The National Privacy Principles, which form the basis of the government's reformed privacy legislation, came into force in December last year.
Are organisations seeing a tidal wave of enquiries and complaints?
Helen Dancer reports that while there may have been a few predictable flashpoints, the phones have not been ringing off the hook - so far.
Countdown to December 21, 2001: privacy compliance day.
As the days dwindled down to a precious few, the warnings grew increasingly dire. Pundits came out in droves, predicting that IT departments were not prepared for the new privacy legislation and would face major issues in the compliance race. Within the Big Five consultancies, privacy compliance practices popped up overnight like crocuses in spring. Legal eagles had a field day. The press more so.
Typical of the ilk of pronouncements, Computerworld, sister publication to CIO, reported in July: "The Australian Privacy Compliance Centre (APCC) director, Mark Sumich, said: Companies slow to act will lose customers and revenue, pointing out that compliance is too complicated to leave to the last minute . . . Come December, consumer interest groups will be looking for some showcase examples of privacy in different businesses and the current regulatory climate in Australia is unforgiving for corporate malfeasance.'"And, as a late as November another Computerworld story led with: "IT analysts are warning Australian companies racing to comply with the new privacy act next month that high-profile organisations will be targeted in the New Year to test the legislation."
Even these pages saw a head's up with "Getting Personal", CIO, July 2001.
But what if they passed a privacy act and nobody cared?
It appears that is exactly what has happened.
In a compliance-weary corporate world, the need to spend up big on making sure systems and policies were in place to meet the extra data security and data privacy obligations mandated by the new privacy provisions must have seemed like just so much more demand on the purse strings. But a report from the Privacy Commissioner's office as late as July last year revealed that if corporate Australia was worried about the latest impost on its IT budget, the strain was not showing. In fact, business was being very "She'll be right, mate" about the whole deal. With five months to go, fewer than 26 per cent of respondents had even started looking at whether their systems complied, and about 54 per cent admitted they were not entirely sure what their obligations were.
Which is odd in a way, because Australians have been largely characterised as being anything but "She'll be right, mate" about their privacy. As Roger Clarke's 1987 article published in Prometheus recalls, this was the population which in 1986 killed off the National Identification Scheme, aka The Australia Card, first mooted in early 1985 as a way of minimising social security fraud, illegal immigration and tax evasion, but demonised and ultimately defeated as an overwhelming invasion of personal privacy (see "Identification Marks", page 66).
Sixteen years later the National Privacy Principles (NPP) decree that citizens have the right to access information held about them in corporate databases but, far from experiencing a rush so far, all has been reasonably quiet. Gillie Kirk from the Privacy Commissioner's office notes that since the law came into force on December 21 last year, the office has received 20 complaints under the NPP, but overall activity has been in the form of contact from companies seeking written advice and interpretation of the new provisions.
An early report from Computerworld in January suggested that privacy compliance queries had caused meltdown at the call centre of Queensland energy supplier Energex, a claim public affairs communications manager Deborah McGoldrick dismisses. "We had a record heat wave and also a number of storms in the period immediately after the legislation came into force, both of which accounted for a huge volume of calls during that time. What our operators found was that as well as taking an unusually high number of calls relating to services and the extreme weather, they were spending a little extra time on each call, in the normal course of business, giving customers the extra information they needed to, to meet our new [compliance] obligations. But to say that we have had a huge volume of simply privacy-related queries since December is completely inaccurate."
Put It in Writing, Please
Jane Nash, ANZ Bank's head of government and regulatory affairs, says that as part of its preparations, the bank created a form for customers to fill out, either to request access to information held about them, or to modify that information. If a customer's relationship with the bank is complex, and spread over two or more business units, then providing them with the entirety of information held about them, while not impossible, is difficult. So far, she says, only one customer has made this written request, though the bank has fielded several enquiries about its information use and disclosureOverall, Nash says, most people are not anxious by the way their bank handles their information, and she says, post-implementation, nothing has taken the bank by surprise. "Our customers evidently don't feel they need to know every facet of information the bank holds about them, or how it's dealt with." Banks are, she says, probably better placed than other industry sectors as far as customer confidence is concerned, since "confidentiality has always been a cornerstone of the relationship between bank and customer".
