Brett Winterford, iTnews:

One concern that a lot of readers had about the amendments to the Act was the systems impost when you are asked to ensure that all of the customer’s record is available. This requires, if you want to comply in a cost-effective way, a single view of the customer, or at least of their personally identifiable data.
They complained because it would be quite the nuisance factor if there were ten thousand Ben Grubbs seeking a copy of their personal data. They would need to have automated systems in place or some other way to meet that obligation without it being a significant overhead on the business.
Is there any room for an organisation being able to appeal to your good sense if individuals were to abuse that part of the Act?
Timothy Pilgrim, Privacy Commissioner:
Within the Privacy Act, I have the ability to handle complaints from an individual against an organisation – so if an individual was to go to an organisation stating ‘I want access to my personal information’, then we will now be able to determine what constitutes their [personally identifiable] PI and what they’re going to hand over.
But in addition, the terminology of the Act states that there is an ability for me to dismiss a case on the grounds that it is vexatious, or misconceived – so if you had an individual who kept going back to an organisation, saying ‘I want this piece of information’ and then coming back in a couple of days saying ‘I want this piece of information again’ – then we can close the complaint and choose not to investigate because it’s vexatious.
At the moment we haven’t had to use that for complaints about access to PI data yet, but there is that ability there to dismiss the case.
Brett Winterford, iTnews:
Have you seen any activity that suggests organisations are working to restructure their systems in such a way to create a single customer view, and that they are doing so in light of privacy legislation?
Timothy Pilgrim, Privacy Commissioner:
One of the issues with the whole concept around a person’s PI held in a large, possibly complex organisation, is where the disparate bits of information sit. Do they all sit on the one server or database?
One of the challenges will be for organisations to determine under the Act when that information is going to constitute personal information.
If a piece of data is sitting in isolation and, even when drawn together with another piece of personal information or data about the same person, the person is not easily identifiable, then it is not going to constitute personal information in the terms of the Act.
So there are going to be considerations from a compliance perspective about what organisations fundamentally want to do with the information they have on their customers.
If they choose to start bringing [disparate pieces of data] together, for the purposes of having a better client relationship, then generally speaking, it will constitute personal information. And on that basis, people will have a right to access it.
Should they have very specific needs for a small portion of information about a customer, then that’s all they should be storing. In those situations, the organisation is going to have to assess how easily that information can be brought together with other data to understand whether in fact it’s going to sit within the definition of personal information.
Brett Winterford, iTnews:
Do you have currently any means of accrediting third parties to help organisations with this?
Timothy Pilgrim, Privacy Commissioner:
I don’t necessarily think that we need to accredit third parties at this point in time to check on other organisations. But there are auditors within large accounting, legal and consulting firms that can be called upon when necessary.
For example, if I was to undertake an investigation and I form the view that there was a high chance that there was a breach, or in fact found a breach – one of the things I could do is require the organisation to employ an independent third party to undertake an assessment of their systems.
The changes to the Act did increase the powers I have to resolve investigations, one option being enforceable undertakings, that is to get an organisation to agree that it will do certain things. If an organisation fails to comply with those undertakings, I can have them enforced.
As part of one of those undertakings I could say that I want the organisation to employ a company to come in and do an independent third party audit of their systems just as I would myself.
Brett Winterford, iTnews:
I was asking because I would posit that you don’t have the resources to audit the volume of breaches out there. The question is how to get enough warm bodies to make these laws stick.
Timothy Pilgrim, Privacy Commissioner:
That’s a fair point, and like all government bodies, we do have limited resources, so we do look at ways of being able to achieve our compliance outcomes.
And quite clearly one way of doing that could be to use the enforceable undertakings process to, say, work with an organisation that has been breached, to identify an independent third party company to come in and undertake an assessment of their systems and have them report back to me.
Around two years ago in New Zealand there was a significant data breach with one of their government agencies, and the New Zealand Privacy Commissioner required an agency to bring in an auditor to do a full independent assessment of their systems and to report back to both the Privacy Commissioner and the organisation. I think that is a very useful tool to have.
Brett Winterford, iTnews:
One of the presenters here at the AISA conference recommended that Australia needs to learn some lessons from the US mandatory data breach notification schemes before we head in that direction.
He claimed that naming and shaming and lawsuits levelled against breached organisations aren’t as productive as privately compelling them to share data with their peers and the government on how they were breached, so the lessons can be shared more broadly.
Is there a way this might tie in with privacy compliance? Can you enforce an obligation to help your peers not suffer the same fate as a company that is breached?
Timothy Pilgrim, Privacy Commissioner:
It’s an interesting approach but it’s an approach that goes beyond just privacy issues. It obviously impacts on personal information but goes a step beyond to broader IT security issues.
If hackers are going to go to a particular type of organisation, they may go for a whole group within the sector. My understanding is that the government, via the ASD and others, already encourage the sharing of this sort of information. I think that could be encouraged more broadly.
Where I come from is this: whether data breach notification is mandatory or voluntary, I want to ensure that an assessment is done about the potential harm to the individual as a result of that breach, and what steps need to be taken to notify them.
I think what we would all agree in situations such as the hacking of credit card data from a company we do business with, we would expect to be notified. Going back to our survey, close to 95 percent of respondents said they should be advised if there’s been a breach of your personal information.
It’s a very complex debate about data breach notification. There is that line between how often, or when should you notify individuals of a breach. We have a voluntary data breach notification guide, recognising that you can get notification fatigue if we’re getting something every day.
We don’t want to see that happen, because that can have the effect of people not taking it seriously in situations whereby they should.
So it’s going to be an ongoing issue that organisations need to keep reflecting on – determining when to notify a person.