The Harsh Reality of Data Privacy in Australia
Episode Summary
Explore the intricate world of privacy law regulation as Nicole Stephensen, Managing Director at Ground Up Privacy, unravels the unique challenges faced by Australian SMBs.
Discover why it's essential for businesses to bridge the gap between data governance, privacy, and cyber security, and how missed opportunities arise when privacy and cyber security teams operate in silos.
This episode delves into the recent Privacy Act reforms and the implications of the first tranche of the government’s legislative reform agenda, and how even small businesses can proactively manage privacy without incurring prohibitive costs.
Soak up all the valuable guidance needed to navigate these critical areas, and gain insights into maintaining compliance while fostering growth and innovation.
Highlights
- Introduction
- How are privacy laws structured in Australia?
- Is there any requirement for businesses to comply with state privacy laws or is it all government?
- Does one take precedence over the other?
- Is it costly to comply with the Privacy Act and certain cyber security standards?
- Have they included enough in the first tranche of the Privacy Act reforms?
- Is there one particular reform that didn't make it into the first tranche that you felt should have?
- What is the gold standard for consent and how far off are we on that?
- Why is Australia moving quite slowly with its privacy reforms?
- Bridging the gap between cyber security and privacy
- What do you think of the innovation budget and the initiatives coming out from the government?
- What are your thoughts on AI?
- Do you think the clarification of what “reasonable steps” is will become more prescriptive?
- Does the government need to speed up putting some structure around the use of AI?
- Do you think the privacy reforms are enough to still put us on the world stage?
- Do you see any trends or predictions in the next 12 months from a privacy perspective?
Transcript
Introduction
Adam Cliffe: In today's episode, I was joined by Nicole Stephensen, Managing Director from Ground Up Privacy, a consulting firm that enhances organisational knowledge and practice around privacy and the protection of personal information. Nicole and I share our thoughts on the first tranche of the Privacy Act reforms. We explore the need to bridge the gap between data governance, privacy and cyber security, why small businesses need to take a proactive approach to privacy, and a whole lot more. Let's dive in.
[music]
Adam Cliffe: Nicole, thank you so much for joining us today on ADITS Unplugged.
Nicole Stephensen: It's a pleasure to be here. Thanks for having me.
Adam Cliffe: My pleasure, not a problem.
How are privacy laws structured in Australia?
Adam Cliffe: I just thought we could start if you could just explain to us how privacy laws are structured in Australia.
Nicole Stephensen: So, I guess a friendly term would be to call it “a patchwork quilt” here in Australia. So, we have our Commonwealth privacy legislation, which is called the Privacy Act 1988. And that one applies to our federal government agencies as well as organisations, and those organisations are set out in the context of that law, which ones it applies to and which ones it doesn't. And then at the state and territory levels we have our privacy laws that reflect what our government agencies can do in respect of handling personal information.
Is there any requirement for businesses to comply with state privacy laws or is it all government?
Adam Cliffe: Right, so with the state, so like Queensland for example, is there any requirement for business to comply with that, or is it all government?
Nicole Stephensen: Ah, okay. So, the way that it works is that government agencies are the ones that are required to comply with those state-based laws. But if you're a business that services those government agencies, there can be a catch, right? So, the government agencies are required to use their contractual provisions or their procurement processes to ensure that any personal information that another business manages on their behalf is done in accordance with the privacy rules that apply in that state.
That kind of language is going to make its way into a contract that a government agency has with a business. So, if a business doesn't already have a deep understanding of how privacy works and how it applies in their context and they want to do business with our state government agencies, and that includes local governments, they'll want to start thinking about privacy, what governance looks like for them, so that they can then do those contracts safely.
So, can you imagine if you sign a contract that says, “Yes, I'll manage personal information in accordance with the rules that apply here,” but then you actually don't know how? That could be a very risky situation.
Does one take precedence over the other?
Adam Cliffe: Definitely, and if those organizations were also required under the Commonwealth Act, is there a difference between the state-based and the Commonwealth? Like does one take precedence over the other or is one more, I guess, strict with their…?
