The IAPPANZ (International Association of Privacy Professionals, Australia New Zealand Chapter) held its annual summit in November, titled ‘Trust in Privacy’. I really like this conference which gets the top privacy brains talking to the community. Amongst other things there were updates from Privacy Commissioners on their jurisdiction which inter alia (have I been at a legal focussed conference?) allowed me to glean the following interesting issues:
- 83% of FOI requests at Commonwealth level are for personal information
- The Privacy Amendment (Re-identification Offence) Bill 2016 has been referred to committee which is anticipated to report in February 2017.
From NZ, some of the top issues reported by John Edwards Privacy Commissioner were:
- Discussion of mandatory data breach reporting, which surely is coming to Australia in one form or another pretty soon
- The introduction in Latin America of the concept of ‘Habeas data’ – a right to seek to know what information is held about a person in a data source (manual or automated), with remedies which vary between jurisdiction.
Beyond these very useful and interesting updates on specific jurisdictional issues I was really engaged by the presentation by Malcolm Crompton, himself a previous Privacy Commissioner. My musings are only part of his presentation, available here: http://iispartners.com/Publications/index.html (under Privacy regulation and reform). In particular I was struck by:
- A very interesting diagram of data types and individual awareness, categorising data as provided, observed, derived and inferred from Abrams ‘The Origins of Personal Data and its Implications for Governance’ (2014) http://informationaccountability.org/wp-content/uploads/Data-Origins-Abrams.pdf
- The observation that privacy (particularly managing personal information) is really a question of implementing an implicit social licence. If that social licence is not observed or deliberately broken, then there will be backlash. Observing a social licence isn’t the same as compliance with the law.
- A questioning of whether the privacy framework as currently conceived is really working all that well. It is operating at an incredibly granular level – individual consent to specific information; so much information; managing inferred data rather than data supplied directly by an individual. Is the current framework really feasible as a way forward, and if not, what alternatives might exist.
The discussion during the day reinforced the absolute synergy with recordkeeping issues, as you would expect. But interestingly there was NOT ONE reference to recordkeeping made!!! None the less, information governance is certainly on privacy professionals’ agendas. And so, too, were the problems of getting appropriate attention from senior decision making levels of organisations. Much synergy but not much appreciation of the need to think outside disciplinary silos – always work in progress.