The Social Agenda: Law Enforcement and Privacy
Speech by Karen Curtis, Privacy Commissioner. Delivered to International Policing: Towards 2020 Conference 2007, 20 November 2007.
Introduction
It's 15 years from now - the 20th of November 2020.
What will be different? How will our lives have changed? As the Greek philosopher, Heraclitus, said around 500BC, nothing is permanent but change itself!
15 years ago the internet was born and the personal IT revolution took off. Our working and personal lives changed dramatically with the IT revolution and advent of the digital age. What will happen in the next 15 years?
It is likely the next revolution will be centred around a convergence of IT, biotechnology, nanotechnology and sensor technology. But how do these technologies affect us from a privacy perspective?
I am not sure I agree with Albert Einstein who said technological change is like an axe in the hands of a pathological criminal!, but these technological changes will affect us simply and yet profoundly - and you don't need 2020 vision to visualise the impact!
There will be increased electronic handling of information, and in particular personal information, and consequently the risk of losing our right to autonomy and choice will be tangible and real. If we are not vigilant we will find ourselves in a society that does not respect our right to privacy.
Whether it is 2007 or 2020, the challenge we face as a society is how to protect the rights of the individual while recognising the collective needs of our community. It is always about balance.
I firmly believe good privacy can be consistent with good business, good national security and of course good policing!
Privacy and other community values on law and order are not mutually exclusive.
I said it when I spoke at the 2nd International Policing Conference in Adelaide in November 2004,[1] that I liked the heading on the CrimTrac website that 'good privacy is good policing' and they still have it and I know they mean it.
Indeed, the site states:
There is a convergence between the interests of Australian police services and adherence to the IPPs. Police services need to be confident that:
- the information held on CrimTrac systems is secure and not open to unauthorised access, use or tampering;
- the information that they are accessing is accurate and up to date;
- their officers are using the information provided through the CrimTrac Agency for the purpose of law enforcement; and
- the systems, policies and procedures that the CrimTrac Agency is implementing will assist in achieving the twin goals of personal information privacy and good policing.[2]
So this presentation is not about the tensions between the needs of law enforcement and the individual's right to privacy, but rather, I'll outline how the information handling practices of the Privacy Act support and complement the important functions of Australian law enforcement, and how I think these will intersect in 2020.
Community attitudes
Crucial to that intersection will be the community's perceptions.
What will the community's expectation be of law enforcement in 2020?
My Office has conducted research into community attitudes to privacy in 2001, 2004 and again earlier this year. 1500 Australians were surveyed.
There were some interesting findings about government agencies and use of personal information:
- When asked whether they believed government departments should be able to cross-reference personal information in their databases for any purpose, some purposes or not at all, 15 per cent of respondents said 'any purpose', 65 per cent said 'some purposes' and 19 per cent said 'not at all'.[3]
- However 77 percent of respondents believed governments should be able to cross-reference personal information to prevent or solve fraud or other crime.[4]
- Among those aware of CCTV cameras (92 per cent), 88 per cent felt it reasonable for the police to have access to footage and 79 per cent were not concerned about their use in public places. [5]
These statistics give us an insight into people's current expectations when it comes to the use of their personal information.
So three-quarters of those surveyed supported the use of personal information to prevent or solve fraud or other crime.
With the increased electronic handling of information that technology will deliver us by 2020, it will be a challenge for law enforcement agencies to maintain that high level of support.
Given that potentially large amounts of personal information could become more available through biometric, DNA based, location detection, surveillance, wireless technologies and of course the internet, it will require a real commitment by law enforcement agencies to good information management practices to maintain that support.
Continuing to get the balance right in the face of technology 'push' will require restraint, respect and rigour.
I'm sure it has been addressed elsewhere in this conference, but apart from greater community awareness, there is likely to be increased media scrutiny as a feature of the landscape by 2020 and this will also impact upon people's expectations.
Coverage of law enforcement agencies under the Privacy Act
So, what is the existing legislative framework and how does that affect law enforcement agencies?
