Has Australia outlived its approach to privacy?

Many countries have legislated how their businesses conduct their day-to-day operations. However, for privacy, Australian businesses rely on a principle-based approach using the Australian Privacy Act’s 13 Australian privacy principles.

BUT given today’s data-hungry businesses – has this approach had its heyday? Do the principles and guidance cope with the complexity of today’s world?

In the 20th Century world, it was difficult to share large quantities of data.

The data an organisation had on an individual was largely known, or sensed, using the Office of the Australian Commissioner’s (AOIC) guidance.

That was before today’s mobile phone-dependent, millennial-driven and multi-tasking world, with its data lakes and often indiscriminate sharing of information.

The ease with which data is stored and shared, and the huge value that can be derived from that data, has transformed today’s landscape.

The pace at which data is increasing is astonishing.

Improved data storage models such as cloud, sophisticated analysis tooling, automated decisioning (including AI), and new business models are all driving this. As are platforms and mobile apps that capture data and produce even more.

A scary story

A recent investigative series by Simon Elvery from ABC News’ Interactive Digital Storytelling Unit uncovers some of the challenges. He recorded every time his phone was asked for data over a week – it turned out to be more than 300,000 times. On a single night Simon’s phone made contact with 46 domains!

One search for health information on a state government health site resulted in 14 separate servers run by a variety of companies receiving data about his interest, none of which he consented to. The agency immediately amended its policy once notified.

No wonder that there are daily headlines of breaches in Australia and around the world!

Troy Hunt, a world renown Australian aggregator of data breaches, runs the free service ‘Have I Been Pwned’ which allows users to check if they an account that has been compromised in a data breach. As of early 2019, the number of records in his database runs into the billions.

Can a principle-based approach really counter this?

The speed at which data and new business models that co-operate and share information with each other have proliferated has caught everyone on the hop.

Organisations that used to manage their technology, data access and repositories centrally have had their power usurped in many ways by cloud and Software-as-a-Service (SAAS) solutions.

Employees can often directly use cloud solutions that circumvent traditional control points. Data sharing arrangements can be entered into by many within an organisation, knowingly and unknowingly, by adding features, advertisers and data aggregators/crawlers to organisational websites.

On the consumer side, there is an app for everything. The plethora of apps that we use for business activities, interacting with friends, having fun, listening to music or just chilling collect information on our every move. How this information is disseminated and used, is not well understood.

Consumers at the same time are lifting their expectations of what they expect given the increasing knowledge derived from data breaches and misuse.

So are principles sufficient to safeguard an individual’s privacy, in a world where business and consumers have lost sight of their data and how it’s being used?

GDPR

The European Commission has tried to tackle this issue by bringing in the General Data Protection Regulation, which provides significantly more depth and challenge to collecting, using and sharing data than the guidance principles Australia currently adheres to.

It is clear that privacy cannot be left to the generalist using the existing principles. It needs capability that understands local and global regulation, and how it needs to be applied at a granular level. It needs to cope with the complexity we will in.

It also requires an organisation to have a clear understanding of where personal data are collected and stored, who is processing them, how they’re being used, and how they are shared. And, critically, what the customer has consented to.

Only then can privacy compliance be assessed.

Today this requires the co-operation of privacy, cyber security, and technology specialists, including web, cloud and data specialists, as well as business data consumers and users, and those in the organisation working with third parties. This needs a greater level of understanding and knowledge of how data is being shared and used by third parties.

Finally, the customer needs improved access and user experience to consent and control their future.

If we are to continue to use privacy principles as the main driver of privacy compliance, there will need to a broader remit, with extended guidance to cater for today’s world and the full gambit of data sharing.

This must happen before providing the Office of Information Commissioner with greater powers to ensure the principles are enforced.

Tommy Viljoen, Deloitte National Lead Partner Cyber Risk Strategy and Governance


Want to stay up-to-date?

Stay on trend and in the know when you sign up for our latest content

Subscribe