What is interesting, she says, is that the bank is now required to be more transparent, disclosing all of the third parties with which it might exchange customer information. "That third-party disclosure list has been the source of some enquiries," she says, adding her opinion that "prior to actually being proactively told though, people didn't really think too deeply about it."
Internally, there's a different focus of activity, as the ANZ's 16 discrete business units strive to make sure that the data security policies already in place adequately meet the recently enforceable data privacy obligations as well .
Just Say No
Kirk says that while the Privacy Commissioner's office has not received an avalanche of calls since the beginning of the year, of the ones it did get, most had the same focus. "People have been asking how they can gain access to their records, especially medical records," she says. "Additionally, a lot of companies have been issuing notices and seeking consent, especially consent for reuse or disclosure of data other than primary data, that is, information which falls outside the Act. People have been responding to [these requests for permission], asking whether they have to give their consent, or explaining that they don't want to, and wanting to know the implications of refusing consent. Under those circumstances our advice has been to say: No.'"While Kirk admits that it is well within the company's prerogative to refuse to continue the customer relationship if customers reject the terms of the privacy and information use policies outlined, she says customers need to be aware of their right to refuse, and suggests if there are particular elements of the policy that are unacceptable, there is always room for negotiation.
The privacy principles are, however, causing headaches in the normal course of providing health-related services - especially relating to newly mandated disclosure. In a written response to questions, medical insurer Medibank Private told CIO that it had not had to make any "significant" changes either technologically or culturally, but that it had modified both its information management systems and collection practices in line with its new obligations. In part, this includes rewording all the company's customer-side documentation, including application and claim forms.
But one of the new mandated policies is causing some problems for Medibank Private's customers. Staff are now banned from giving out information about a person over 16 to anyone but that person, causing problems for spouses whose partners are away on business and who need to access that partner's health records, or carers of people not physically or intellectually able to seek the information themselves. In addition, Medibank Private has received a number of enquiries from divorced couples where only one parent has custody of children. "In such circumstances," says the statement, "it is our policy that only the custodial parent with a Court Order may access the information of children under the age of 16."
All of these situations, however, can be addressed by filling out an Authority Form which gives permission for medical records and other related information to be released to a person other than the records' owner.
It is a similar story in the medical services sector. While the IT manager of a leading private NSW pathology laboratory says that the company did not have to tweak a single system in anticipation of the legislation - since its information security and privacy policies were already stringent and secure - at the coalface, particularly the results enquiries line, the duty manager describes the impact as "somewhere between a storm in a teacup and a pain in the neck".
Providing information to a doctor about a patient is now far from straightforward, he says. While once it was considered normal for a doctor to receive pathology information in advance of seeing a referral patient, patients must now give their consent regarding where test results are sent, even if it involves their own doctor.
All of this permission needs to be handled by results enquiries operators, which the duty manager says is creating additional workload for each operator. To make the process more straightforward, the results enquiries desk has a guidelines document that sets out procedures. For example, if a patient refuses permission or a call does not follow standard form, it is escalated to a specially-appointed privacy officer.
It's now three months since the Privacy Act came into force. Are Australians fussed about their privacy? Do they feel that too many computers are massaging their personal information without their consent? If all indications are correct, the answer is probably yes, but they appear to care somewhat less than they did 16 years ago. Today people are willing to reveal a great deal about themselves - if it serves their self-interest - and are somewhat inured to the notion that companies seem to know almost more about us than we know about ourselves.
