Act.  It also demonstrates the weird and wonderful queries that my staff face on a daily basis.  Just last week we've had inquiries about surveillance cameras in 'adult entertainment' venues, a membership list of a sporting club being sold by an aggrieved ex-official and telephone orders at supermarkets. When in doubt always contact my Office - 1300 363 992.

The Privacy Principles

Since its enactment in 1988, the Privacy Act has set out 11 Information Privacy Principles (IPPs) for federal and ACT Government agencies that govern how agencies handle personal information, including its collection, use and disclosure, security and destruction.  The Act also has 10 National Privacy Principles which govern the private sector in their handling of personal information.

Meaning of 'personal information'

Privacy in federal law is primarily about information or data protection.

The focus is information privacy as opposed to other notions of privacy, such as bodily or territorial. [1]  In turn, the boundaries of 'information privacy' are determined by the meaning of 'personal information'.

The Privacy Act does not list what is personal information.  The definition of personal information refers to information or opinion about an individual whose identity is apparent or can be reasonably ascertained. 

This notion of what can be 'reasonably ascertained' is significant.  Clearly, whether an individual's identity can be ascertained depends on the context in which the information is held.

As you would all be aware, with the emergence of newer, smarter technologies, it becomes more difficult to assume that the identity of an individual cannot be ascertained from particular types of information that superficially may appear to be de-identified.

Indeed, in the digital age, information about individuals can now be captured, aggregated and widely distributed far more easily than ever before.

With the internet, electronic databases, mobile telephones, by email, credit cards, and interaction with road tolls and global positioning systems, we leave a trail of information about ourselves like never before.

2. Scenarios

You all have an important part to play in protecting the privacy of Australians.  You do this in terms of management and supervision of your own staff, and in policy development.  So you have responsibilities in the 'here and now' with people you know, and in the long-term with the faceless millions!

I will now discuss some areas which will demonstrate how important good privacy practice is in your daily operations.

I'm going to use 4 scenarios which everyone should be able to relate to.  Scenarios 1 and 2 will be useful to all of you and particularly for anyone who manages staff.  Scenario 3 will be of relevance to anyone who works on policy, particularly during the policy development phase.  And the fourth scenario is about protecting personal information from information security breaches. 

Scenario 1 - As an individual and a manager

Many of you would have the responsibility of supervising staff. As a supervisor, it's highly likely that you are privy to sensitive personal information about your team.  Someone may have a medical condition or be in financial difficulties.  You have an obligation to keep this information secure.  There are steps you should be taking, as outlined in the IPPs, to keep this information safe from unauthorised access.

As a supervisor, your staff need to be able to trust you, and your agency to do the right thing with their personal information.  Agencies and organisations have to take responsibility for the protection of personal information and to use common sense when considering issues such as collection and access - even for internal staff. 

I'd like to discuss a complaint which came to my Office this year.  

The complainant, a former employee of a government agency, complained that their personal record held by the agency had been accessed by a current employee of the agency.  The employee, for reasons unrelated to their employment, used the records to locate where the complainant was living. 

The complainant said this caused them to fear for their safety, and resulted in them changing their name and place of residence. 

The complainant raised the matter with the agency and sought compensation.  Although the agency acknowledged that an unauthorised access to the complainant's personal record had occurred, it rejected the complainant's claim for monetary compensation. 

The complainant was dissatisfied with the response from the agency and wrote to my Office.

Issues

The agency had an obligation to comply with the IPPs.

Information Privacy Principle 4(a) obliges an agency to protect the personal information it holds with reasonable safeguards.  Information Privacy Principle 10 requires agencies to use personal information only for the purpose for which it was collected.

Outcome

My Office opened an investigation into the matter.

The agency advised that it had investigated the matter internally, and found that there had been an unauthorised access by an employee to the complainant's personal record. 

In the circumstances, where there were inadequate protocols and training about access to personnel records, I took the view that the agency had not taken reasonable steps to protect the complainant's personal information in accordance with Information Privacy Principle 4(a). 