Nicole Stephensen: Right. So, in the context of the business that's required to apply the Commonwealth legislation, those are the rules that apply to that business when that business is doing its job, undertaking its own functions.
But when it's operating on behalf of a government agency like Queensland government or one of the local governments and they have a contract in place that says they will act in accordance with the privacy principles in that jurisdiction, then they're in a bit of a tricky situation. They have to be able to demonstrate their ability to comply with that requirement. If they've already got their house in order, in terms of what the Commonwealth law says they must do, that law will be substantially similar to what we see at the state level. So, they should be able to comfortably say that they can comply.
The challenge will be if their house isn't in order and then they don't really know what to do with these state-based privacy provisions, because they've never really looked at anything like that before.
Is it costly to comply with the Privacy Act and certain cyber security standards?
Adam Cliffe: Yeah, and what do you say or what are your thoughts on the fact that I get a lot of sort of comments from small, medium business, small medium enterprise, that the cost to comply with things like the Privacy Act and certain other cyber security standards and measures has such an impact on them? What is your response to that?
Nicole Stephensen: It can be costly.
Adam Cliffe: Yeah. Do they have an option?
Nicole Stephensen: Well, small businesses do, in the sense that if they're a small business and they're not expressly covered right now by the Federal Privacy Act, they're in this kind of no man's land in terms of whether or not they decide they're going to apply some privacy rigor.
But again, if they want to do business with a state government agency, or a Commonwealth government agency, for that matter, an organisation that is bound by privacy laws, or local government and they say we will manage personal information in accordance with these rules, they need to be able to demonstrate that they can.
So, this is their catch-22. Some of these businesses are really small. They could be a couple of people, micro-businesses even that are running some amazing online services or software products or managed services, and they're doing these things to less expense for themselves, and they're doing it in these remote and online environments, and that's fabulous.
But it doesn't mean that they don't have to comply. Just because they're small, right. It doesn't mean that they're going to get out of jail free if anything goes wrong. So, from a cost perspective, if you don't have a whole lot of money, there are a few things that you can do as a business. You can go to the regulator websites. So, say you're a small business, you're not expressly covered by the privacy rules at the Commonwealth level, so you're in that sort of no man's land, but you've signed a contract with someone who says you need to comply with the privacy rules. Go to the regulator in that jurisdiction, look at their website and see what kinds of guidance and information they provide. That stuff's all free. And then nominate someone within your business to understand that, to digest it, to try to fit it in with your business processes or design processes around that, and at least get a start, right?
Doing something is better than doing nothing but signing a contract saying you will when you can't and when you're not prepared, that's very risky territory.
Have they included enough in the first tranche of the Privacy Act reforms?
Adam Cliffe: Yeah, and it's been a very busy, I'd say week or two in the privacy sort of world with the reforms and the draft legislation and the first reading of it that's come through and they've done what's called a first tranche of the reading and I'd like to get your thoughts on is it enough of what came out of the reforms? Have they included enough in the first tranche, and have they gone far enough? Do they need to do more? What are the next steps with this?
Nicole Stephensen: Right. So, every privacy advocate everywhere in Australia would say we need to do a lot more than we're currently doing. The privacy reforms which have been ongoing, right, in terms of consultation and research and drafting, that's been a really long process. So, we've all been waiting to see just how many of those agreed or agreed in principle recommendations that came out of the Privacy Act review would make it into the current draft bill. Not as many as we would have liked made it into the current draft bill, but some did and some really powerful opportunities for privacy improvement made it in. There are those several of those agreed and agreed in principle recommendations that we now need to wait for the second tranche for them to come through and to see really whether we're going to get a fit for purpose privacy regime for the modern times that we're experiencing in Australia dealing with the digital economy, dealing with proliferation of technology and that fast advancement of certain types of privacy invasive technologies.
Is there one particular reform that didn't make it into the first tranche that you felt should have?
Adam Cliffe: Yeah. Is there one particular reform that didn't make it into the first tranche that you felt should have?
