Privacy Awareness Week blog series: From principles to practice
Privacy is often a somewhat abstract thing. It’s very real when our own privacy has been breached. But at other times it’s a right we may take for granted. People often trade their privacy for some perceived benefit – for example, giving up their name, address, and possibly birthday, to win a prize of some kind.
Quite often we push privacy to the back of our minds in order to achieve a particular goal, quickly. Who has the desire, or the time, to wade through pages of terms and conditions, which are often written in obscure legalese, in order to understand what we’re giving up?
This is one of the reasons this year’s Privacy Awareness Week has the theme Privacy: From Principles to Practice. Because the risks to privacy are not always clear, we need to think less in terms of the theory of privacy and more in terms of how it is at risk, or can be protected, in daily life.
The particular problem we’re all dealing with in 2018 is the persistence of data. Once you’ve had your privacy compromised, for example by providing more information than you’d have wished to disclose, it’s hard to understand the uses to which that data might be put, where that data will go, who it will be shared with, and for how long it will be kept. Worse, sometimes we’re not even sure when we’ve accidentally ‘consented’ to our information being shared, simply by being part of other activities.
Few outside of Facebook and the makers of quiz apps understand that our personal data is made available to the quiz makers when our Facebook friends play those games, even if we’re not the ones using those apps. In general, we expect to have to consent when we give up privacy, and the processes around signing up for social media – and some other websites – are so difficult for most people to comprehend that our understanding of what ‘consent’ means in the context of participating in a social media platform isn’t the same for users and operators. In Australia, the principle of consent is enshrined in laws, for example the Commonwealth Privacy Act 1988 and, in Victoria, the Privacy and Data Protection Act 2014.
Businesses, individuals and government agencies need to move beyond a legal approach to consent. Since it’s clear most people don’t have an understanding of all the information in the terms and conditions they agree to when signing up for services, we need to move, as a society, to a more transparent mechanism to ensure people are aware of the true risk-benefit balance to agreeing to those terms. We need to have a shared understanding of what it means to actually give consent.
That shared understanding of consent is vital to the continued operation of the internet. Without trust that we are dealing with reputable sites, e-commerce would come to a halt. Without trust that our data is protected and used ethically, people will stop using services, or they’ll demand regulation to protect them. And that’s not a legal issue so much as it is a social one.
The first blog post in our Privacy Awareness Week blog series went into more detail on practical steps to achieve genuine consent. Many of these are also reflected in a new European law, the General Data Protection Regulation, which comes into effect later this month. While that law governs data belonging to EU citizens and residents, the principles that underpin it are laudable, and it will be most interesting to see how it is put into practice and enforced by EU courts.
Beyond the issue of consent, the Office of the Victorian Information Commissioner (OVIC) has also been exploring the limits of effective de-identification, and in particular the limitations of “open data,” where data containing ‘de-identified’ individual-level records is released online. We recently published a report on this issue. In coming weeks we will also publish a brief overview of Artificial Intelligence (AI), which explores the key challenges that AI raises for information privacy, and later this year, a more thorough look at AI and its impact on privacy and service delivery. These are but a few of the themes that the international privacy community is currently exploring, and at the core of OVIC’s work in these areas is a commitment to demonstrating to the Victorian public sector how they can work with the Information Privacy Principles to harness the opportunities of AI and de-identification in a practical way.
This week OVIC has been running a range of activities to help people better understand how to protect their privacy, and for government agencies to better understand how to work with data and deliver services in a privacy protecting manner. The idea behind our Privacy Awareness Week program is to provide practical advice that you can actually work with to improve the culture of privacy in Victoria.
How you work with data and systems is at least as important, if not more important, than what you think about privacy in the abstract, and OVIC looks forward to continuing to explore the practical implications of data and digital service delivery upon the people of Victoria.
This blog post was written by Rachel Dixon, Privacy and Data Protection Deputy Commissioner, Office of the Victorian Information Commissioner.