Site Changes
- Note 1: Major changes to the Privacy Act 1988 will come into effect in March 2014. Agencies, businesses and not for profits need to start preparing for these changes. For more information go to our privacy law reform page at www.oaic.gov.au
- Note 2: From 12 March 2013 content is no longer being added to, or amended, on this site, consequently some information may be out of date. For new privacy content visit the www.oaic.gov.au website.
Privacy: Let's shout it from the rafters
Speech by Karen Curtis, Privacy Commissioner, to the International Association of Privacy Professionals, Shangri-La Hotel Sydney, 27 August 2008
Introduction
I thank the ANZ chapter of the IAPP for the invitation to speak today.
While we may all come from different sectors, we are a group of people with one important thing in common. We are interested in privacy - or otherwise you wouldn't be here. Some of us have worked extensively in the area and some are relative newcomers to it.
Consistent with our Strategic Plan, I want to work with networks like the IAPP to ensure that the privacy of all Australians continues to be protected and respected.
This meeting of minds happens at a most opportune time for privacy, as this week is Privacy Awareness Week.
In my four years as Privacy Commissioner, I have maintained a common theme in all that I've written and said: that privacy is simply about balance, common sense, choice and respect.
Privacy is something we can all identify with, but unfortunately, many do not value it until it's affected in some way. Privacy is too often taken for granted.
But the fact is that privacy is an integral part of our day-to-day existence. Every day we make decisions that involve our personal information - whether it's how we interact with others, or how we receive goods and services from business and government.
We manage the boundaries between our public and private selves, and we decide what information we will share about ourselves and when we will hold information back.
But while it is integral to our very existence, we don't celebrate privacy like we should.
So during Privacy Awareness Week, I say we should shout privacy from the rafters!
Today I want to do four things:
- Give a brief overview of the law and my Office
- Outline some of the changes I have witnessed during my time as the Australian Privacy Commissioner
- Give you my views on what business should expect of future privacy regulation in Australia and
- Promote Privacy Awareness Week and the Inaugural Privacy Awards.
1. Overview of federal privacy law
Most of you are probably well aware of the law, but it never hurts to have a refresher, and for those not so familiar with Australian privacy, it will put some of my other comments in context.
Coverage
The Privacy Act covers all of us within Australia.
Very few of us wouldn't interact with the health, telecommunications or financial sector or the ATO or Medicare!
The legislation protects personal information that is handled by federal and ACT Government agencies, private sector organisations with an annual turnover of more than $3 million, and all health service providers (regardless of turnover).
The Act also regulates the reporting of individuals' credit information and tax file numbers.
Except for the ACT, the Privacy Act does not cover State or Northern Territory agencies (including universities).
In some cases, these jurisdictions have their own privacy laws.
As I shall discuss later, addressing the complexities and overlaps between Federal, state and territory privacy laws is a key issue for privacy law reform.
The Privacy Principles
Except for the credit provisions, the Act is not prescriptive or black letter law.
The Privacy Act has two sets of general principles.
Since 1988, 11 Information Privacy Principles (IPPs) have governed the way Federal and ACT Government agencies have handled personal information including its collection, use and disclosure, security and destruction.
Since 2001, the Act has included 10 National Privacy Principles (NPPs), which regulate the way private sector organisations collect, use, disclose and store personal information.
The NPPs are similar, though not identical, to the IPPs. For example, they include obligations about trans-border dataflows, data retention, and provide specific regulation of sensitive information, such as health information. Having two sets of principles is not ideal and the time has come for them to be merged into one set.
Meaning of 'personal information'
Privacy in Australian law is primarily about information or data protection, rather than bodily or territorial privacy. The boundaries of 'information privacy' are determined by the meaning of 'personal information'.
The Privacy Act does not list what is 'personal information'.
The definition of personal information refers to:
information or opinion about an individual whose identity is apparent or can be reasonably ascertained.
