
Interview with Malcolm Crompton

 

July 2004

 

This interview by Terry McQuay, Nymity's President, with Malcolm Crompton, former Privacy Commissioner of Australia, focuses on the impact Australia's private sector privacy law has had on private sector organizations. In December 2001, the private sector amendments to the Privacy Act 1988 (Cth) (the "Act") became operative. The new provisions apply ten National Privacy Principles (NPPs), found in Schedule 3 of the Act, to the private sector.


Nymity: Mr. Crompton, please provide a history of privacy in the private sector of Australia.


Crompton: The history is, in fact, quite long. For example, Professor Sir Zelman Cowen, a leading juror in Australia and later our Governor-General, presented the prestigious Boyer lectures in 1969 on radio for the Australian Broadcasting Commission. He titled his lecture series The Private Man and one of the notable remarks from those lectures was his view that "A man without privacy is a man without dignity; the fear that Big Brother is watching and listening threatens the freedom of the individual no less than the prison bars." Unfortunately, his lectures are not available online, but copies of the resulting book may still be available from www.abc.net.au.

Then in the late 1980s, The Hon. Mr. Justice M.D. Kirby, then Chairman of the Australian Law Reform Commission, chaired a group of government experts that developed the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. These guidelines have formed the basis of most, if not all, data protection law ever since, worldwide.

Australia got its first data protection law in the form of the Privacy Act 1988, a Federal law. It applied to almost all Federal Ministers and agencies with few exceptions such as some national security agencies. In the early 1990s, Part IIIA was inserted into the Act to apply to the credit industry. From December 2001, the Privacy Amendment (Private Sector) Act 2000 came into effect. The Amendment Act applies privacy law to over 70% of private sector business activity, including all private sector health service providers, all private sector organisations with a turnover of over $3 million and to small businesses that fall into a number of categories including those that trade in personal information for 'benefit, service or advantage'.

Informal arrangements preceded the Federal law in various State jurisdictions and three States/Territories have adopted privacy law since 1988. Informal arrangements persist in most of the other states. The Privacy Law History page on the website of the Office of the Federal Privacy Commissioner, www.privacy.gov.au, sets out the history in more detail and the State Privacy Laws page summarises the current position as regards the States and Territories.


Nymity: What was your role?


Crompton: I was the third person appointed as Federal Privacy Commissioner, the two previous Commissioners being Kevin O'Connor and Moira Scollay. I was commissioner for 5 years until the end of April 2004 and as such was responsible for putting the new private sector privacy provisions into place. We did this through a series of strategies for 'promoting an Australian culture that respects privacy', as set out in the Office's Strategic Plan 2003 and Strategic Plan 2000. As the privacy regulator, the Office was charged with education and assistance to organisations and the public at large; contributing to policy development where there was a privacy implication and to resolving complaints by individuals against agencies or organisations alleged to have caused a breach of privacy.


Nymity: Why did Australia enact privacy legislation for the private sector?


Crompton: As is often the case, there were many reasons for doing so, but two of the immediate reasons at the time were a desire to meet the European Data Directive 95/46/EC 'adequacy' requirements and a desire by business to avoid having to be subject to different data protection laws passed by individual state jurisdictions. Unfortunately, the Europeans have not yet seen fit to regard Australian privacy law as 'adequate' by their measures.


Nymity: What was the initial reaction from corporations in Australia?


Crompton: Generally positive, including because the business chambers etc had been supporters of introducing such law. Some professions were supportive in principle but not necessarily supportive of the particular drafting of the law, for example some of the health professionals.


Nymity: What were the major challenges corporations in Australia faced when complying (2000-2001)?


Crompton: The same as is always the case with new law. First and foremost, simply understanding it then finding a sensible way of applying it to their circumstances. There were many advisers offering their services with differing interpretations and unfortunately, a number took a very narrow, highly risk averse approach that would have made life more difficult than it needed to be.

Some larger organisations have spent millions of dollars on policy development, systems redevelopment, privacy notices and staff training.


Nymity: Besides creating privacy policies, what else did organizations do in response to the Privacy Act?


Crompton: Many of the more responsible undertook quite a sensible range of steps, including sending out privacy notices to their customers, analysing and rebuilding systems and training staff. The Office focused much of its effort in 2000 and 2001 on helping organisations make appropriate arrangements. The written product of that work is available on the Private Sector - Business page of the Office website and includes Guidelines, Information Sheets and FAQs. The Office also introduced a Small Business page, with material specifically designed to help that sector.


Nymity: What are the major challenges facing corporations today?


Crompton: The answer to this is unclear. The initial introduction phase is over and some commentators perceive business as no longer focussing on data protection issues. Evidence for or against this assertion needs to be collected and if the Two Year Review promised by the previous Attorney-General proceeds (and now due), it should bring to light such evidence.

