This week was privacy awareness week (PAW) in Australia, which the OAIC runs in conjunction with State and Territory privacy regulators, government agencies & the private sector to highlight the importance of appropriate protections of personal information to all Australians as well as the digital economy. The theme this year has been “Privacy: The Foundation of Trust”, with a number of events organised around Australia and freely available online on the OAIC’s PAW site.
As the Australian Information Commissioner and Privacy Commissioner, Ms Angelene Falk, explained at the launch of PAW on Monday, trust is central to personal information handling practices. This has been seen during the COVID-19 pandemic – consumers trusting the Government with their personal information sufficiently enough to hand over their personal details and location data was critical to supporting public health outcomes. As the digital economy grows and we engage further in the online world, trust will only become more important.
On the flipside, times when it goes awry can seriously undermine public confidence in an organisation’s ability to handle personal information. There are probably a number of examples we can all think of, but a prominent one that came up in one of the PAW sessions was the case of Robodebt – where there were allegations that personal information may have been improperly handed over to debt collectors. While in the case of Government services clients do not have the option of going to an alternative provider, in a commercial setting, there is a significant risk that this would simply result in consumers not dealing with the organisation anymore. As Ms Falk pointed out, 45% of respondents to a recent global survey said they would stop using a company’s services if they had suffered a serious data breach.
So what can organisations do to build trust with consumers? This is an ongoing conversation and as businesses grow and evolve and technologies change, they will need to revisit how best to ensure that consumers have faith in their data handling practices in the context of their own businesses. However, some key themes that have emerged from this week’s discussions include:
- Privacy by design
The OAIC defines privacy by design as “a process for embedding good privacy practices into the design specifications of technologies, business practices and physical infrastructures. This means building privacy into the design specifications and architecture of new systems and processes.”
Putting individuals at the centre of product design practices will only become more important as more transactions occur online, including ongoing upgrades to technologies and allowing for changes to technologies to stay contemporary and consistent with community standards as they shift as well. At Monday’s launch of PAW, Apple’s Chief Privacy Officer gave the example of facial recognition in iPhone Photo Albums being limited to each Apple device via on device processing rather than any data being sent back to Apple servers, as an example of minimising data collection and use to the purpose it is required for.
As the OAIC highlighted, having the right privacy protections in place can give rise to a company having a competitive advantage that the community will respond to – which of course is also an issue that ACCC has noted and that is currently being worked through in the context of the Privacy Act and other reviews in terms of achieving the right balance between protecting consumer privacy on the one hand, while also ensuring a healthy business environment on the other.
- Importance of consumer controls and ‘privacy hygiene’ for consumers
Another key theme that has come up is the importance of consumer controls and education which promotes and allows consumers to engage in ‘privacy hygiene’ and adjust settings to their own personal preferences – which will of course differ depending on their own experiences and perspectives.
Consumer surveys consistently show that most Australians consider that there should be transparency and choice for consumers around the collection, use and disclosure of personal information. Transparency and control are key to privacy protection, the validity of a consumer’s consent to use of their data, and to enabling consumers to make informed choices in selecting services that process user data in a way that meets their individual privacy preferences.
Of course, the other issue that came up was that of shifting some responsibility for privacy away from consumers towards organisations – which is the opposite of providing consumers with more control, however again, the two competing interests need to be appropriately balanced (no easy task!).
From a commercial perspective, consumer privacy rights and information handling practices are increasingly factors in purchasing decisions alongside quality, convenience and price.
- Security of PI
As always, security has consistently come up as paramount in discussions at PAW. Security is of course essential to gaining consumer trust. Privacy of information does not exist without security and it’s critical that companies invest in appropriate security measures.
In summary, privacy issues are not going away anytime soon. This is an ongoing discussion and regardless of where we end up with the Privacy Act review; responsible, transparent and accountable data handling practices will ensure businesses’ meet the expectations of their customers and promote trust in their products and services, which ultimately is essential for the strength and sustainability of our industry.
For more detail about these and other privacy issues discussed at PAW, as well as access to videos of some of the sessions, see Privacy Awareness Week 2022 | Privacy Awareness Week 2022 (oaic.gov.au)