Graeme Samuel has launched a last-ditch bid to head off mandated data breach notification laws and what he describes as “heavy-handed federal regulation”.
The former competition tsar and newly appointed chair of Data Governance Australia has urged the government to hold off on its mandated data breach notification and give the industry a chance to self-regulate.
It’s a bold bid, given that the industry has had decades to put such a regime in place and still does not have its code of conduct formalised.
The government’s Bill to amend the Privacy Act in order to mandate serious data breach notification meanwhile has bipartisan support and seems set to become law.
The DGA’s efforts – at least in terms of heading off data breach legislation – seem to be too little, too late.
According to the Attorney General’s Department there are no changes in the timetabling of the legislation. “The Government has announced it intends to introduce and pass mandatory data breach notification legislation in the Spring sittings of Parliament.”
Mr Samuel has been appointed the inaugural chair of Data Governance Australia (DGA), an organisation first canvassed by the Australian Data-Driven Marketing and Advertising association in April this year.
ADMA itself has already produced guidelines about the handling and applications of consumer data for marketing and advertising. DGA is intended to develop guidelines to cover broader, multipurpose applications of consumer or citizen data.
Membership of the DGA will be voluntary but not free. Membership fees have yet to be revealed but Mr Samuel said they would not be prohibitive to smaller organisations which wanted to join.
Members will be expected to follow the code of conduct which will promote “integrity, trust, accountability and transparency.” Members that fail to comply with the code would be “outed” and in the worst case forfeit their DGA membership – which seems a relatively small stick to wield against serious offenders.
While the DGA’s code has yet to be drafted (and could take another four months to emerge according to Mr Samuel) he indicated to InnovationAus.com that it would feature data breach notification, saying “I would have thought that was a fundamental element of any code.”
He said that such a code would be preferable to legislation as it could be more rapidly updated and not subject to interpretation by the Courts. “We are not talking about lawyers thinking ‘can I get around by this loophole.’ Codes don’t operate this way.
“I am a strong advocate for codes rather than government regulation. I am hoping we can say to the government ‘give industry a chance to regulate itself. If they fail, then you can jump in.’ Failure would open the door to government regulation.”
The industry has, however, had decades to regulate itself and is only now doing so with the legislative clock ticking down to midnight.
The DGA may also compete for oxygen with other industry groups which have been formed with similar intent. Information Governance ANZ, for example, was established earlier this year, based on a US model, as a forum for organisations looking to maximize the value of data held and minimize the risks of holding it. Unlike the DGA, membership of IGANZ is free.
Susan Bennett, co-founder and director of IGANZ, met Jodie Sangster, the CEO of both ADMA and the Institute of Analytics Professionals of Australia, last month.
She said that IGANZ welcomed any efforts to bring awareness to the issue, and that DGA would be welcome to affiliate itself to IGANZ in order to avoid silos of activity being established.
“Information Governance is an umbrella for all information management activities undertaken throughout an organisation by a diverse range of professionals. There are eight key disciplines… including information management, records management, cybersecurity, data analytics, data governance, eDiscovery, privacy and risk and compliance,” she said.
Mr Samuel said that he did not see DGA as being in competition with IGANZ.
Despite the DGA’s late start, Mr Samuel said that its goals were to create a self-regulating environment that met industry and community expectations regarding integrity, accountability, transparency and trust surrounding data collection and use.
Mr Samuel said that the organisation intended to consult widely before drafting its code in order to meet the “reasonable expectations” of both industry and consumers.
“This will not meet the extreme views of those in the industry or those in the community,” he warned. Instead the code would seek to strike a balance. “There are reasonable consumer expectations, but there are other imperatives. It’s a question of striking a reasonable balance.”
One area where there is a striking lack of balance is in the composition of the initial board of 13 – only two of whom are women. Mr Samuel acknowledged the skew, said that he was aware of the importance of diversity and said he was sure that the imbalance would be addressed in the future.
The founding board members of DGA include representatives from Quantium, NAB and Westpac, Veda, Woolworths and Coles, Data Republic, IAG, Allens Linklaters and Qantas Loyalty.