Duncan Giles, partner in the technology, media and communications group at Andersen Legal, agrees that with the passage of time "glorious cynicism" has largely replaced the jealous guarding of personal privacy as a national characteristic. "There's a more pervasive attitude of: I've done nothing wrong, so I don't care what information they collect about me', which is a wonderful thing," he says.
"I do think, however, that once a few more high-profile cases [of information misuse] start to surface, people will become more aware, and that [attitude] might change." The distinction implicit in Giles' observation is instructive: while we might not care so much under all the circumstances about the collection, we still care deeply about the disclosure.
Although it is early days, inevitably there will be challenges to the as yet not fully explained privacy policies, and the issue of what companies are, and ought to be, certifying to each other, Giles argues. To date, he says, most published privacy policies outline the three basics: what's covered; what the exemptions are; and who to contact. But there are contractual obligations between companies under the Act, which if pushed, might expose that those basics are not really good enough, and "it could turn out to be a bit more complicated than first thought".
And the price for getting it all wrong? Unlike the GST, for which the extra dollar in the government's pocket was the bottom line and the watchdogs were barking at the gate, the people CIO canvassed on this issue were of tentative but hopeful accord. "It seems likely that the Commissioner will not choose to be vicious in punishing infringements, especially in the early days. There will be consideration of whether the company has made appropriate' and extensive' efforts to do the right thing," says Giles. "But that's only one side of the argument, the other of course is the consumer reaction and commercial damage aspect."
He recalls the case of US company Harts which suffered commercially when it was discovered to have inappropriately dealt with clients' personal information, disposing of it by throwing it, unshredded, into a dumpster, thus exposing it to be found and used by third parties who had no right to have it, in ways which were detrimental to the customers involved. When the incident was exposed, the commercial retribution stung far more than a regulatory reprimand could have. Harts' share price plummeted. This is the more dangerous zone, Giles says, "[It's] a very immediate public disagreement with the company's treatment of private information".
Standard 4360 set in 1999 provides the guidelines for risk management, but complying with the Privacy Act is made the more difficult by the terms it uses. "The Act can't tell you whether [implementing] a certain tool is taking reasonable measures' under the specific circumstances," he says.
NPP 4 is thus rendered very subjective, relying on subject matter expertise in every case to adjudicate whether reasonable is in fact reasonable. Nassiokas' department has also adopted information security management principles based first on the AS4444 set down in 2000, but updated to comply with the 2001 International Information Code of Practice ISO17799, which supersedes the AS4444. The differences in specification, he says, are not substantial.
Trans-border information flow (NPP 9 in the Australian implementation) is an issue that continues to trouble privacy regulation authorities, and one that has begun to be addressed globally, notably in the data protection updates announced by the European Commission's Data Protection Working Party. PDFs of the various clauses and decisions can be downloaded from the EU's advisory Web site*, but in brief, set down stricter procedures and guidelines which go so far as suggesting that the importer of the information be subject to the jurisdiction of the country of the entity exporting the information.
Pride and Prejudice
Duncan Giles, partner in the technology, media and communications group at Andersen Legal, says the developments recognise the post-implementation reality that apart from the US Safe Harbour provisions, the rules governing the security of third country information transfer "don't work terribly well", and that there is a need for compliance and corresponding penalties to be much more onerous.
On the home front, Giles has observed some interesting "left of centre" consequences of the legislation's introduction, notably the issue of employee records or, more specifically, records kept about those who never became employees. Employee records are, of course, exempted from the legislation. But in the case of a prospect who was interviewed by a company and not subsequently employed, the issue of notes, which may have been made about him or her in the interview process by members of the interview panel or referees, makes for a sticky situation.
Legally speaking, says Giles, the rejected candidate now has the right to challenge the company to produce all the records it may hold about him (or her) and his candidature, and see what personal and potentially prejudicial observations have been made about him in the candidate selection process. "While it's incumbent on any company not to record any incorrect information about a person as a matter of course, the issue of hearsay or the formation and then storage of prejudicial opinion becomes all the more pertinent in this context."
