In search of privacy excellence


By Helaine Leggat
Thursday, 24 May, 2018



Australia’s narrow focus on compliance is detrimental to global privacy objectives. What’s needed is ethical leadership.

Against the backdrop of Australia’s Notifiable Data Breaches scheme (NDB) and the preparation for the soon-to-be-effective General Data Protection Regulation (GDPR), and at a time when many proffer advice on ‘privacy’, I am reminded of Australian businesses’ slow uptake of interest in the subject.

I had been tracking changes regarding privacy and personal information (PI) since 2003 when I wrote in a 2014 article, “[T]here is no doubt in my mind that the value attached to personal information or data privacy is not properly understood. In my view, it is the most important category of information that there is today — it provides access to almost anything. Good and evil.”

Despite increased risk to individuals, businesses and nations, resistance to change and lack of interest have persisted. Last month, the general counsel of a multinational organisation asked me why privacy was getting so much attention, and what, if anything, had changed? This, from a leader whose organisation would incur penalties of $200,000-plus under the GDPR regime.

Many years’ experience tells me PI — information that could identify an individual — is the most important kind of information, on par with national security. The Facebook surveillance machine, Cambridge Analytica and the persistent psychographic targeting debacle support this opinion.

So it was heartening that a Facebook cybersecurity executive urged transparency on (Russian) disinformation. It was reported that the security team had pushed for more disclosure about how nation states had misused Facebook, but the legal and policy teams generally prioritised business imperatives.

I have worked in cyber warfare for well over a decade. We have moved beyond debates about its existence to accepting it’s real. Cyber warfare goes beyond outdated kinetic impact to ransomware hostilities such as those waged against the health sector. The result of monetising data in that sector (currently the highest attack vector) is that PI becomes a matter of life and death.

Forward-thinking organisations know that nation states are on the list of attackers they must consider and counter. They plan for a future where assessing director liability regarding care and diligence has ratcheted up. We are way beyond ‘check lists’ and ‘top 10’ action summaries — the question of global stability linked to the commercialisation and criminalisation of PI requires ethical leadership.

Australia’s 30-year-late adoption of mandatory breach notification is symptomatic of other ‘Lucky Country’ behaviours. Why do we insist upon legislation as a precursor to action? While the business world looks to technology for the next financial boom, attackers are working on cyber weaponry. Organised criminals, terrorists, hacktivists and hackers will be harder to counter than before, their activities disregarding both physical and legal jurisdictions.

Privacy and PI are vital for stable world economies and foreign relations. The breakdown of legal structures that societies have relied upon for centuries, an increasingly punitive regulatory environment and inadequate security solutions have led to instability. Ethical business leadership involves alignment of business types and processes with the reasons for which law affords protection to PI.

The GDPR is designed to harmonise data privacy laws across Europe, to protect and empower EU citizens’ (and non-citizens’) ‘data privacy’ by better protecting PI and to reshape the way EU organisations approach data privacy. Petabytes of information have been produced on GDPR, but the issue is identifying quality resources and their proper application to the business sector via pragmatic and ethical responses.


Multi-jurisdictional businesses must emulate the GDPR objective of harmonising data privacy laws across Europe. This means businesses must set their bars to compliance and risk across all jurisdictions. In turn, this means understanding more than just the NDB Scheme and GDPR — security, data sovereignty and other laws must be in the compliance and risk mix. The most common mistake — and biggest waste of resources — is treating privacy as a standalone issue.

The situation in Australia is compounded by a statute unlike any in the world. Its terminology, concepts and content are inadequate in relation to the European Union (EU). As a result, Australian businesses are required to work harder to compete globally and win trust.

The concept of ‘privacy’ is related to PI, but different. Some privacy laws, like the Australian Privacy Act 1988 (Cth), are not concerned with privacy. Australia does not currently recognise a right to privacy (tort). In fact, Giller v Procopets [2004] VSC 113 is the only Australian appellate authority for the recovery of compensation for emotional distress in a breach of confidence action, not privacy.

The EU approach recognises the right to privacy and seeks to protect individuals whose PI is ‘processed’. Importantly, it provides legal recourse to individuals whose rights have been infringed. The concept of ‘controllers’ of PI (who determine use) and processors (who process PI on behalf of controllers) is particularly useful for identifying responsibility and accountability regarding PI flow. Australian privacy law lacks this clarity. Sadly, it has also failed to adopt some of electronic model laws’ most empowering provisions, and Australian business consequently must work harder to achieve international parity.

Existing mechanisms and standards that provide trust in global privacy are neither understood nor commonly used in Australia. Australia’s trading relationship with the EU has not resulted in the Australian Government providing the assurances that the United States Government has in relation to the Privacy Shield, effectively ensuring individual rights of recourse.

Overall, the lack of consistent terminology, and the use of and differences between contractual clauses and corporate binding rules (CBR), are neither well understood nor employed in Australia. The interaction between privacy and surveillance is rarely, if ever, mentioned in corporate policies, to say nothing of complex Australian federal telecommunications laws governing switched networks, and state laws governing internet protocol data surveillance.

Mistakes in the reading of statutory instruments abound, to say nothing of how some provisions might be interpreted. Of greatest concern is Australian businesses’ failure to identify when the GDPR applies. Its ambit is wide and, admittedly, there are interpretation and application nuances. Time will tell how courts decide, but there is no excuse for dumbing-down possibilities.

Privacy and PI are much more than a compliance issue; businesses must do more than the basics, they must strive for excellence. If they do, I am confident of a return on their investment. One clue (by no means legal advice) is to engage a multidisciplinary team. Public pronouncements in the form of published privacy policies speak volumes. Make sure you do what you say you do.

I prefer not to be a ‘doubting Thomas’, but a report last week surprised me: “Nearly all (96%) Australian IT decision-makers feel confident that their employees are equipped to comply with both regulations”. I sincerely hope I am wrong.

Helaine Leggat is a Principal Lawyer with Sladens, and one of a few lawyers in the world to hold the CISSP, CISM, CIPP and CIPP/IT credentials. She has specialised in policy, cyber law (information/TMT), cyber security, data privacy and governance since 2000, and has provided services to public and private sector organisations globally across all sectors. Her appointments include as a Member of the Expert Network for the Australian Department of Industry and Science, inclusion in the Ducere Global Faculty of thought leadership, and participation in an industry working group for the Prime Minister’s Advisory Council on Cyber Security.

Image credit: ©iStockphoto.com/Vlad Kochelaevskiy