There is now a track record of how the Act is being interpreted, in the Case Notes and Determinations issued by the Office. All these are published on the Complaint Case Notes and Complaint Determinations page of the Office website. Very recently, the first court decision interpreting the Act was handed down by the Federal Court, Seven Network (Operations) Limited v Media Entertainment and Arts Alliance [2004] FCA 637 (21 May 2004). This could have significant impact, including on the phone call centre industry because of its interpretation of National Privacy Principle 1.3, that will require more to be given by way of notice during a call than many operators had been in the practice of doing.


Nymity: How did consumers react to the Privacy Act? Do consumers understand their rights? How do they interpret the Act?


Crompton: There is certainly continuing media interest in privacy and in the operations of the Act. The work of the Office was regularly reported, particularly in the print media. The view of the wider community may be relatively muted, but very shortly we will be in a position to know this much better. The Office has recently undertaken a second Community Attitude survey to gauge the answers to questions such as this. I hope that the results are published in the near future. The survey will be comparable to the results obtained by the Surveys conducted in 2001 so will give an indication of the impact of the new provisions since then.


Nymity: What pressures do consumers put on private sector organizations as a result of their understanding of the Privacy Act? How are corporations altering their business practices due to this consumer demand?


Crompton: The day to day pressure is hard to measure from the perspective of a regulator. The forthcoming survey results should provide some insight, however. The Office's greatest insight has come through its handling of complaints and inquiries, both of which vastly exceeded expectations and the levels of increased funding provided when the new private sector privacy law was introduced. The Office receives some 1200 complaints a year, 6x more than before the new law commenced and nearly 3x the phone & email inquiries. The anticipated and funded increase was about 2x. For details, see the Complaints and enquiries statistics page on the Office website or the Office's Annual Reports. These statistics are a pretty reasonable indication that individuals are exercising their rights.

In addition, the media take a fairly consistent interest in privacy issues and organisations are responding to protect their brands.


Nymity: What has the impact been on the retail industry?


Crompton: Australia's retail industry has not been nearly as aggressive as North American retail in establishing individual Loyalty Card and other arrangements, although they do exist. The most popular Loyalty Card arrangement is probably Fly Buys, established by a group of retailers and credit card providers. It has a generally good approach to respecting privacy, including a comprehensive opt out offering for those who want to gain loyalty points without having their information being used to market directly to them.

In addition, the largest retail chains have good, specific privacy policies in place.

Large retailers have not shown up in complaints statistics as a major source of complaints. For example, Figure 5.3 of the Office's 2003-2004 Annual Report lists retail as comprising less than 2% of complaints received in that year.

Direct marketing has come in for its fair share of criticism and the Australian Labor Party, the leading Opposition Party, has only just announced that it will introduce Do Not Call legislation similar in concept to the US Do Not Call arrangements. Again, though, the Australian direct marketing industry has been nowhere near as aggressive as the industry in North America and the Australian Direct Marketing Association has sought to introduce codes of conduct to rein in the worst offenders.


Nymity: Please provide some details as to the nature of the 20,000 inquiries your organization receives in a year.


Crompton: Section 5.2 on page 63 of the Office's 2003-2004 Annual Report spells out the nature of inquiries in some detail.

Table 5.1 Hotline Enquiries 2002–2003

Issue                                   Number of calls
-------------------------------------------------------
Credit Reporting                                  1,708
Data-matching                                        18
IPPs                                              1,347
Spent Convictions                                   186
TFN                                                  91
Privacy General                                   1,872
Privacy Issues Outside Jurisdiction                 610
Sub-total                                         5,832

Private sector amendments
Private sector provisions General                 1,441
NPP 1: Collection                                 1,995
NPP 2: Use & Disclosure                           5,070
NPP 3: Data Quality                                 226
NPP 4: Security                                     604
NPP 5: Openness                                     241
NPP 6: Access & Correction                        2,032
NPP 7: Agency Identifier                             29
NPP 8: Anonymity                                     26
NPP 9: Transborder Data Flows                        53
NPP 10: Sensitive Information                       170
Exemptions                                        2,530
Sub-total                                        14,417

Unrelated to Privacy                              1,041
-------------------------------------------------------
TOTAL                                            21,290

Nymity: With over 1,000 complaints a year, what were the major industries impacted and what were the predominant complaints?


Crompton: The Complaints and enquiries statistics page on the Office website and the Office's Annual Reports provide the best immediate statistics available, including splits by nature of complaint and industry sector source. Figure 5.3 of the Office's 2003-2004 Annual Report indicates that the largest number of complaints come from the Financial and Investment sector, followed by Landlords and Real Estate Agents. Health service providers in the private sector have generally responded very well indeed to the introduction of the private sector privacy law and we receive few complaints about them.