The Office of the Privacy Commissioner administers the Privacy Act 1988, a federal piece of legislation.
The Privacy Act covers the information handling practices of most Australian Government agencies, credit providers and credit reporting agencies, health service providers and businesses with a turnover of more than $3 million.
Intelligence agencies such as ASIO are exempt from the Privacy Act.
In general, federal law enforcement agencies and agencies with enforcement functions are covered such as the Australian Federal Police, the Australian Customs Service and CrimTrac.
State and territory law enforcement agencies are not covered by the Privacy Act. Some states and territories have privacy laws for their public sectors, however operational matters relating to law enforcement are generally not covered by those laws.
Australian federal law enforcement agencies comply with the Information Privacy Principles (or IPPs). These principles regulate how an agency may collect, use, disclose, grant access to, keep accurate and store personal information. Essentially the eleven privacy principles provide a framework for personal information management.
These principles were developed to meet Australia's obligation under the International Covenant on Civil and Political Rights and to implement the OECD Guidelines on handling personal information.
The Privacy Act provides exceptions that recognise the special needs of law enforcement agencies, allowing them to collect personal information broadly and use and disclose it for law enforcement needs.
These exceptions provide an appropriate balance between the needs of law enforcement and respect for privacy.
The Privacy Act also contains another set of privacy principles which covers much of the private sector - the National Privacy Principles (or NPPs).
Amongst other things, the NPPs guide organisations on how they are permitted to release information to law enforcement agencies.
As an aside, it is worth noting that currently there is a review of privacy laws by the Australian Law Reform Commission. It will submit its report to government in March 2008 and so we would expect by 2020 to have a new generation of privacy laws.
Technological challenges
I foreshadowed technological advances, indeed as Commissioner Mick Keelty said in June:
If the pace of change continues at the current rate, then the extent to which we embrace technology between now and 2030 is likely to be beyond our current comprehension.[6]
How does the Privacy Act keep up with all the technological changes?
While technologies might change, the stages of the information lifecycle seem to remain the same: that is, information is collected, stored, used, disclosed, possibly corrected and at some stage destroyed.
Currently under the Privacy Act we have broad based principles and technological neutrality which means as technologies change, the principles can be applied appropriately.
For example in relation to storage, where the privacy obligations include "security safeguards as it is reasonable in the circumstances to take", once this might have meant a physical lock on a safe.
Today, with the increasing availability of technological security measures "reasonable security safeguards" might now include encryption.
In addition to the broad based principles, the Privacy Act is technologically neutral.
An example of technological neutrality can be found in the Privacy Act's definition of personal information:
personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.[7]
Excluding the database reference which is a bit anachronistic, the rest of this definition can be applied to many technologies.
If you want to know whether or not the bits of data you have gleaned from your various sources meet the definition of 'personal information' you have to ask yourself: "Is an identity apparent or can the identity of an individual be reasonably ascertained from this?"
If the answer is yes, then you have personal information.
It may be that when a law enforcement agency collected the original information, for example a mobile phone number, it wasn't personal information but when it was combined with other pieces of information, that mobile phone number became personal information because the identity of an individual could reasonably be ascertained from it.
The Privacy Act does not list what is personal information. With the advent of newer technologies it is increasingly difficult to conclude that the identity of an individual can never be ascertained from particular types of information that superficially appears to be de-identified or not identified.
By 2020 with DNA and biometrics technologies, in particular, there will be increasingly more information available that will make it easier to reasonably ascertain the identity of an individual.
Privacy is integral to policing
Personal information handling underpins all aspects of law enforcement because information is the life-blood of investigation, and I'm sure that will continue to be the case in 2020.
A large proportion of this information will be personal information. This means that the information has significance for an individual and therefore it needs to be treated with care.
Decisions based on poor information can have adverse impacts for individuals and the reputation of law enforcement agencies.
It is obvious a key element of good decision-making is good quality information. This applies to all agencies, businesses and no less to law enforcement.
Implementing high standards of personal information handling will help maintain information quality and deliver better outcomes for law enforcement agencies and the public.