This idea of what can be 'reasonably ascertained' is significant.
Clearly, whether an individual's identity can be ascertained depends on the context in which the information is held.
With newer, smarter technologies it becomes more difficult to assume that the identity of an individual cannot be ascertained from particular types of information that superficially may appear to be de-identified.
Indeed, in the digital age, information about individuals can now be much more easily captured, aggregated and much more widely distributed than ever before.
The Role and Office
My role as Australian Privacy Commissioner is primarily to administer the Privacy Act 1988.
My Office has 65 staff and most of those are in Sydney.
Our strategic plan articulates our vision as an Australian community in which privacy is valued and respected.
Our purpose is to promote and protect privacy in Australia.
Our functions are outlined particularly in section 27. Perhaps most fundamental for a regulator are our statutory functions in relation to complaint handling and investigation.
Where possible, my Office has a facilitative approach. We work with agencies and organisations to encourage compliance.
In resolving the 1,200 or so complaints received annually, we attempt to conciliate an outcome that is acceptable to both parties.
The Privacy Commissioner also has an educative role - to encourage the adoption of privacy standards more broadly across our community, and an advising role - to give advice to federal and ACT Government agencies, and the private sector, about privacy.
It was Parliament's clear intent, consistent with international instruments, when enacting the Privacy Act that the Privacy Commissioner recognises that the right to privacy is not absolute.
Privacy must have regard to other important and sometimes competing rights and interests such as the right to free speech and the right of business and government to achieve objectives efficiently.
In pursuing our functions - promoting, educating, advising or regulating - my approach as Commissioner has been to administer privacy law so it is about common sense, courtesy and respect.
Privacy should be an enabler and enhancer and not seen as a burden for either business or government.
Indeed, for all those with obligations, 'good privacy is good business'.
Reflections of the Privacy Commissioner
So now I've given the overview, what have I seen in four years?
Now four years is long enough to do a double degree at University and indeed enough time to invest in sport to make sure we beat the UK at the 2012 Olympics!
On reflection there are four things that I think are worth noting about the last four years.
Advances in technology
Technology - its development and uptake - is a significant change.
Even in just four years, the way in which we exchange personal information has grown to an unprecedented level.
Some examples:
- Internet subscribers: In September 2003, there were 5.2 million active internet subscribers in Australia, and in December 2007, there were 7.1 million. The rate of Broadband Internet connections increased from 16% of Australian households in 2004-05 to 43% in 2006-07.
- Mobile telephones: At the end of 2003, there were 14.3 million mobile telephone subscribers in Australia and at the end of 2007, there were 21.1 million mobile telephone subscribers.
- SMS messages: In 2003-04, 13.7 million text messages were sent in Australia. In 1987 there were none (when mobile phones were first introduced and cost over $4,000). In 2006, 10.2 billion text messages were sent in Australia. Seven years ago, when text messaging began, only 642 million were sent (2000-2001).
- Social networking sites: Facebook has 132 million visitors worldwide. MySpace has 113 million. Facebook has experienced a 153% growth rate in the last year. Global usage of social networking sites has grown 25% since June 2007.[1]
- Skype (software that allows users to make telephone calls over the internet): Six people download Skype every second. Skype to Skype minutes in Q4 2006 alone totalled 7.6 billion minutes. Founded in 2003, in September 2005, Skype had 54 million registered users and today it has over 171 million registered users worldwide.
We could go on but I'll just mention one more.
With developments like Google Streetview, you can see the Prime Minister's home, rather than his official residence. In fact, if you picked up The Australian a few weeks ago you could also have seen where I live. You may also have noticed that my gardener was on holidays.
You can go on a social networking site such as MySpace or Facebook and befriend someone on the other side of the globe with the click of a mouse and share your personal information with someone you may not know that well at all, without even leaving your house.
Our personal information can be spread at such an unprecedented rate that sometimes we are unaware of any risks and consequences.