Also, based on the evidence, the complainant's personal information had been used for a purpose for which none of the exceptions in Information Privacy Principle 10 applied.[2]

The agency advised that it had since applied additional protection to the complainant's personal record, and had terminated the employment of the individual who was identified as being responsible for the unauthorised access to, and use of, the complainant's personal record. 

The agency however did not consider that the complainant had provided sufficient evidence to substantiate the complainant's claims for monetary compensation.  [It is also worth noting that, in some cases where unauthorised access occurs, an agency may not be liable for the act of their employee, where it was not done in the performance of the duties of the person's employment.]

The fact that someone's employment was terminated and that a financial remedy was sought indicates the potential seriousness of a privacy breach.

My Office conciliated an agreement between the parties. The complainant accepted a confidential settlement for costs associated with the complainant's change of name and place of residence.

This matter was closed on the grounds that the agency had adequately dealt with the complaint.

This example shows how important it is to safeguard information.

The case also highlights that it is important for all in government to know their privacy obligations. There are risks and consequences if appropriate safeguards are not in place.

The Privacy Act is not an inhibitor

I am aware that some people are falsely under the impression that the Privacy Act is an inhibitor, and I would like to dispel that myth. This misunderstanding has arisen because sometimes organisations use privacy laws as a way of avoiding giving out information.  In my Office we call these 'BOTPAs', which stands for the erroneous use of the excuse 'Because Of The Privacy Act'!

For example, a market researcher calls an individual and asks them to take part in a survey.  The individual asks the market researcher which organisation they are undertaking the survey on behalf of and the market researcher responds "I'm sorry ma'am, but I can't give you that information because of the Privacy Act"!

The fact is that information privacy laws are not intended to be a block. Their purpose is to protect individual privacy not organisational privacy.

Scenario 2 - As a manager under a Code of Conduct matter

How much information do you provide to a complainant about the outcome of an APSC code of conduct review or an internal review?  Complainants have a legitimate interest in knowing that alleged 'wrongs' have been addressed. Complainants should be given sufficient information to provide assurance that the agency:

  • has taken the allegation seriously
  • does not tolerate behaviour that is inconsistent with the APS Code of Conduct
  • has imposed an appropriate sanction where a breach has been found, and
  • has taken appropriate steps to ensure the problem will not recur.

But when considering what information to provide to complainants to ensure confidence in public administration, agencies need to balance the:

  • protection of personal information about individual employees and the agencies' obligations under the Privacy Act; and
  • need to take reasonable steps to be transparent and accountable to other parties involved.

Agencies can provide general information to complainants about the outcome of investigations.   However, it should be possible in most circumstances to give a complainant adequate information about the way their complaint has been handled without disclosing personal information about an employee.

The primary consideration for agencies should be that disclosure of personal information (under IPP 11) regarding misconduct is managed in such a way that an employee's identity is not revealed unless it is necessary, appropriate and reasonable to do so. This is particularly important where the complainant is employed in the same agency.

Scenario 3 - Policy development

The third area where many of you would need to consider privacy is in policy development.

My Office has a strong policy advising role on government proposals which may impact on the privacy of Australians.  We do this in a number of ways.  We provide informal comments and advice; we have MoUs with agencies on discrete projects; we provide Cabinet comments; and we make public submissions to departments or to parliamentary inquiries.  For instance, we will be making a submission to the AGs/DBCDE E-Security Review.

My firm view is that it is much easier and more productive to influence the development of policies and initiatives in the formative stage rather than trying to add privacy considerations on at the end.  

Considering privacy at the conclusion of a process may often require a combative, rather than constructive, approach and does not result in better privacy outcomes for Australians.  Much better public policy outcomes are achieved when privacy is 'built in' rather than 'bolted on'.

Sound policy development helps to maintain a sound reputation and community trust for an agency.

My Office's 2007 Community Attitude survey revealed that 73% of Australians consider government departments to be trustworthy, an increase from 64% in 2004 and 58% in 2001.

Privacy-friendly policy development is an important factor to increase trust and transparency.