Privacy - in terms of personal information handling - is not peripheral to, but rather integral to all aspects of investigation and law enforcement.
Specific IPPs
I want to look at a few key privacy principles - manner and purpose of collection, storage and security, accuracy, and limits on use and disclosure - that are particularly relevant to law enforcement agencies and suggest how these can be embedded into the operations of a law enforcement agency.
While these principles form part of the Australian Privacy Act they are common across privacy legislation internationally and domestically, and have broader application as a best practice model.
Data quality
Data quality is often the 'forgotten principle'. Discussions about law enforcement and privacy often revolve around the collection and security principles while the principle that requires law enforcement record keepers to check the accuracy of personal information often receives little attention.
But data quality is of particular importance for law enforcement agencies.
In the context of the Australian Privacy Act, IPP 8 essentially says: only use accurate, up to date, and complete information[8] and take reasonable steps to check the information.
If an agency has only fragments of information of unknown accuracy, possibly collected a long time ago and not updated, its decisions based on that information may not always be ideal.
Law enforcement officers frequently have to make critical decisions in tight timeframes and rely on the accuracy of the information they have at that time.
Therefore to be really valuable, the information that is stored should be as up-to-date and as accurate as possible for use at a moment's notice.
What is reasonable when it comes to checking information?
The extent to which an agency must check the quality of personal information it intends to use depends - the more serious the consequences of the personal information being inaccurate, out of date, or incomplete, the more reasonable it is for the agency to check the information before using it.[9]
What information is complete?
Complete information gives a true picture of the facts and helps agencies to make correct decisions (for example, when providing benefits or services to people). Without the proper context, incomplete information is likely to mislead people.
For example: a law enforcement agency has produced an intelligence report showing that on several occasions in June 2007, Mr Big, a major target, phoned a certain individual. Let's call this individual 'Harry'.
Harry now appears on the system linked to Mr Big.
Further checks on Harry would reveal that:
- While the phone is in Mr Big's name, Mrs Big also uses it.
- Harry is a local vet.
- Mrs Big has a dog that was run over in June 2007.
If this additional information is not added to Harry's records, you can see how a mistaken inference might be drawn about the known relationship between Harry and Mr Big (or possibly Harry and Mrs Big).
The accuracy of the information should travel with the information
When undertaking an investigation, law enforcement agencies are likely to draw on a range of different information from a range of different sources, and some pieces of information will be more reliable than others.
Agencies should ensure that the level of reliability of the information stays with the information as it passes through the hands of different investigators.
For example, if the source of the information is a somewhat unreliable informant, then this fact should travel with the information wherever it goes and should be apparent even when put together with other known facts.
This is particularly important as Australia moves towards interconnectivity of databases between law enforcement agencies.
One can imagine how easy it would be for a piece of hearsay to be taken as more reliable than it really is because the status of the information - its accuracy, completeness or reliability - has been lost.
Poor old Harry the vet could suddenly find that there are reports floating around to other agencies in Australia and abroad, in which he has been positively identified as a 'known criminal associate of Mr Big'. Now he can't get a visa to visit certain countries.
This is why it is vital for law enforcement agencies to use accurate, up to date and complete information - because frequently the possible adverse impact on the individual of acting on inaccurate information is great.
Storage and Security
With the move to 'interconnectivity' between law enforcement agencies, appropriate storage and security of personal information increases in importance.
To ensure that the information is stored and handled in a secure way and remains accurate and of high quality, appropriate mechanisms including continual reassessment and destruction schedules should be in place to protect information against loss, unauthorised access, use, modification, disclosure or other misuse.
Again, in the Australian context, the Commonwealth Protective Security Manual also sets out standards for protective security including physical and computer security.[10]
Staff should be trained in good security practices and the agency should have a detailed security policy.[11]
Collection
A law enforcement agency does not always have to know exactly what it will use personal information for when it collects it. It can collect personal information that is generally related to intelligence purposes, not just a specific purpose. However, it must have good grounds for believing that this kind of information will help it in its functions.