A particularly well documented series of investigations related to the tenancy database industry in Australia. This industry until recently has been largely unregulated and stories of inappropriate practice have circulated for years. The State of Queensland has specifically legislated to control some of these practices, but the new private sector privacy provisions were the first to bring across-the-board requirements to limit what is collected, give notice, provide individuals with rights of access to information about them held in the databases etc. I finalised a series of Determinations against some of the industry practices in April and these are posted on the Complaint Determinations part of the Complaint Case Notes and Complaint Determinations page on the Office website.

As to nature of complaint, inappropriate use or disclosure dominates at over a third of all complaints received. Inappropriate collection practices and requests to access or correct information are the next most significant types of complaint.

Incidentally, a very recent decision of the Federal Court, Seven Network (Operations) Limited v Media Entertainment and Arts Alliance [2004] FCA 637 (21 May 2004), found inappropriate collection practices had occurred in the circumstances of the case. It indicates that some organisations will have to improve the care with which they limit the amount of personal information they collect and improve the collection notice that they give.


Nymity: Of the 1,000 complaints received, how many did your organization issue findings on?


Crompton: The Office always seeks to resolve complaints by mediation in an Alternative Dispute Resolution context. Our philosophy is spelt out in Information Sheet 13-2001. This has been very successful over the years and prior to the recent series of Determinations against the tenancy databases, the Office had only ever issued a total of 3 formal Determinations where mediation was not successful, as can be seen on the Complaint Case Notes and Complaint Determinations page on the Office website. The Case Notes there give examples of how we have resolved complaints where we did not proceed to Determination. Section 5.3.2.1 of the 2002-2003 Annual Report indicates that some 20% of the private sector complaints did lead to a finding that there had been a breach of the National Privacy Principles.


Nymity: Does the Privacy Commissioner's office in Australia publicly state organizations' names?


Crompton: As set out in Information Sheet 13-2001, the Office has reserved the right to name names but has chosen not to do so where the responding organisation is working to resolve the issues at hand. I should add that this approach is not always appropriate when an issue or complaint is already in the public domain, for example is being covered by the media. As set out in the Information Sheet:

 

"On occasion there may be some merit in making public the circumstances of a particular complaint or investigation. This may be, for example, where there is already publicity around a particular matter before it reaches the Office or where, despite all the other approaches the Office has taken, an organisation continues to engage in behaviour that constitutes an interference with privacy. This would clearly be a serious step which could have commercial consequences for the organisation concerned. It would only be appropriate in rare circumstances. In the ordinary course of events, the Commissioner would not consider such a step unless:

  • an organisation either repeatedly or very seriously breaches the Privacy Act;
  • the organisation demonstrates by its actions that it does not intend to comply with its legal obligations; and
  • all other measures have failed to change the organisation's behaviour."


The advantage of this approach is that it provides an incentive to focus on problem resolution instead of defence. It was particularly appropriate during the early commencement phase of the new legislation as organisations grappled with understanding the new law and developed appropriate responses.

A recent example of where an organisation was named is set out in a Media Release by the Office on 12 February. In this instance, while the actual harm caused was small, there was little excuse for the error made given that the issues had been well aired some years earlier. Moreover, the risks of a similar very poor approach to website design causing harm were very great.

It will be a matter for the incoming Commissioner to decide whether to continue this policy, especially now that the new provisions have been in place for over two years.


Nymity: On a personal note, what are your plans for the future? Do you offer services?


Crompton: I have established The Trust Dimension as a business that will work with private sector and public sector organisations to build trust with consumers and citizens. It will focus around offering services to improve data governance, starting with the data protection of personal information.

In the information age, the businesses that will have the competitive edge will be those that demonstrably have in place best practice data governance arrangements, including privacy, security and indeed knowledge management of the information they hold. The old saw of the importance of progressing through the sequence Data » Information » Knowledge » Wisdom will be more important than ever.

We may even see the emergence of "Fourth Bottom Line" measures of data governance. Industries that handle particularly sensitive data such as our health records as we move into electronic health records may be required to pass such tests first. Organisations bidding to provide outsourced services involving the sharing of information may be another, where it becomes a competitive advantage to prove in advance that suitable data governance arrangements are in place.

The Trust Dimension will provide thought leadership in this area and will stand ready to help organisations meet the challenge.


Nymity: In closing, what recommendations do you have for corporate Canada?


Crompton: Demands for companies to respect personal information are here to stay. Lack of respect will lead to lack of trust. The Yankelovich Trust Study is a very recent, pungent illustration of this. The most recent consumer survey report by Privacy and American Business reaches a similar conclusion - consumers more than ever take action against those companies they do not trust with their personal information. It will also lead to calls for more legislation nationally and internationally. Meet and exceed consumer expectations instead of pushing rules to the limit and your company will be permitted (or even asked) to do more with their personal information. This is not just a matter of form filling. Rather, it is about rethinking processes, technologies and accountabilities from the consumer perspective as an integral part of service improvement rather than as a last minute retro-fix. Build in, not Build on.

 

 

 