To help achieve this, my Office released a Privacy Impact Assessment Guide (PIA Guide) in 2006.

The PIA Guide assists Australian and ACT Government agencies in determining the impact new proposals could have on privacy.  

A PIA is an assessment tool that describes the personal information flows in a project, and analyses the possible privacy impacts that those flows, and the project as a whole, may have on the privacy of individuals.  Put simply - a PIA tells the story of a project or policy initiative from a privacy perspective and helps to manage privacy impacts.

The purpose of doing a PIA is to identify and recommend options for managing, minimising or eradicating privacy impacts and indeed enhancing privacy outcomes.

A project which underestimates privacy impacts, and as a result makes privacy mistakes or simply gets privacy wrong, can place its overall success at risk by breaching privacy legislation or by not meeting the test of trust and acceptance by the community.

It is therefore in an agency's interests to do a PIA for any projects which involve the handling of personal information.

The Guide has proven itself to be a valuable assessment tool for government agencies.  My Office is seeing more and more policy proposals which have clearly and logically considered privacy implications.

One example is Medicare Australia which is an agency that, as a core part of its business, deals with personal, and often highly sensitive, information.  As they hold the personal information of 21 million Australians, they have established a knowledgeable group of privacy practitioners.  To maintain its culture of good privacy practice, the Chief Executive Instruction requires that:

"A Privacy Impact Assessment must be completed for all new projects, and for any other activities involving significant changes to the way we collect or use personal information, unless otherwise authorised by the Chief Executive Officer or Deputy Chief Executive Officer".

From my Office's experience of working with agencies like Medicare Australia, we have seen that PIAs enhance good privacy practice - not just compliance with the Privacy Act.  From a business perspective, personal information is seen as a valuable 'resource' - therefore it should be appropriately protected and properly managed.

Consistent use of a PIA can evolve an agency's privacy culture, as has been the case with Medicare Australia.  The use of PIAs has made the agency more privacy savvy - privacy is now built in, rather than bolted on.

Generally, it is the significance or scope of a project, and the extent to which a project involves the collection, use or disclosure of personal information, which will indicate the importance of doing a PIA, and the level of detail that may be required.

Not every project will need a PIA.  Agencies will be in the best position to assess whether a PIA is necessary or desirable, and the level of detail that may be required.  Sometimes a number of PIAs may be needed throughout the development of a project.   

It is always better to assess and address privacy at the beginning of the project - it can avoid costly retro-fit such as redesigning systems, retraining, implementation delays, and legislative amendments. 

While there is no formal role for my Office in the development, endorsement or approval of the PIAs, we may be able to assist agencies with advice on privacy issues arising throughout the PIA process.  The PIA Guide is available on the Office's website.

PIAs are a powerful resource for the prevention of a privacy complaint, but sometimes even the best prevention efforts don't stop data breaches from occurring.

... Which brings me to the fourth scenario:

Scenario 4 - Information Security Breach

The mishandling of personal information is not a problem to be taken lightly.  That's why I place so much importance on policy development - it offers a preventative measure to make agencies and organisations aware of the ways they can avoid the mishandling of personal information.

Unfortunately sometimes information security breaches can, and do, occur.

Recent high profile data breaches around the world have also brought the issue to the fore, and when they happen they can attract significant media coverage.

In October 2007, Her Majesty's United Kingdom Revenue and Customs Department lost two disks containing the personal information of 25 million individuals while transferring the disks by courier to another agency.  The disks contained a full copy of the department's database on recipients of a government benefit, including names, addresses, dates of birth, and bank account details.  The disks were password protected but not encrypted.[3]

This breach should give anyone who handles personal records at work pause for thought.  It reminds us just how serious information security is for our agencies and for consumer trust.

In the case of the two missing Revenue and Customs disks, an assessment undertaken by the University of Portsmouth revealed that 50 percent of the data sent on the two disks was not required by the recipient agency and removing the unnecessary personal and banking details on the disks would have cost just £650 (approximately AUD $1,370).[4]  This relatively small preventative cost could have saved the huge costs incurred by the UK Government to contain and respond to this breach.

