Privacy Awareness Week runs this week from 3 to 9 May 2015. This morning the Australian Privacy Commissioner, Timothy Pilgrim, and a panel of academic and industry speakers discussed the issue of 'Privacy – living in the future'. Below we look at 5 of the topics covered:
1. Regulator focus
The Privacy Commissioner's focus for this year is on 'privacy everyday'. In other words, the regulatory focus has shifted from implementing privacy practices to embedding them in the everyday practices of an organisation or agency. To this end, the Privacy Commissioner has released a 'Privacy management framework' to assist compliance with Australian Privacy Principle 1.2 and to encourage good practice.
In the coming year, the Privacy Commissioner said he will work with telcos to help them comply with the new data retention laws. Additionally, the Privacy Commissioner expects to engage with the Attorney General on new legislation to introduce mandatory data breach notification.
2. The concept and legal definition of 'personal information'
Technology and 'big data' will change how we approach 'personal information'. Personal information has traditionally been understood as information about an individual. Yet information about a device (such as the location of a smartphone) is not information about a person but can still reveal personal information (e.g. an individual's location and the places that they frequent). Aggregating information from different sources can reveal even more details about an individual.
While the definition of 'personal information' in the Australian Commonwealth Privacy Act 1988 (Cth) captures information or an opinion 'about an individual who is reasonably identifiable', there is little jurisprudence on how far this definition extends.
3. Biometric data
The use of biometric data for identity verification purposes can increase the damage that identity theft causes to individuals. Computers and phones increasingly use biometric data, such as fingerprint logins. Because biometric data cannot be changed or replaced, unlike a credit card or driver's licence, once its integrity is lost, it is lost forever. The collection of this information and, more significantly, its loss or unauthorised access to it, has serious ramifications for identity theft.
Difficult privacy issues arise when handling children's personal information. For example, in the US, Mattel recently came under fire for its 'Hello Barbie', a Wi-Fi enabled product that recorded the voices of children and was designed to learn about a child's likes, dislikes and ambitions in order to respond to the child's questions. The doll was withdrawn after parents and advocacy groups expressed concern that the technology would gain access to private conversations.
The participation of children on social media sites also raises the issue of how to accurately verify an individual's age.
5. International guidance
The EU Directive on Data Protection is becoming increasingly important. One observation made was that many large organisations have established significant corporate activities, including data management, in Ireland in response to the advantageous tax regime in that jurisdiction. As Ireland's Data Protection Act 1988 is in line with the EU Data Protection Directive 95/46/EC, US companies that establish associated companies in Ireland storing large amounts of personal information need to apply the EU directive to those companies' management of personal information. Consequently, US companies will be increasingly looking to Europe's privacy protections.
Visit the Office of the Australian Information Commissioner www.oaic.gov.au for more details about Privacy Awareness Week.