Nicole Stephensen: Well, just thinking back to the question earlier that you raised about what do businesses do. There was a hope that several of us in the privacy industry had, which was that the current exemption for small businesses would be removed entirely. Exemption for small businesses would be removed entirely. It doesn't seem to make sense in today's day and age, where many businesses are operating online and a bulk of businesses deal in personal information in some way, that there's this whole body of them that are not covered by any law whatsoever. The risk that that places on the community is quite immense, and I would consider that that's the one that I really wish had got more traction.
Another one that I had hoped to see gain some traction was, and we may see this in the second tranche, is creating an environment around consent and the use of consent by organisations and our government in a way that is purposeful, meaningful, and designed to protect the community we serve. Right now, the way consent is applied does not really meet the test for what should be a consent, and that creates a risk to the community.
What is the gold standard for consent and how far off are we on that?
Adam Cliffe: Yeah. Just speaking of consent, what is the gold standard and how far off are we on that?
Nicole Stephensen: Right. So, for consent to be a proper consent, it needs to meet what's called the VICS test, and VICS stands for Voluntary, Informed, Current and Specific. And then there's an additional element, which is that consent needs to be made by someone with capacity. Now, meeting the VICS test in many of our online environments, you will have seen this is really hard. So, a classic example is when you go to a website, and you want to download some software or you want to engage with a platform in some way maybe you want to buy a book or play a game often you see consent used in a way that's actually erroneous. So, you will see language like by continuing to use this site or this platform, or by continuing to purchase this thing, you agree to what we have set out in our privacy policy. Now, probably someone hasn't read the privacy policy, so in order to make their agreement, they need to divert to the privacy policy and do that. Most folks don't do that. But secondly, you can't agree to a privacy policy.
A privacy policy is a transparency mechanism. It's intended to inform you and me about whether or not we want to engage with this business based on their information practices. So, a privacy policy is not a vehicle for gaining consent. But what we also see is that that sort of tick box, tick your way through a process to achieve your end goal, that's not the makings of a proper consent. It might be voluntary, but it's certainly not informed. It's probably not current, in the sense that once you do it one time, these particularly online platforms are treating that consent to apply forever. And then it's not necessarily specific either. Consenting to all of an organisation's information practices for a very specific purpose that you're intending is not actually right. That's not how consent is intended, and what several privacy advocates are saying is that, look, people are abrogating their privacy rights every day simply because consent is being treated as a vehicle by organisations to sort of get around making better decisions when it comes to information handling. I would really like to see that change. I'm not sure how quickly that will change. I think it requires a major cultural shift, and it's also expensive. To implement real-time, well-managed consent processes isn't cheap.
Why is Australia moving quite slowly with its privacy reforms?
Adam Cliffe: And is that why, in my opinion, I think we're moving quite slowly in this? Is it a case of, you know, there's a lot to weigh up from a government perspective in terms of the impacts, and going back to that $3 million exemption, is it a case of that would impact a lot of business within Australia, considering a lot probably fall under that umbrella, and would it place a massive burden on these businesses to then, you know, shape up their sort of controls to be able to comply with that direction?
Nicole Stephensen: Yeah, look, I can sense, with the way that these privacy reforms are rolling out, as well as the consultation process that has come before and is still ongoing in many cases, that there's a real need, as part of meaningful regulation, to bring everybody along for the journey. And there are several organizations, including small businesses, that privacy hasn't been top of mind for them and, again, it requires a cultural shift and an understanding that when we're dealing in personal information, that's the most significant kind of data we could be dealing with and it's the place where we have the most risk. So as organisations we think the data is our greatest asset. It's our food, it's our gasoline, it's whatever you want to call it right. But the data is also a liability.
Once you have it and you have to secure it through its life cycle, it becomes risky for you as a business. Not every business is prepared to deal with that risk in the same way. You see well-resourced government departments or well-resourced large organisations, they can create the privacy programs that are necessary to be compliant and they can do that quite quickly. Your smaller businesses to your point earlier might really struggle if maybe personal information handling is ancillary to what they do. So, it's kind of not top of mind privacy, but then also maybe they have limited staff, limited budget, and so who's going to do the work and who's going to pay for it?