In January, another data breach rocked the UK.  A laptop left in a parked vehicle overnight was stolen. It contained the personal information of 600,000 individuals who joined, or expressed an interest in joining, the defence force.  The information included bank account, passport, drivers licence and family details.[5]

There are a few important points to be made about these incidents.  First of all, both of the UK information security breaches involved the loss of a portable device such as a disk or a laptop.  I think many of us think that a security breach involves a criminal hacking into a system and stealing information.  These examples tell a different story.

Studies done in the UK show that lost or stolen laptops and other mobile devices actually account for 36 percent of data security breaches while actual technical attacks (such as hacking activity or malicious code) accounted for just 9 percent.  Surprisingly, 24 percent of data security breaches related to lost or stolen paper records and 12 percent involved data lost by contractors or third parties.[6]

What can we learn from these breaches?

Examples of information security breaches are not limited to the UK - Australia is not immune.  There is a lot that we can learn from these incidents.  

  • Personal information shouldn't leave the premises unless absolutely necessary.
  • Measures should be in place to stop such large amounts of information being downloaded onto a single disk.
  • Protocols should cover how personal information is transferred and how portable storage devices are used and staff should be trained in these protocols.
  • Personal information held on portable devices should be encrypted.

Measures like these are likely to fall within your agency's obligations under the Privacy Act to take reasonable steps to safeguard personal information.

New technologies, such as mass storage devices, allow ever greater amounts of information to be stored, transported and transferred.  The convenience of these technologies has a down side though.

As in the case of the UK data breaches, a disk or laptop containing large amounts of personal information can be lost or stolen much more easily than a whole warehouse of paper files.  So a trend we are seeing is the emergence of extremely large information security breaches the likes of which would not have happened in a world of paper records.

This is not to say that paper records are safe from loss, theft or misuse.  As the statistics indicate, security breaches involving paper records account for 24 percent of all information breaches.  While the scale of these breaches will often be smaller, the impacts on affected individuals can still be significant.

Breaches can result in financial loss and identity theft but also can result in the embarrassment or humiliation of the individual, or violence towards the individual.

The mishandling of personal information is a serious problem, with consequences for the individuals affected as well as the agency or organisation involved.  

Voluntary Information Security Breach Notification Guide

In response to requests for advice from government and business and the high profile overseas breaches, my Office has developed a draft Voluntary Information Security Breach Notification Guide. 

The draft was released for consultation in April.

It draws on similar guidelines produced by privacy authorities in Canada and New Zealand.  However, there are some differences.

In our draft guide, we suggest a working definition of 'information security breach' as being an incident in which personal information is exposed to unauthorised access, use or disclosure as a result of a breach of an agency or organisation's information security arrangements.

Another difference is that our Guide highlights the importance of preventative measures to ensure a breach doesn't happen in the first place.  I hope that DBCDE has protocols in place for handling portable devices and has measures in place to contain a breach.

Although there is some uncertainty as to the prevalence of information security breaches, a recent survey of IT manager and executive attitudes from a range of countries showed that 46% of respondents expect a serious data loss at least once a year.[7]

These kinds of figures indicate that, although prevention should be the primary aim, with the apparently high risk of information security breaches, agencies and organisations need to be prepared.  Proper breach management, including notification where appropriate, will assist agencies or organisations to retain the trust of the individuals whose information is improperly released, and help those individuals to protect their information.  Where poorly handled, the damage to customer trust can be serious and irreparable.

The Guide is available on my Office's website.  We are reviewing the consultations and hope to release the revised Guide in Privacy Awareness Week which is the last week in August.

When it is finalised, the Guide will assist those with privacy obligations to be prepared and to respond effectively to an information security breach and to determine when it is appropriate to notify affected individuals about a breach.

Breach notification - to notify or not to notify...

So when is it appropriate to notify customers of a breach?  Is it always appropriate?  Notification will not always be the appropriate response to an information security breach, and agencies and organisations will need to assess on a case-by-case basis whether notifying customers is the best course of action.