There is a clear implication that companies need to be circumspect about the way they collect, and what they do with, information about prospective employees, and particularly failed candidates, in this new privacy landscape.
- H Dancer
* http://europa.eu.int/comm/internal_market/en/dataprot/modelcontracts/index.htm and http://europa.eu.int/comm/internal_market/en/dataprot/news/clauses2.htmIdentification MarksCollecting customer information is one thing, getting it right is anotherBack in 1985-86, the National Identification Scheme project was deemed not only politically and personally controversial but technically demanding because it might have involved the establishment of a central information repository, to which 20 or so hitherto unrelated databases might have had to contribute. In today's intensive info-farming environment it seems gloriously unsophisticated, but then it was heady stuff, just 12 months on from the Orwellian year of 1984. To minimise public concern, it was mooted that only "non-sensitive" data be held initially, but that an option to increase the amount and type of information about the citizenry remain open.
Fast forward to 2002 and any last vestiges, on the collection side, of such pussyfoot pandering to personal sensibilities have been swept away with a spoonful of pragmatism, but concern remains. While there is, generally speaking, a wider consumer acceptance of the trade-off between convenience of service and the need to supply enough personal information about ourselves to make such processes possible, we are all too well aware of the highly sensitive nature of the personal information held about our health, employment and financial situation; the ease of transfer of such information between not only companies but also countries; and the opportunities for such information to be mistakenly disclosed or maliciously hacked.
Detrimental information disclosure can, after all, be as simple and unintentional a matter as an over-tired data entry operator putting information in the wrong database field, and there being insufficient internal audit procedures in place to pick up the error. Such a case was recently taken before the Canadian Privacy Commissioner's office, where a woman in a small town was judged to have had her privacy violated by her bank, which sent her a statement which mistakenly included information about her bankruptcy in the address field of the form, meaning that it was then visible in the envelope window, rather than being further down in the letter and thus concealed by the folds of the paper.
The woman's privacy was deemed to have been violated because the bank had unlawfully and unnecessarily disclosed highly personal financial details to other people of her acquaintance, notably the postmaster and anyone else who had handled the envelope. The bank's original verbal apology and a $20 gift voucher was deemed inadequate compensation for the bank's inadvertent but inappropriate handling of her personal information and the woman later settled for a more substantial ($C1000) payout.
While the sophistication of collection and storage has increased significantly over time, interestingly, many of the same data integrity issues that supported objections to the Australia Card remain. Indeed, Clarke writes in Prometheus, one of the concerns inherent in the National Identification Scheme was that collating the information on the disparate databases would first of all require some skill in deciding which of the conflicting details about a person might best be deemed the most complete and reliable. This is an echo of the recently enacted NPP 3, which mandates that a company must take all reasonable steps to ensure that the information it collects, uses and discloses is accurate, complete and up to date.
The issue of rationalising databases was, and remains, no small concern. Clarke recalls that at the time of the Medicare card issue, cards covering 15.8 million people were issued, when Australian Bureau of Statistics data suggested that the total population fell well short of that number, and was in fact closer to 15.2 million, highlighting the extent of data duplication.
But the problem of data entries including out-of-date addresses and mistakes as simple as spelling and other errors in primary data - name, age, address and so on - which create multiple shadow entries, have not dissolved with time and, interoperable as Australia's info-repositories have become some 16 years on, such inaccuracies remain.
In the run-up to enforcement day on December 21, many companies sent circulars to their customers outlining their position on information use and disclosure. Along with the advisory notification, many also required customers to "confirm" certain aspects of their personal information, "for authorisation purposes".
Peter Sandilands, former MD of CheckPoint Software, suggests such a confirmation requirement was nothing more than a tacit admission that their database integrity was not up to scratch, and that companies were scrambling to clean up their information repositories ahead of e-day.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.