Generally, the principles that agencies need to keep in mind when it comes to collection are: collect information in a lawful and fair manner and only collect the information that you need.
The 'lawful and fair manner' aspect of collection is relatively straightforward, but determining 'what you need' can be a lot trickier.
In an age where technology makes the collection of 'data' quicker and easier, it would be tempting for law enforcement to gather as much of it as possible. The problem of turning it into usable information and intelligence is the real challenge.
If you think of law enforcement in business terms, that is, of producing a high-quality product, you need the right information, at the right time, at the right cost.
Collecting vast amounts of raw information, while having limited resources to analyse it, in the hope that it might one day be useful is not cost effective and is going to decrease the chances of producing high-quality products today, and in 2020.
Certain types of personal information have a limited shelf life. Hanging on to unprocessed personal information will inevitably reduce its quality.
I understand that new developments in the field of data analytics will soon be able to automate the analysis of raw data into useful information. But that time has not yet arrived.
So ask yourself:
- Do we really need it? and
- If we collect it how are we going to handle it?
- And now that you know he's the local vet, do you need to keep all that information about Harry's phone calls?
Use and Disclosure
As I mentioned earlier, our community attitudes research showed people's expectations about the use of personal information by government agencies.
Law enforcement agencies are empowered to collect information under their enabling legislation and other related laws. With these powers comes the responsibility to handle this information sensitively.
Many law enforcement agencies can collect information without adhering to the usual notification requirements.
Therefore, if law enforcement agencies want to continue to build and enhance community trust, it is important that they only use personal information for well-defined purposes and only disclose to authorised entities.
Under the Australian Privacy Act, disclosing personal information is covered by IPP 11 - information can not be disclosed to any entity (except the individual) unless one of five exceptions applies.
For example, many of the uses and disclosures used by law enforcement agencies fall under the 'required or authorised by or under law' exception.
Another exception to the instances in which personal information may be used and disclosed by law enforcement agencies is where the use or disclosure 'is reasonably necessary for the enforcement of the criminal law or of a law imposing a pecuniary penalty, or for the protection of the public revenue.'[12]
Conclusion
I have tried to demonstrate that good privacy is good policing, now and into the future.
Incorporation of privacy principles by law enforcement agencies into the information handling process enhances data quality and the reliability of decision-making.
Against a backdrop of technological advances, adherence and commitment to privacy will at the same time minimise the privacy impact on individuals, and law enforcement agencies will continue to enjoy the trust and respect of the community.
So in 2020, we will all have evolved. I think both privacy protection and law enforcement will continue to be co-existing and that 'achieving the twin goals of personal information privacy and policing' as articulated by CrimTrac will be ingrained and well-established.
Both law enforcement and privacy will be valued for after all, as Charles Darwin said:
It is not the strongest of the species that survives, nor the most intelligent, but the ones most responsive to change.
Thank you.
[1] http://www.privacy.gov.au/materials/types/speeches?sortby=60
[2] http://www.crimtrac.gov.au/privacy.html
[3] Community Attitudes to Privacy 2007, Wallis Consulting, available at http://www.privacy.gov.au/aboutprivacy/attitudes/#1b, p 40.
[4] Ibid. p 41.
[5] Ibid. p 74.
[6] http://www.afp.gov.au/media/national_media/national_speeches/2007/pearls_in_policing_conference
[7] Privacy Act 1988 (Cth), Section 6, Interpretation Part II, p. 15
[8] A record-keeper who has possession or control of a record that contains personal information shall not use that information without taking such steps (if any) as are, in the circumstances, reasonable to ensure that, having regard to the purpose for which the information is proposed to be used, the information is accurate, up to date and complete.
[9] See Plain English Guidelines to Information Privacy Principles 8-11, pp 15-16.
[10] Plain English Guidelines to the Information Privacy Principles 4-7, p4.
[11] Plain English Guidelines to the Information Privacy Principles 4-7, p5.
[12] See IPP 10.1(d) and 11.1(e)