But while the developments have been occurring particularly on-line, our Community Attitudes Surveys in 2004 and then again in 2007 show that people are also becoming more savvy.
People are taking steps to secure personal information. The rise and recognition of 'phishing' attacks make many of us take extra care when banking online. More of us use anti-spyware, anti-spam and anti-virus software on our computers. We change passwords regularly and don't leave them lying around. We cut up credit cards once they have expired. We shred our receipts and accounts.
We value privacy and safety from identity theft, and we take steps to protect ourselves.
But there's still more that individuals can do to take responsibility for themselves!
2. Cultural change in the Public Sector
Without doubt, the Office has been increasingly seen by Government departments and agencies as part of a solution rather than as part of the problem.
We have been asked for advice by many departments - we've been involved in the policy development and cabinet processes in a much more coherent and regular fashion.
The release of our draft Privacy Impact Assessment Guide in 2005 and the final in 2006 has had a very positive effect.
Privacy has become more embedded in the culture of departments.
Indeed I think more senior people are aware of privacy and are keen to meet their obligations than ever before.
The celebration of Privacy Awareness Week (now for the third year) has probably been most successful in the public sector.
We find many departments and agencies having events and distributing material to staff.
Indeed, this year we had orders for over 50,000 Privacy Principles bookmarks.
3. Cultural change - Good privacy is good business
The third area is a change in perception and reaction by business.
It is probably fair to say that since 2004 business has better embraced privacy regulation.
Witness today's launch of the IAPP!
In July 2004, it had only been 2½ years since the private sector provisions had come in.
So regulation was relatively new.
While new regulation is generally seen as a burden or a hurdle, I feel the business community is increasingly seeing 'good privacy as good business'.
Again the launch of the ANZ chapter of the IAPP is indicative of the greater commitment by organisations to meeting their obligations, and the recognition of privacy as part of meeting their customers' expectations, achieving brand advantage and improving the bottom line!
I don't think an IAPP would have been viable in Australia in 2004.
4. Robust relationships
The fourth area of change is I think our Office has more and better networks with our stakeholders.
It is easier to do because we've really virtually doubled in size, but it is also a key focus of our strategic plan.
We call them our robust relationships.
It means for the most part we can disagree, and the relationship doesn't break down irretrievably.
These relationships occur in a number of ways:
- a well-functioning and active Privacy Advisory Committee
- in the form of non financial and financial MOUs with key departments
- MOUs with like bodies such as the NSW and NZ Privacy Commissioners' Offices and also with the Ombudsman
- virtual networks created through our website
- public consultation on the development of key material like our recent guide on handling personal information security breaches; and targeted consultation on information sheets
- twice yearly meetings with privacy and consumer advocates
- a vibrant PCO network for the public sector
- our privacy connections network where we hold forums for the private sector
- Recently, my Office tried something new. We conducted a series of workshops with the insurance sector about privacy obligations. It proved to be successful and we hope to now work with different sectors
- commitment to the APPA forum including providing the Secretariat
- Active involvement in the implementation of the APEC Privacy framework; and finally
- the establishment of the IAPP ANZ Chapter is another example of engagement with networks.
Working with others - either informing or influencing - helps us achieve our vision - an Australian community in which privacy is fully valued and respected.
The future for privacy law
I've just reflected on how much change I have seen in just over four years as Privacy Commissioner.
Imagine the changes since the Privacy Act was enacted in 1988.
With 2008 marking the 20th anniversary of the Privacy Act, it was timely that it is also the year that the Australian Law Reform Commission (ALRC) has finalised its report on its review of privacy in Australia.
After a two and a half year review, the ALRC's report was released by Senator the Hon. John Faulkner on 11 August.
The review is a once-in-a-generation opportunity to review the effectiveness of privacy regulation in Australia and I welcome the release of the final report.
I know that David Weisbrot is going to give you a comprehensive overview of the ALRC recommendations, so I don't want to encroach on that.