This is not always an easy judgement to make.  Notifying customers of every tiny 'blip' in the overall security of their personal information would generate undue anxiety among customers when actual risks to the information are minimal. Frequent reporting of low risk breaches could cause customers to become de-sensitised to information security breaches and blasé about taking further steps to protect their information.

On the other hand, notification could give individuals an opportunity to take positive steps to lessen any risk, such as changing bank account details or checking credit reports. 

Failing to notify customers of a serious breach to the security of their personal information could leave individuals vulnerable to fraud, theft or humiliation.  So agencies need to be circumspect in their response to a security breach.

My Office is not seeking to quantify a threshold number of records which should be used to indicate when notification should occur.  Depending on the type of personal information involved, even breaches of a small number of records may pose large risks to affected individuals.

Once again, for agencies, the issue remains one of trust.  As I mentioned earlier, my Office's community attitudes research showed that government departments enjoy high levels of trust amongst individuals when it comes to the handling of personal information.  A major information security breach could erode that trust in an instant, when handled in the wrong way.

It is important to note that this draft guide is a voluntary data breach notification guide.

Mandatory breach notification is being considered by the Australian Law Reform Commission (ALRC), as well as being a hotly debated topic currently in other countries and jurisdictions.

3.  The future of privacy law

The past 20 years has seen technological developments and the increased interconnectedness of the global economy, through to changing social attitudes and ever better informed consumers.  Our personal information can be transferred at a much more rapid and global rate than anyone would have anticipated in 1988, when the Privacy Act was introduced.

2008 marks the 20th anniversary of the Privacy Act, so it seems fitting that it is also the year that the Australian Law Reform Commission (ALRC) has finalised its report on its review of privacy laws in Australia.  After 2½ years, the ALRC has delivered its final report to the Government, and we are waiting for it to be tabled in Parliament and publicly released. Any actual changes to the law are likely to be some way down the track.

However, there are some things that are certainly likely to be recommended by the ALRC which will impact upon the public service.  Whether these are adopted by Government and then the Parliament is another matter.  But these include:

  • One set of principles - ie, the IPPs and NPPs will be combined
  • Mandatory breach notification to individuals in certain circumstances
  • PIAs to be mandatory for all federal government projects or policy proposals that involve significant amounts of personal information.

During the review, the ALRC has supported the idea of mandatory notification of information security breaches and in its discussion paper, proposed that the Privacy Act be amended to include a new Part on data breach notification. This new Part would require agencies and organisations:

...to notify the Privacy Commissioner and affected individuals when specified personal information has been, or is reasonably believed to have been, acquired by an unauthorised person and the agency, organisation or the Privacy Commissioner believes that the unauthorised acquisition may give rise to a real risk of serious harm to any affected individuals.[8]

In principle, my Office has agreed with the ALRC's proposal. However, rather than create a separate part in the Privacy Act for breach notification, we have suggested that breach notification provisions be incorporated into the proposed security principle in the Privacy Act.

Another matter in privacy law development has to be recognition of the Internet economy.

As most of you know, Communications Ministers from OECD member countries met in Korea recently to discuss the future of the Internet.

We all know how the Internet has impacted on the day-to-day lives of Australians, as well as the global community. The global transfer of information is, quite literally, at our fingertips. The impact the Internet has had is unprecedented.  Privacy was also a major theme at the meeting.

As one of the Privacy Commissioners present at the conference, I wasn't surprised that privacy was consistently mentioned in every stream of discussion.   Senator the Hon Stephen Conroy chaired the main conference session on "Building Confidence" and emphasised privacy issues as a factor in holding back the take-up of e-commerce.

I understand that for online identity management and general online consumer protection, privacy is a key consideration for people - perhaps even the main consideration.  If a consumer trusts a website and has confidence that reasonable security measures are in place to protect their personal information, they will likely participate in the online interaction.

So in your policy developments I urge you to remember that:

"Personal information... is the stuff that makes up our modern identity.  It must be managed responsibly.  When it is not, accountability is undermined and confidence in our evolving information society is eroded."[9]

Conclusion

Managing individual privacy in a changing world is not new. The technologies may have changed, but what hasn't changed is that we continue to value privacy as a necessary condition for living an independent, fulfilling and dignified life.