Adam Cliffe: Yeah, spot on. I think they're very used to just dealing with their core business or whatever the daily sort of primary functions are, and then privacy is kind of a bit of an afterthought, and sometimes cyber security as well. I feel like that's slightly changed. But yeah, I feel like the privacy thing is not by design and it's not a mindset they adopt early and it's kind of not a core function, in my experience.
Bridging the gap between cyber security and privacy
Nicole Stephensen: I actually would like to sort of change gears a little bit, because your point about cyber is interesting to me, because when I started in privacy almost a quarter of a century ago which is really wild to say that information security was the thing there was no such thing as cyber yet. It wasn't even a twinkle in someone's eye. It didn't exist. Information security existed and information security was already quite a well-developed discipline and, you know, while it may not have dealt with security in technical spaces or digital spaces as much, it certainly was dealing with security in your analogue information management spaces as well as aspects of physical security, right. So really protecting whatever it is, the documents at that time that you wanted to protect. Privacy was like a public policy kind of nice to have initiative, right. That was, you know, the brainchild of academics and you know some world leading thinkers, but it wasn't well entrenched in terms of business.
I want to hear your thoughts on now, because I'm in privacy, you're in cyber, we collaborate. Do you think that that's the way that we're going now in terms of compliance with, in terms of privacy rules, but also all of the other things, the cyber security standards and so forth that you deal in. What's our role? Is it a shared thing or are we still poles apart?
Adam Cliffe: I personally think that cyber and privacy are two sides to the same coin. I think that we should really be bridging that gap. I think there's such a missed opportunity for not involving each other's teams when things happen like data breaches. I recently did some training and it was quite interesting to see that out of all those privacy professionals in that training, not one of them had been involved in a data breach response and it was all looked after by cyber. Wow, and I just thought you know, for such a key, critical stakeholder in that privacy aspect, having them at the table discussing a data breach would just be invaluable, like the experience and the privacy lens you can put on that. And how do we improve things and how do we actually, you know, instead of just focusing on protecting the data, how do we start talking about why do we even collect the data, and what do we do after when we don't need the data? And things like that. And I think we are our best allies, but often underutilised.
Nicole Stephensen: Yeah, and underutilized together.
Adam Cliffe: Yes, instead of separately and just independently doing a siloed…
Nicole Stephensen: Yeah, especially if you think about if cyber teams are tasked with managing responses to data breaches. The definition of a data breach relates to the unauthorised access, disclosure or loss of personal information. It's not the same as a cyber incident or a security incident. Yeah, but if only security people are looking at it, you're missing this critical opportunity to involve that other side, that other layer of thinking that focuses on things like potential for privacy harm, right? Because you have to determine whether a breach is notifiable. How are you going to do that without a privacy person to walk you through what privacy harm could look like in this circumstance? Yeah, I would tend to agree with you.
Adam Cliffe: Yeah, yeah, definitely. And I think it's also interesting too, because when I walk into a prospective customer or client and they're very quick to show me what's like cyber security standard they've adopted and how they've done this firewall and this endpoint security and this, and you know we've ticked all those boxes, we're now compliant with this standard, and then I go you know that's really good, I'm glad you've done that, yes, but can you show me your data inventory or your data mapping and what's your data minimisation strategies or what's your retention policy?
Nicole Stephensen: Yes.
Adam Cliffe: And then I often get blank stares.
Nicole Stephensen: Oh no.
Adam Cliffe: Yeah, unfortunately, and I think that's why I personally have really over the last few years put a privacy lens on the cyber security aspect and tried to incorporate that a little bit as well so we can actually have those conversations and bring that privacy conversation into the wider scheme.
Nicole Stephensen: Yeah, look, I agree, and you think of things like privacy compliance broadly. Information security is just one of many privacy principles that apply to an organisation you know, or to a government agency. So, when they say, yes, we've got privacy covered because we're certified under a particular security standard, that's not actually true. Privacy and security are not the same thing, but they do work together hand in hand and they're complementary.
Adam Cliffe: Yes, I think it's very hard to achieve privacy without security. Yes, if you're not protecting, you know, the POI data or the sensitive data then you're not going to have privacy.
