The government’s planned privacy code for the public sector is a “smokescreen” to cover its series of failures in the space, and has no hope of preventing similar failures in the future, the former chair of the Australian Privacy Foundation has warned.
The government said in May that it had agreed to a push from Australian Privacy Commissioner Timothy Pilgrim to develop a new privacy code for all departments and agencies subject to the Privacy Act.
Mr Pilgrim said there was an “urgent need” for the code following a series of high-profile bungles by the government when dealing with sensitive data, including the census and robo-debt controversies.
“The code will be a key privacy protection mechanism which will help to facilitate the success of the Australian government’s broader data, cyber and innovation agendas,” Mr Pilgrim said.
“I believe that the code will symbolise the APS’s commitment to the protection of privacy and build public trust and confidence in the Australian government’s information-handling practices and proposed new uses of data,” Mr Pilgrim said.
But long-time privacy consultant Roger Clarke said the code would not prevent these same problems in the future and would “achieve nothing positive”.
“The code is nothing but a smokescreen for failures by government agencies to comply with their longstanding obligations,” said Mr Clarke, who is also a board-member of the Australian Privacy Foundation and its former chair.
“The sole purpose of the announcement is to deflect the media’s attention away from the reality of dismal performance by government agencies, the desperately weak protections for our data and over a decade of failure by the Privacy Commissioner to exercise the available powers to bring agency practices into line.”
Criticism of the privacy code centres on the fact that it will not implement new and stringent obligations for agencies and their use of data, but will rather provide a practical means to meet existing rules set out in the Privacy Act.
“It will make explicit minimum expectations of all agencies under Australian Privacy Principle 1.2 which requires reasonable practices, procedures and systems in place to comply with the APPs,” Mr Pilgrim said.
“The Privacy Code makes requirements of practices that many agencies, and businesses for that matter, already have in place. Indeed, if you’re an agency that has a privacy-by-design approach, and has been implementing our guidance, then the code will mean little net change.
“It is about ensuring that a single, clear, high standard is created across the APS. It is about making best practice the only practice for the APS.”
The privacy code will include the establishment of a privacy management plan, a dedicated privacy content officer, a ‘privacy champion’ and a written privacy impact statement for all “high risk” projects, which will be made public.
The privacy code is just a copy of what the Privacy Act already sets out, and won’t make any real impact, Mr Clarke said.
“The announcement is essentially that agencies will now perform basic activities that they already have an obligation to perform. The privacy code initiative is a complete joke, at the public’s expense,” he said.
“The public service doesn’t even take its limited obligations seriously enough to do a professional job of respecting them, and the Privacy Commissioner has had too little success in addressing his primary objective – protecting the public service from embarrassment – and needs to be seen to be doing something.”
The Privacy Act already sets out a number of the initiatives included in the proposed code, including a privacy content officer, which has been a requirement since 1990, and privacy impact assessments, which have been government policy since 2005, Mr Clarke said.
“Agencies have long been required to have a privacy officer and a privacy management plan, to train their staff in privacy matters, and to include tests of their compliance with privacy law in their audit programs,” Mr Clarke said.
“That’s all been necessary since the Privacy Act came into force way back in 1990,” he said.
“They’ve been subject to a government policy requiring PIAs for significant initiatives since at least 2005, when Philip Ruddock was Attorney-General. This includes an obligation to publish the reports arising from PIA processes.”
But with the increasing use of personal data by public agencies and the privacy risks associated with it, the new code is a step in the right direction, UTS Business School associate professor Bronwen Dalton said.
“In an age where personal and surveillance data will inform future government decisions, affecting us individually and collectively, the challenge will be to ensure personal information does not extend to information that can reasonably identify an individual,” Ms Dalton told InnovationAus.com.
“That is why the proposed Australian Public Service privacy code covering the data citizens give to the federal government is critical and timely.”
“Governments need information to inform how to best serve Australians, but in the process of collating and analysing should never compromise our right to privacy, and our rights to be protected from those who wish to use information against us.”
A draft of the privacy code is expected to be made public next month, with two months of public consultation to follow. Code documentation and supporting resources will be published by the end of the year, with training courses for public servants on offer from February.
The official privacy code will come into effect from July next year, with a failure to comply with it constituting a breach of the Privacy Act.
The announcement of the new code follows a sustained series of high-profile privacy blunders from the government when dealing with sensitive data, including last year’s census crash and the ongoing robo-debt debacle.
It also comes as the government is increasingly focusing on making public data open to the private sector, Mr Pilgrim said.
“Many APS agencies have powers to collect personal information on a compulsory basis, in exchange for the provision of services and payments. This means that individuals are not always able to exercise meaningful choice over how their personal information is used,” he said.
“These factors underline the existence of a strong need for APS agencies to enhance their existing privacy capability to enable them to better prepare for contemporary privacy issues.”
But Mr Clarke said the recent controversies show the current privacy protection system isn’t working, and the new code doesn’t take steps to fix it.
“The media need to keep reporting the continual inadequacies of government agencies in relation to data security and their arrogance in dealing with the public. The census disaster and the Centrelink robo-debt fiasco are examples of issues that need to be ridden continually,” he said.
“We all need to relentlessly pursue the Privacy Commissioner for his continual weak-kneed behaviour, excusing agencies and corporations when they breach privacy obligations.”
More stringent rules and obligations in dealing with private data are required for all government by the Privacy Act, he said.
“Parliaments need to be continually reminded that it’s their fault that so many problems people face can’t be resolved,” Mr Clarke said.
“Parliaments should have long ago stopped posturing, and implemented the carefully-balanced privacy right of action recommended by all law reform commissions.”