However, what I want to do, is give you some food for thought.
Privacy law is evolutionary. In the 21st century, we live in an age of developing technology, globalised information exchange, ease of travel, increased public surveillance and heightened national security.
Laws must be kept up-to-date and relevant to ensure that proper protections are afforded to the privacy of personal information. In a modern democratic society like ours, it is unlikely that any privacy protection would be diminished.
I want you as privacy professionals to start thinking about what the implications could possibly be for your business or agency.
I make it clear that I am not pre-supposing the deliberations of the Government as it develops its whole of Government response, nor am I wanting to usurp the role of Parliament and its committees, but I do think the following is inevitable.
Any laws, including privacy law, should evolve to reflect society's expectations and needs.
Laws should also reflect a recognition that the cost of regulatory burden needs to be weighed carefully. The benefits to our community from having privacy laws must outweigh any costs.
To that end it seems to me that the following are sensible, likely and necessary to privacy reform.
One set of principles
The first eminently sensible idea is a unified set of privacy principles for the public and private sectors.
As I mentioned earlier, it is important not to over complicate privacy regulation. One way that regulatory complexity can be reduced is through the creation of a single set of privacy principles in the Privacy Act.
There is no value in having two sets of principles - the IPPs and NPPs - and there are real potential benefits to be gained by merging these into a single set of obligations.
For example, where an agency undertakes commercial activities, the agency could find it has obligations under both the public and private sector principles and may need to invest significant time and effort in ensuring that its activities meet the requirements of the appropriate set of principles depending on which activity it is engaging in.
Likewise, where a private sector organisation is contracted to undertake work for an agency, it needs to comply with both sets of principles.
Accordingly, having initially made the call for one set of principles in March 2005, I strongly support the ALRC's proposal that the IPPs and NPPs should be brought together into a single set of 11 principles, that would generally apply to both agencies and organisations.
The creation of a single set of privacy principles will reduce compliance difficulties, particularly for those businesses contracting to agencies. Consistency and simplicity of regulation will also empower individuals to understand and exercise their privacy rights.
It seems to me that there are few voices against this sensible proposal. The down side is that those with obligations will need to re-engineer their compliance systems and processes, but overall there is much to be gained for all if we can achieve one set.
National consistency
Secondly, I am pleased to see that the report recommends national consistency in privacy law across all levels of government.
National consistency with other Commonwealth and State laws would minimise government and private sector compliance burdens while maximising privacy outcomes, and allow individuals to exercise their privacy rights without confusion or difficulty.
I note that the ALRC has not proposed that state government agencies should be covered by the Privacy Act.
What the ALRC has proposed, and what I support, is a cooperative federal-state approach in which the amended Privacy Act would form the basis for privacy legislation at the state and territory level.
The ALRC has proposed that this model be given effect through dialogue held within the Standing Committee of Attorneys-General.
I am hopeful that the states and territories can work together with the Commonwealth.
If it does, it certainly will make it easier for businesses that operate across state boundaries.
Breach Notification
Thirdly, I think it is part of the evolution of privacy law that breach notification in certain circumstances is appropriate.
It is consistent with engendering trust with customers and it is also consistent with individuals' expectations.
It also reflects to a large extent what is currently common practice.
I support the idea that if there has been a breach of an individual's personal information, the individual should be notified if there is a real risk of serious harm.
Serious harm can also include non financial harm.
How to determine whether there is a real risk of serious harm will be the challenge.
To that end, my office has outlined in its voluntary Guide to Handling Personal Information Security Breaches which was released on 25 August, some steps which may assist in determining when and how to notify.
I hope that this guide will help inform any future legislative response and I urge you all to use it as appropriate.
Statutory Cause of Action / Tort
Again I think it is inevitable that a tort of privacy or something similar will develop in Australia.
It already has been recognised in lower courts.