Nicole Stephensen: Yeah, where conversely, you can have security without any privacy. In certain parts of the world, we just need to go there, and you know, see CCTV cameras, you know, following citizens in the street and credit cards being tracked sort of as a mainstream activity. But here there's a different expectation, and that comes with understanding that if you don't collect personal information that you don't need for your business functions, you don't have to secure it for its life cycle.
Nicole Stephensen: Exactly right, and I think that's the really complementary thing with the cyber security teams as well is that if they understand that they can be having conversations around data minimisation, that's just one less thing you have to put controls around to secure. So, I think it kind of goes into that security by design as well as privacy by design element.
Adam Cliffe: Yeah, and I like that because security by design is actually reflected in our privacy by design principles. It's talked about security by design and by default throughout the journey of personal information, for whether it's for the agency broadly or whether it's in relation to a particular project or a service, and so I like that. Security is there and it's embedded, and the idea of designing for it as part of designing for your larger privacy ethos. I think that's just so critical, and you do need people security people at the privacy table and likewise privacy people at the security table. It's almost as though we need each other to be our ticket to play.
Nicole Stephensen: Absolutely yeah.
What do you think of the innovation budget and the initiatives coming out from the government?
Adam Cliffe: What do you think of the innovation budget and the initiatives coming out from the government?
Nicole Stephensen: So, I'm all for innovation. All for innovation. I love the idea that we can be leveraging technology and data in myriad ways, right, to serve our community. I think that that's tremendous, and I feel that the innovation budgets that are coming out of government are intended to do just that. We particularly see that in the smart city space, yes, where you see lots of Australian cities that are able to deploy some pretty fantastic technologies as part of making life cleaner or faster or more equitable for the community. So, on the face of it, I'm a really big fan of innovation.
My challenge is that, from a policy perspective and from a consistent public policy perspective, we clearly have a high cyber risk landscape right now in Australia. Likewise, we have a high privacy risk landscape. We just have to look at the Medibank and Optus and Latitude issues of recent days, or even just the Office of the Australian Information Commissioner's most recent data breach report, right? We can see that we have a risky landscape, that we're working in.
And then over here we have a bunch of innovation people whom I agree with. Innovation needs to happen in Australia so that we can compete with the world and also serve the expectations of our community. But they are not requiring that, in order to access that budget to build the technology or deploy the technology that you want to deploy or innovate in some other way, that our privacy and cyber security programs are well in place in these organisations first. So, what you see is small local governments getting amazing innovation packages to deploy smart cities technologies like CCTV cameras and sensors and scooters, but there isn't the underpinning cyber or privacy architecture to make sure that they can manage the personal information involved safely.
Adam Cliffe: That's being collected by these, yeah.
Nicole Stephensen: Not just being collected by the cities but being collected by those private sector partners that are working with them.
Adam Cliffe: Yeah.
Nicole Stephensen: So, you know, when you deploy scooters or e-bikes in a city, they require that a person pays for the service and there's a payment architecture that's associated with that and payment goes to a third-party provider. I like to see that there's privacy and cyber security underpinnings to ensure that that one tiny transactional relationship is underpinned by something bigger, so that, foundationally, our cities can say hand on heart, we are taking care of the personal information that's provided to us.
Adam Cliffe: Yeah, and is there a reason why they currently aren't doing that? Is it because, like, from a legislation perspective, they don't have to or…?
Nicole Stephensen: I think it can, you know, and look, I'm not. I'm not an expert in all the in all the conversations that are happening across all the levels of bureaucracy in our government, right, but I can say that oftentimes there are so many compliance burdens that are placed on our government departments, including those that are tasked with pushing things out, such as innovation budgets and various reforms like the national urban policy and various things like that.
We're not necessarily connecting the dots across all of these different spaces and saying, look, there are these five or ten key public policy drivers that intersect with these five or ten other key public policy drivers, with cyber and privacy probably being an intersection point that gets missed.
What are your thoughts on AI?
Adam Cliffe: Yeah, yeah, and it probably wouldn't be a podcast in 2024 if I didn't mention AI. So, from a privacy perspective, what are your thoughts on AI? Where we're headed, what businesses can do, I guess, to implement either large language models or generative AI within their organisation. What would you say would be a good first step for them?
