Commissioner Curtis says Australia's law firms, many of which set up large privacy compliance practice groups in advance of the legislation coming into force, also found a trickle rather than the anticipated flood of business from companies wanting compliance support. She herself, when running the Australian Chamber of Commerce and Industry (ACCI) privacy initiative prior to becoming privacy commissioner, bought an off-the-shelf privacy compliance CD-ROM and established a privacy regime without any external support.
Privacy turned out not to be the lawyers' playground some had expected.
Although some privacy advocates argue that the present regime is soft on corporations and pays scant attention to complaints of consumers, Curtis claims for the most part they try to conciliate between business and the complainant. "Maybe there is an apology or the organization fixes the information. Sometimes the organization pays a sum of money. Few go to court," she says.
The Act allows for any determinations made by the commissioner to be enforceable in the Federal Magistrates Court. There have been nine determinations during the history of the Act, but none since Curtis became commissioner. "By and large we don't receive a lot of complaints," Curtis says. (There were 1275 complaints during the last financial year, 1276 the year before.) "The lack of complaints might not equate to complete happiness but you could not say there is a flagrant breach of privacy."
She says that in most cases it is in business's best interests to resolve complaints as soon as possible in order to keep a customer and avoid brand damage. "You've got the power of the shock jocks and the Current Affair-type programs - they can do a lot of brand damage", if a company flagrantly breaches its customer's rights.
While acknowledging that the financial sector remained the most complained about under the privacy regime, compared to the sheer volume of transactions, there were relatively few complaints, she says.
"I believe that larger businesses and those that deal with personal information have done remarkably well," Curtis says. "It's the SMEs that don't do it quite as well." As part of her review she has called for the scope of the Privacy Act to be expanded somewhat so that small businesses, which are currently exempt if their revenues are under $3 million, should only be exempted if they have fewer than 20 staff. She has also called for all ISPs to be covered by the Privacy Act given the amount of personal information that flows through them.
Review and Refresh
Although relatively pleased about the approach of big business to privacy, Curtis is concerned now that some organizations may take for granted their five-year-old privacy regimes, and not review and refresh them as regularly as they ought. Similarly she believes consumers should be reminded of their rights to privacy. There are, she believes, benefits available to corporations that pay better attention to privacy. In its submission to the 2005 review of the Act, Telstra agreed.
"The significant financial cost to Telstra in taking steps to comply with the Privacy Act has been offset by the value to Telstra of the improved systems and processes and from a brand perspective," Telstra reported. That said, Telstra is not keen to make further changes as it believed any significant changes to the 10 National Privacy Principles that underpin the privacy regime would increase the cost of compliance, and as a consequence changes arising from the commissioner's review of the Act should be kept to a minimum.
Changes are, however, now being considered. One of the 2005 review's recommendations was for an inquiry into the current regime, to explore whether it was effective given rapid technological advances such as ubiquitous Internet access, and the rise of offshore processing centres that collect personal information. That recommendation has been accepted and in January this year the government announced that the Australian Law Reform Commission (ALRC) would investigate the current regime.
Before CIOs get all hot and bothered about another round of privacy compliance costs, however, bear in mind that the ALRC is not due to report to the federal government until 2008.
Until then it is business as usual.
SIDEBAR: Turn of the Smartcards
Big Brother is set to watch over you
Australia's big new privacy bogey is the government's access smartcard, which from 2010 will be the only way to access health or welfare services benefits. Progressively phased in from 2008, the smartcard will replace 17 existing card or voucher systems. While some estimates suggest the system could save $3 billion over 10 years, that is dwarfed by the $92 billion a year currently paid out each year in health and social security benefits.
Visible on the card will be the name, photo and signature of the holder, along with the card number. Stored on the microchip will be the address, date of birth and details of children or dependants. Card holders will also be offered the option of storing information such as emergency contacts, allergies, immunization details and donor status.
The government has costed the system at $1.09 billion over four years. While most of the infrastructure will be built by the public sector, private sector business such as medical centres, pharmacies, insurance companies and banks may also be impacted as part of the service chain.
Privacy Commissioner Karen Curtis has acknowledged the inherent privacy risks with the system, and called for strategies to minimize those risks. Curtis, however, will not have oversight of those strategies. In May, Allan Fels, a former head of the Australian Competition and Consumer Commission, was appointed to head a smartcard consumer and privacy task force, which will report to government on the most appropriate privacy regime. (The Australian Law Reform Commission is separately conducting a review of the scope and operation of the Privacy Act, which will also explore the implications of the access card, but that group is not scheduled to report to the government until March 2008.)
Curtis says that her office will work with the Office of the Access Card in the Department of Human Services and recommend a range of legislative and technical protections be incorporated into the design and implementation of the system. She says it is important to ensure privacy protection for back-end systems, separation of governance of the regime from the agencies that use the database, and clarity on who will be able to access what information on the card - for example, will emergency health or contact details be available to anyone who swipes the card?
Curtis also believes legislation will be needed to guard against tampering with the photo or chip and information on the card or chip, and to prevent unauthorized use of information on the card for data matching beyond the original intention of the system. This also applied to private sector organizations, which might swipe the cards.
Broader Plan in the Cards?
While the government has steadfastly denied any suggestion that the access system represents an identity card, some analysts question whether the health and social services access card will prove to be phase one of a much broader plan. Bruce McCabe, principal of S2 Intelligence, believes other government ministers are considering how such a system could be used more extensively. He warns, though, that the government must guard against any form of "function creep" or it "could compromise the entire process".
McCabe says it is essential the government fosters a level of trust with Australians so they feel that the benefits of more streamlined access to services "justify the privacy risks". These, he says, are real risks, especially with the storage on the card of biometric information, namely digital photographs. He says that if that biometric information is stored on centralized databases that are not properly secured, then there are risks of identity theft that need to be carefully managed.
Commissioner Curtis agrees function creep must be avoided. "While the government has stated that the access card will have limited cardholder information on it, and that that information will be subject to strict protections and only accessible by authorized people, it will be important to ensure that as the proposal is developed the uses and safeguards are clearly identified and legislated. This will help to ensure that the government's stated intention that this not be a national identity card is met," she says.
Cyrille Bataller, a biometrics expert based in Accenture's research centre in France, agrees with McCabe and Curtis. He says best practice regarding information systems containing biometric information involves creation of a privacy impact assessment, which would identify whether the application would be privacy enhancing or destructive.