CIO

Invasion of Privacy

The advent of Australia's Privacy Act for the private sector in December 2001 was going to create a significant impost for corporate IT departments. Six months before the legislation came into effect, industry analysts warned direly that just one in 30 companies was ready for the dawn of the new regime.

The Stories Continue

What were we thinking?

What were we thinking?

What was I thinking?

Back in May, I celebrated CIO's 100th issue by introducing a continuing series - CIO Retrospectives: Seminal Issues & Technologies - where CIO writers revisit seminal events, issues and technologies we've covered over the years.

If you're a new reader, or need a bit of a reminder regarding the "how's" and "why's" of this particular exercise, here's our premise. The writers are to kick off with "What were we thinking" - that is, why we all believed the selected story was important and the pervasive mind-set at the time among users, observers and (occasionally) vendors. Then, in some instances at least, the writer looks back and casts a jaded eye - that is, "What were we thinking?" - over the topic.

Thus far, we've covered a number of issues, including the likes of Y2K, "IT Doesn't Matter", the skills crisis (or lack thereof) and dotcom mania.

This month CIO writers cast their respective eyes backwards at that plucky tag-team of security and privacy. (While privacy is a one-off, the ever-changing nature of security means we'll be revisiting that particular topic more than once in this series.)

As always, I'm happy to entertain your suggestions for other "seminal" technologies or issues we should cover.

LK

linda_kennedy@idg.com


Invasion of Privacy

Back in 2001 Peter Piper picked a pack of Privacy Principles, but thus far no one's found themselves in much of a pickle.

The advent of Australia's Privacy Act for the private sector in December 2001 was going to create a significant impost for corporate IT departments. They would have to ensure that their computer systems were secure, that access to personal data stored on computers was rigorously controlled, and that all employees understood their obligations as far as keeping personal information secure and confidential.

They would also have to be ready to field complaints when their privacy regime failed.

Six months before the legislation came into effect, industry analysts warned direly that just one in 30 companies was ready for the dawn of the new regime. There was going to be a mad scramble to comply with the legislation.

Then . . . well, then very little actually.

Large corporations got on with it: they created codes and policies, established education modules, and upgraded security and access controls on their databanks. SMEs were not as thorough, but they also were not particularly worried about sanctions.

Australia's first federal privacy commissioner, Malcolm Crompton, made it clear even before the law came into effect that he was operating a light-touch regime, and was more interested in educating companies and consumers about their rights than riding roughshod over recalcitrants; he ultimately made just a handful of determinations during his tenure. His successor, Karen Curtis, who has been privacy commissioner since July 2004, has a similarly light touch and is yet to issue a binding determination.

Sting, but No Bites

Professor Graham Greenleaf of the University of New South Wales focuses on the intersections and relationship between information technology and the law. The founding editor of the Privacy Law & Policy Reporter and a well-known privacy advocate, Greenleaf believes that five years on, Australia's federal privacy regime has thus far proved something of a fizzer. While arguing that the legislation itself is far from perfect, Greenleaf nonetheless believes that it does offer scope for enforcement, which has so far been largely ignored.

"There has been a lack of serious enforcement by the privacy commissioner," Greenleaf says, adding that the current commissioner, Curtis, has yet to issue any binding rulings on complaints at all, despite a stated intention to ramp up enforcement in last year's review of the privacy regime.

Although he would like to see the Act itself reviewed and significantly improved, he believes that the current enforcement provisions have enough sting in the tail for test cases to be mounted in order to send a message to the business community that it needs to pay more than lip service to the legislation.

As it is, Greenleaf suspects many companies weigh the risk of being caught out against the cost of compliance, and are doing little to put their privacy house in order given the low level of enforcement activity thus far. "The advice I would give as a privacy advocate is to comply with the spirit of the legislation - because in the long run it makes good business sense to comply with this legislation - as if it were being actively enforced. But accountants measure risk, and the business risk of not complying is probably pretty low to nil," he says.

In spite of this perceived lack of vigorous policing, Paul Cavanagh-Downs, CIO of Aristocrat, says that privacy is something business does have to be aware of, and that all of Aristocrat's managers are put through privacy education. However, privacy issues are not something he concerns himself with day to day. As a company mainly in the business-to-business space, Cavanagh-Downs says, most of Aristocrat's personal information is held in HR and payroll systems, which were secured before the legislation came into effect in any case.