Nicole Stephensen: Right, so before I started talking about deploying, developing and deploying the technology, I would be talking about is my house. In order to develop and deploy this technology, do I have the privacy and information security architecture that is necessary for this to happen safely? That's the first step. Say you get a tick for that, the next step is all right, well, quite apart from the nature of the technology itself, and AI is part of a variety of technologies right that are being developed and onboarded and deployed at the moment. It just happens to be the most exciting or the sexiest one we're all talking about right now.
Adam Cliffe: Yes.
Nicole Stephensen: But I think if we both put our cyber hats on for a second and even privacy, you know how we've talked previously about the concept of reasonable steps and what that looks like? If you think about, if you are designing or deploying any technology, you need to be thinking about, “What are the reasonable steps I'm going to need to take to deploy this in a way that the personal information will be secure?” So, quite apart from having the privacy and cyber foundations, then you need to start thinking about what's going to happen to the information in this context and have I got all my ducks lined up there. And, as you would know, several reasonable steps are technical ones, but there are other ones too.
Adam Cliffe: Correct, yeah, and I think it's very dependent too. I think what is reasonable for one organisation might not be for another, and I think you've got to factor in quite a few things with that, such as, I guess, the data and the types of data that you're holding, whether that just be, you know, PI or sensitive, and then what's the risk of that data being breached and what's the risk of the harm to those individuals, and then I think your controls or your reasonable steps should reflect that, or should be robust enough to reflect that.
Nicole Stephensen: Yeah, absolutely, So, you know how we were talking before about cyber and privacy, people needing to be at the table?
Adam Cliffe: Yes.
Nicole Stephensen: This is one of those moments. So, going back to the question about if you're going to deploy AI, what do you need to do? You have to have your structure, privacy and cyber structure in place, your house in order. You need to be mindful that there are steps you're going to need to take in terms of securing that information through its life cycle, and then you need to do an overarching risk assessment.
So, if you decide you're going to develop and deploy an AI technology, you need to get you and me back at the table to talk about what are the particular privacy and information security concerns and risks that are associated with doing this in a really systematic, detailed, and deliberate way, and then, once you've unpicked what those risks are, putting steps in place to remediate the risks before you take the next step with deploying the technology. We talk about AI all the time, but it could be any technology, right? So, AI is the flavour of the day but, these rules apply to any technology.
Do you think the clarification of what “reasonable steps” is will become more prescriptive?
Adam Cliffe: And just on the reasonable steps, I do recall that in the first tranche there is actually a thing in there to clarify what reasonable steps is. I personally, from a cyber and IT background, I'm used to prescriptive, you know, and when we say reasonable steps, because it's such a sort of grey area and you've got to relate it back to risk and sensitivity of data and stuff like that, do you think the clarification will become more prescriptive or they'll change their language about reasonable steps?
Nicole Stephensen: I would have liked to have seen the clarification in this round of privacy reform be a little bit more prescriptive. I would have liked to have seen that. Right now, the clarification is that reasonable steps need to involve technical controls and organisational controls or “measures” they call them.
Now, what's technical? What's organisational? That hasn't really been borne out super well in the legislation or in the explanatory notes that we saw in this tranche of reform, but the Office of the Australian Information Commissioner has a really good guide already out called in relation to securing personal information, and they actually step out organisational measures, but that could be broken into two things. It can be broken into physical security controls and administrative security controls. Those are your things like policies and procedures and training and overarching governance.
And then there's the technical measures, which are things that you're used to, right, the very prescriptive systemic information security controls that you would see every day.
Adam Cliffe: Yeah, absolutely, and I think it comes down to that, you know, administration versus technical versus physical controls.
Nicole Stephensen: But they all need to work together.
Adam Cliffe: They do, yeah.
Does the government need to speed up putting some structure around the use of AI?