I've talked about the challenges that we face in ensuring that the privacy of all Australians continues to be respected, but the reality is that I am encouraged by the measures organisations and agencies take in promoting good privacy practice.  This trend has been a driver in my Office launching a new initiative this year - the Australian Privacy Awards and Australian Privacy Medal.

The Awards are aimed at encouraging, recognising and rewarding agencies and organisations that engage in good privacy practices. There will be four Award categories: Government, Corporate and Large Business, Small-Medium Business and Community.  A Grand Award will be given to the most outstanding entrant from one of these categories.

The Government category will be open to any government agency in Australia at a local, state or national level.  The agency must be able to demonstrate a high standard of privacy practices and/or promotion of privacy messages through a project or initiative it has engaged in, or an organisational system it has adopted.

The winners will be announced at a gala dinner during Privacy Awareness Week, which occurs from the 24th to the 30th of August this year.

Privacy Awareness Week is an annual promotion by the Asia Pacific Privacy Authorities (APPA) group which includes privacy commissioners from Australia (including New South Wales, Victoria and the Northern Territory), Canada (including British Columbia), Hong Kong, Korea and New Zealand.

The week is an opportunity for governments, business and individuals to promote privacy awareness.  I encourage you to visit the website http://www.privacyawarnessweek.org/ to see how you can promote Privacy Awareness Week in your department.

But finally I conclude by noting privacy is something we all can identify with and unfortunately often we do not value it fully until it's gone.

The Australian Bureau of Statistics recently released a survey which showed that Australians lost almost $1 billion to fraud and scams in 2007 and that nearly 6 million Australians were exposed to email scams.  This was consistent with my own Community Attitudes Survey, which found that over 9 per cent had been the victims of identity theft.

As public servants we have a duty to ensure that we balance a growing and vibrant digital world with appropriate privacy protections.  Australians deserve that we get the policy settings right.

Thank you.

[1] A well established typology of different forms of 'privacy' is:

  • Information privacy - involving rules for the handling of personal data
  • Bodily privacy - protection of our physical selves against invasive procedures
  • Privacy of communications - security and privacy of mail, telephones etc
  • Territorial privacy - setting limits on intrusions into domestic and other environments.

See Banisar D, 2000, Privacy and Human Rights: An International Survey of Privacy Laws and Developments, Electronic Privacy Information Center, Washington DC. Available at www.privacyinternational.org/survey/.

[2] IPP 10 - Limits use of personal information. In this case, there was no consent; the information wasn't necessary to prevent or lessen a serious threat to the life or health of an individual; wasn't required or authorised by a law; wasn't needed to prevent a serious crime or protect public revenue; and the information wasn't directly related to the purpose for which it was collected.

[3] See BBC Online, Timeline: Child Benefits Records Loss, http://news.bbc.co.uk/2/hi/uk_news/politics/7104368.stm (accessed 28 February 2008).

[4] University of Portsmouth, Removal of sensitive child benefit data would have cost £650, 19/12/07, http://www.port.ac.uk/aboutus/newsandevents/frontpagenews/title,73969,en.html.

[5] See BBC Online, More MoD laptop thefts revealed, http://news.bbc.co.uk/2/hi/uk_news/politics/7199658.stm (accessed 28 February 2008).

[6] Computerworld, Lost laptops, mobile devices account for most UK data leaks, 26/2/08, http://www.networkworld.com/news/2008/022608-lost-laptops-mobile-devices-account.html.

[7] Symantec Corporation, IT Risk Management Report 2: Myths and Realities - trends through December 2007, Volume 2 (January 2008), http://www.symantec.com/riskreport.

[8] Proposal 47-1, Australian Law Reform Commission, Discussion Paper 72: Review of Australian Privacy Law, September 2007.

[9] Cavoukian, A, Privacy in the Clouds - A White Paper on Privacy and Digital Identity: Implications for the Internet, 2008, page 3.