At St.George Bank, where personal information is lifeblood, compliance with the new regime was more of an issue, although the bank had security and privacy on its agenda long before they were mandated by government. CIO John Loebenstein says that privacy and security are something the bank does as a matter of course. "You buy trust and security from your bank otherwise you'd keep your money under the mattress," he says. "For the financial services industry it was not a huge, radical change in behaviour or training."

Compliance with the new regime cost the bank "a couple of million dollars", which was "a pimple compared to Y2K, which cost $60 million, or the $20 million for GST, and Basel II was at least that big", Loebenstein says.

Varying Costs

The cost of compliance naturally varied according to the amount of personal information organizations stored. In her review of the private sector provisions of the Privacy Act last year, Curtis noted that the Insurance Council of Australia claimed its members had spent $10 million to $15 million on systems changes needed to comply with the new laws. Coles Myer had spent about $300,000 (a cost it claimed outweighed the benefit to customers), Suncorp $1.2 million, and NAB and MLC around $28 million over three years.

All very interesting and indicative of the disparate approaches taken, but the Australian National University's Professor Roger Clarke, a long-term privacy advocate, is not impressed by Australia's current legislation or the lack of enforcement. Clarke believes there are genuine benefits available to companies that take privacy seriously, and look beyond bald compliance with the current regime. He remains "appalled that we have still not got any real legislation or protection".

According to Clarke, a "flood of instant experts emerged" when the privacy regime was extended to the private sector, all eager to sell "expertise". (Clarke's own company, Xamax, was established in 1977 with privacy high on its agenda.) In the end many companies developed their privacy policies in-house with limited external support, created education programs, tweaked their back-office systems and structured complaints processes themselves.


Commissioner Curtis says Australia's law firms, many of which set up large privacy compliance practice groups in advance of the legislation coming into force, also found a trickle rather than the anticipated flood of business from companies wanting compliance support. She herself, when running the Australian Chamber of Commerce and Industry (ACCI) privacy initiative prior to becoming privacy commissioner, bought an off-the-shelf privacy compliance CD-ROM and established a privacy regime without any external support.

Privacy turned out not to be the lawyers' playground some had expected.

Although some privacy advocates argue that the present regime is soft on corporations and pays scant attention to consumers' complaints, Curtis says that for the most part her office tries to conciliate between the business and the complainant. "Maybe there is an apology or the organization fixes the information. Sometimes the organization pays a sum of money. Few go to court," she says.

The Act allows for any determinations made by the commissioner to be enforceable in the Federal Magistrates Court. There have been nine determinations during the history of the Act, but none since Curtis became commissioner. "By and large we don't receive a lot of complaints," Curtis says. (There were 1275 complaints during the last financial year, 1276 the year before.) "The lack of complaints might not equate to complete happiness but you could not say there is a flagrant breach of privacy."

She says that in most cases it is in business's best interests to resolve complaints as soon as possible in order to keep a customer and avoid brand damage. "You've got the power of the shock jocks and the Current Affair-type programs - they can do a lot of brand damage", if a company flagrantly breaches its customer's rights.

While acknowledging that the financial sector remained the most complained about under the privacy regime, she says that, compared to the sheer volume of transactions, there were relatively few complaints.

"I believe that larger businesses and those that deal with personal information have done remarkably well," Curtis says. "It's the SMEs that don't do it quite as well." As part of her review she has called for the scope of the Privacy Act to be expanded somewhat: small businesses, which are currently exempt if their revenues are under $3 million, should be exempt only if they have fewer than 20 staff. She has also called for all ISPs to be covered by the Privacy Act, given the amount of personal information that flows through them.

Review and Refresh

Although relatively pleased about the approach of big business to privacy, Curtis is concerned now that some organizations may take for granted their five-year-old privacy regimes, and not review and refresh them as regularly as they ought. Similarly she believes consumers should be reminded of their rights to privacy. There are, she believes, benefits available to corporations that pay better attention to privacy. In its submission to the 2005 review of the Act, Telstra agreed.