Adam Cliffe: Does the government need to move faster, like, on this? Like I know, you know the first tranche, and we don't even really know, I guess, when the second one's going to come out. I know we all had high hopes that there'd be more. Do you feel like it is too slow? Like if you compare it to say like GDPR or something like that, where, and it was two years, and this is how long you've got to comply or get your business up to shape. I feel like, personally, we're a bit too slow.
Nicole Stephensen: I think we have been dragging our feet a lot in Australia. I think, in fairness to the government, I do take the position that good regulation takes time. I do take that position. But we have had a lot of time, and this round of privacy reform is the most substantial and potentially most meaningful that we've had in all the time the privacy law has been in operation and it has, you know, there have been countless thousands of hours of, you know, reporting and consultation and involvement from civil society and privacy advocates and public policy professionals to try to get to this place.
Do you think the privacy reforms are enough to still put us on the world stage?
Adam Cliffe: Do you think it's enough, like overall, like considering if we did implement all the agreed and agreed in principle reforms, would it still put us on the world stage? Would we still be a GDPR? Like, would we become a GDPR?
Nicole Stephensen: Ah, now, that assumes that you want to have a GDPR-like model.
Adam Cliffe: The only reason I say that is because it's often used as the gold standard and based on the OECD stuff. So, everyone points to GDPR. So, I guess that's why everyone kind of tries to use that as the gold standard.
Nicole Stephensen: I think Australia has a real opportunity to create our own flavour of what works best for us, but we can't keep dithering. We have to do it, and there's many reasons for why we want to do it quickly. The biggest one is meeting community expectations. The second biggest one is ensuring that our government agencies and our organisations understand what is expected of them and can just get on with doing it.
The next one, though, is our ability to compete at international levels and to be able to move personal information across borders seamlessly so we can do our jobs in the digital economy without putting personal information at risk.
So, we want to be able to achieve all of those three things, and quite quickly. To your point, it does look like we're, not wasting time, but we're certainly taking time. The flip side, though, is that, for some of the things that are proposed for our privacy legislation, there are interest groups like our small businesses that need to be taken on the journey and to go through this cultural shift. I can say hand on heart when GDPR was rolled out, small businesses were captured under that regime with no trouble. I have not seen small businesses going under. I haven't seen any evidence or a whole lot of discussion about small businesses really struggling. They just got on with it within the resources that they had.
Adam Cliffe: Is that a cultural element between Australia and Europe?
Nicole Stephensen: Maybe, and it could also be a little bit of a hanging on to a good thing. If I had an exemption that allowed me to manage personal information like a cowboy, I might want to hang on to that, particularly if I was working in a field where I was using personal information in a way that might not meet community expectations otherwise.
Adam Cliffe: Good points.
Do you see any trends or predictions in the next 12 months from a privacy perspective?
Adam Cliffe: And just before we wrap up, I just want to ask you, in the privacy world, do you have, do you see, any trends or predictions in the next, say 12 months? Obviously, you know, we've got the legislation, you know, sort of there, but is there anything else that from a privacy perspective, you see?
Nicole Stephensen: Yeah, I see us continuing to try to get on top of hairy privacy issues that are caused or exacerbated by new technologies and emerging technologies. So, I see us perhaps even focusing less on big picture privacy and that public policy issue and coming down into some granular areas like what do we do about AI or what do we do about facial recognition technology. And this is because we tend to focus on what scares us and things should scare us where they're unregulated or where there are cowboys in the industry doing things that they shouldn't be doing with personal information, and we know we need to get a hold on that. So, things like facial recognition technology and AI, those are areas where we can see the wrong thing potentially happening or already happening. And so that's an area where I think we're going to have a lot of focus, and then the other area will be this free flow of information across borders in a manner that is considered trusted and compliant with the various different regulations around the world. I think that that's going to be another area. It's not as sexy and exciting as the technology stuff, but I think it's really important.
Adam Cliffe: Yeah, it's still important from a business perspective, right? Like in today's, you know, digital economy, like, yeah, I think it's very important we get that right.
But yeah, thank you so much for joining us today. I really appreciate the chat and the conversation. I think I even got a lot out of this. Thank you very much.
[music]
Nicole Stephensen: Thank you, it's been wonderful.
Adam Cliffe: No worries.