The recommendation of the ALRC to have a statutory cause of action for privacy only hastens the development that would have occurred over time.
The ALRC's recommendation has high thresholds:
An action would only exist where there is a reasonable expectation to privacy, where the act or practice would be highly offensive to a reasonable person and where the public interest in maintaining the privacy of the plaintiff outweighs other public interests including freedom of expression.
Whether it ends up being legislative or developed by the courts, I think there will be an action for breach of privacy in Australia - at least before the next ALRC review!
Again I stress, I'm not pre-empting the Government and Parliament response, but given international directions and the support in principle by most for change, my Office expects these four issues are likely to become law at some stage, albeit some years away, and are necessary to ensure Australia's privacy law meets the challenges of the years ahead.
My Office will be assisting the Government in its response to the report's recommendations. I note that the Minister has said the Government response will be phased, with phase one within 18 months to work on a unified set of privacy principles, new technologies, and health and credit.
The challenge for privacy professionals like IAPP members is to be ready for the changes, if and when they come.
The Australian Privacy Awards and Australian Privacy Medal
There are challenges that we face in ensuring that the privacy of all Australians continues to be protected and respected, but the reality is that I am encouraged by the measures many organisations and agencies take in promoting good privacy practice.
To recognise such achievement, my Office launched a new initiative this year - the Australian Privacy Awards and Australian Privacy Medal. And tonight is the gala dinner event (which many of you are attending, indeed some of you are nominees) where the winners will be announced.
The Awards are aimed at encouraging, recognising and rewarding agencies and organisations that engage in good privacy practices.
There will be four Award categories: Government, Large Business, Small-Medium Business and Community.
A Grand Award will be given to the most outstanding entrant from one of these categories.
From businesses to government to NGOs, the range of nominations that we've received for the Australian Privacy Awards has been impressive.
I believe it shows that organisations are increasingly recognising the value that good privacy practices play in building customer relationships.
The dinner will also feature the presentation of the Australian Privacy Medal to an individual who has shown an outstanding level of achievement in the privacy field.
The keynote speaker will be Senator the Hon John Faulkner, Special Minister of State and Cabinet Secretary.
The Awards are sponsored by Symantec (Major Sponsor), Microsoft (Major Sponsor), Clayton Utz (Executive Sponsor), and Australian Finance Conference (Sponsor).
Privacy Awareness Week
All this is part of this year's Privacy Awareness Week. Privacy Awareness Week is an annual promotion by the Asia Pacific Privacy Authorities (APPA) group, which includes privacy commissioners from Australia (including New South Wales, Victoria and the Northern Territory), Canada (including British Columbia), Hong Kong, Korea and New Zealand.
The week is a fantastic opportunity for governments, business and individuals to promote privacy awareness.
See website www.privacyawarenessweek.org for ideas.
This year we also ran a competition for school students to create a two minute video about any aspect of privacy, such as their opinion of its relevance in today's society, how it does or doesn't affect them in their daily life, or perhaps the influence that the internet has had on privacy.
We received some great entries and it was fascinating to get a youthful perspective on privacy. The winner will be announced on Thursday and their video will be available on our website.
In 2009, Privacy Awareness Week will be from the 4-10 May. I encourage you all to start thinking of ways you can promote this event within your own offices.
And I hope that the ANZ Chapter of IAPP will also participate in PAW 2009.
Conclusion
This is a dynamic time for privacy, driven by increased awareness of rights and risks, and new opportunities and challenges posed by technology.
Managing individual privacy in a changing world is not new. The technologies may have changed, but what hasn't changed is that we continue to value privacy as a necessary condition for living an independent, fulfilling and dignified life.
As a group, I want us to rise to the challenges of a changing world and think creatively about how we can encourage a society in which privacy is protected and respected.
Thank you and Happy Privacy Awareness Week. Spread the word!
[1] (Source: TechNewsWorld, 13 August 2008) http://www.technewsworld.com/story/64154.html