"The significant financial cost to Telstra in taking steps to comply with the Privacy Act has been offset by the value to Telstra of the improved systems and processes and from a brand perspective," Telstra reported. That said, Telstra is not keen to make further changes, as it believes any significant changes to the 10 National Privacy Principles that underpin the privacy regime would increase the cost of compliance, and that as a consequence changes arising from the commissioner's review of the Act should be kept to a minimum.

Changes are, however, now being considered. One of the 2005 review's recommendations was for an inquiry into the current regime, to explore whether it was effective given rapid technological advances such as ubiquitous Internet access, and the rise of offshore processing centres that collect personal information. That recommendation has been accepted and in January this year the government announced that the Australian Law Reform Commission (ALRC) would investigate the current regime.

Before CIOs get all hot and bothered about another round of privacy compliance costs, however, bear in mind that the ALRC is not due to report to the federal government until 2008.

Until then it is business as usual.

SIDEBAR: Turn of the Smartcards

Big Brother is set to watch over you

Australia's big new privacy bogey is the government's access smartcard, which from 2010 will be the only way to access health or welfare services benefits. Progressively phased in from 2008, the smartcard will replace 17 existing card or voucher systems. While some estimates suggest the system could save $3 billion over 10 years, that is dwarfed by the $92 billion currently paid out each year in health and social security benefits.

Visible on the card will be the name, photo and signature of the holder, along with the card number. Stored on the microchip will be the address, date of birth and details of children or dependants. Card holders will also be offered the option of storing information such as emergency contacts, allergies, immunization details and donor status.

The government has costed the system at $1.09 billion over four years. While most of the infrastructure will be built by the public sector, private sector business such as medical centres, pharmacies, insurance companies and banks may also be impacted as part of the service chain.

Privacy Commissioner Karen Curtis has acknowledged the inherent privacy risks with the system, and called for strategies to minimize those risks. Curtis, however, will not have oversight of those strategies. In May, Allan Fels, a former head of the Australian Competition and Consumer Commission, was appointed to head a smartcard consumer and privacy task force, which will report to government on the most appropriate privacy regime. (The Australian Law Reform Commission is separately conducting a review of the scope and operation of the Privacy Act, which will also explore the implications of the access card, but that group is not scheduled to report to the government until March 2008.)

Curtis says that her office will work with the Office of the Access Card in the Department of Human Services and recommend a range of legislative and technical protections be incorporated into the design and implementation of the system. She says it is important to ensure privacy protection for back-end systems, separation of governance of the regime from the agencies that use the database, and clarity on who will be able to access what information on the card - for example, will emergency health or contact details be available to anyone who swipes the card?

Curtis also believes legislation will be needed to guard against tampering with the photo, the chip or the information held on either, and to prevent unauthorized use of information on the card for data matching beyond the original intention of the system. This applies equally to private sector organizations that might swipe the cards.

Broader Plan in the Cards?

While the government has steadfastly denied any suggestion that the access system represents an identity card, some analysts question whether the health and social services access card will prove to be phase one of a much broader plan. Bruce McCabe, principal of S2 Intelligence, believes other government ministers are considering how such a system could be used more extensively. He warns, though, that the government must guard against any form of "function creep" or it "could compromise the entire process".

McCabe says it is essential the government fosters a level of trust with Australians so they feel that the benefits of more streamlined access to services "justify the privacy risks". These, he says, are real risks, especially with the storage on the card of biometric information, namely digital photographs. If that biometric information is held in centralized databases that are not properly secured, he says, there are risks of identity theft that need to be carefully managed.

Commissioner Curtis agrees function creep must be avoided. "While the government has stated that the access card will have limited cardholder information on it, and that that information will be subject to strict protections and only accessible by authorized people, it will be important to ensure that as the proposal is developed the uses and safeguards are clearly identified and legislated. This will help to ensure that the government's stated intention that this not be a national identity card is met," she says.

Cyrille Bataller, a biometrics expert based in Accenture's research centre in France, agrees with McCabe and Curtis. He says best practice regarding information systems containing biometric information involves creation of a privacy impact assessment, which would identify whether the application would be privacy enhancing or destructive.