-
On this page
1 November 2023
Read the keynote address prepared for delivery by Australian Information Commissioner and Privacy Commissioner Angelene Falk for the Australian Government Solicitor FOI and Privacy Law Conference on 31 October 2023.
Prepared speech – check against delivery
Acknowledgement of Country
Thank you Matthew, and good morning to you all.
I would like to begin by acknowledging the Ngunnawal people as Traditional Custodians of the ACT and recognise any other people or families with connection to the lands of the ACT and region. I acknowledge and respect their continuing culture and the contribution they make to the life of this city and this region.
I also acknowledge and welcome other Aboriginal and Torres Strait Islander people attending today.
Fundamental human rights
It is great to see such a good turnout for a conference focused on issues central to my role – privacy and information access.
Both are fundamental human rights.
Privacy is recognised in Article 12 of the UN Declaration of Human Rights, Article 17 of the International Covenant on Civil and Political Rights, and in many other regional and international agreements.
Our right to privacy underpins our right to autonomy, human dignity, and to decide to who we reveal ourselves, and what we reveal.
In Australia, the Privacy Act gives effect to the fundamental right to privacy by preventing individuals from being subject to arbitrary interferences with their personal information, and protecting them from harm stemming from the misuse of their personal information.
Article 19 of the International Covenant on Civil and Political Rights states that, ‘Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds.’
These commitments are also reflected in the United Nations’ Sustainable Development Goal 16, which calls for all countries to ‘Promote peaceful and inclusive societies for sustainable development, provide access to justice for all and build effective, accountable and inclusive institutions at all levels.’ This includes an important target committing states to adopt laws and regulations on public access to information.
So, access to information is also a fundamental principle that enables us to exercise other rights. It is also integral to democratic society.
Indeed, privacy and access to information share many commonalities.
While we are often asked as the independent national regulator for both, whether there is an inherent tension between protecting information and making it freely available, we say the converse is true: each would be weaker in the absence of the other.
They are complementary, both underpinned by the principles of transparency and accountability.
Both rights are also challenged by the digital environment, and today I will share how we can stand up to this challenge.
Privacy’s wake-up moment
First, I would like to turn to privacy, as it has been a wake-up year for the protection of personal information.
It has been a year in which we have seen millions of Australians be impacted by the biggest data breaches the country has experienced since the commencement of the Notifiable Data Breaches scheme.
Our community attitudes research, which I will spend some more time on shortly, found 47% of those surveyed had been affected by a data breach, and 76% reported experiencing harm as a result.
As a result of these data breaches, the security of personal information has come into even sharper focus as one of the top priorities for organisations and the public.
The data breaches turned attention to the mass amounts of data that organisations can collect and store, and the risks this creates.
While cyber should have always been a top risk for Australian organisations, recent events have reminded people of that, and we are anecdotally hearing more organisations are dealing with cyber security and data governance at the board level.
The past year was also marked by developments and increased uptake of technology, particularly artificial intelligence and facial recognition, and with them, a transformation in how our personal information is used.
The momentum behind AI announcements has been so significant that some experts and public figures believe mitigating the risk of extinction from AI should be a global priority alongside other societal-scale risks as pandemics and nuclear war.
The use of these technologies has raised questions about how we want our society to look into the future, and made the community keenly aware of the very real risks that come with the opportunities of a digital economy.
We see the increased community’s awareness and experience of privacy issues reflected in the matters to my office.
As with other agencies, we recently published our annual report for the 2022–23 financial year, and in a year in which data breaches were so prominent, it shows a 5% increase in notifications received by my office, with 895 notifications received overall.
We also received 3,402 privacy complaints – a 34% increase compared to the previous financial year and the highest number of complaints received since the OAIC was created in 2010.
Community attitudes
And we know the community cares about their privacy as they told us in our Australian Community Attitudes to Privacy Survey (ACAPS).
ACAPS is a survey we conduct every three years to gain a comprehensive view of Australians’ privacy attitudes and experiences and how recent events have impacted them.
- Nine in 10 Australians told us they have a clear understanding of why they should protect their personal information.
- 62% see the protection of their personal information as a major concern in their life.
- 82% said they care enough about their privacy to do something about it.
Unsurprisingly, Australians saw data breaches as the number one privacy concern.
The survey also found significant discomfort and distrust with artificial intelligence that uses personal information and biometric technology. However, Australians trust or are comfortable with government agencies using these technologies more than the private sector.
Indeed, trust is a key theme of the survey. Interestingly for agencies, federal government is the second most trusted sector after health service providers.
Two-thirds (67%) of the Australians we surveyed said they trust agencies when it comes to how they protect and use their personal information, suggesting there is room for improvement.
It will be of interest to this audience that there continues to be a slight but steady increase in the percentage of Australians who are comfortable with the government using their personal information for research, and service and policy development. The percentage increased from 38% in 2017 and 40% in 2020 to 44% in 2023. So, we are heading in the right direction.
But despite there being higher levels of trust and comfort in the government’s use of personal information, the vast majority of Australians want government agencies to do more to protect their data.
AI
The increasing adoption of AI – including generative AI – could have broad-ranging benefits and risks for Australia’s economy and society. The Australian Government identified AI as a critical technology in the national interest and has several initiatives underway to promote trusted, secure and responsible AI.
For instance, the Department of Industry, Science and Resources consulted on a discussion paper about Safe and responsible AI in Australia, which invited feedback on whether further regulatory and governance responses are required to ensure appropriate safeguards are in place.
Earlier this month, Commonwealth, state and territory education ministers agreed to the Australian framework for generative AI in schools, which seeks to guide the responsible and ethical use of generative AI tools in ways that benefit students, schools and society.
The OAIC’s position is that consideration should be given to how existing frameworks should be strengthened and enhanced to provide adequate safeguards before a separate regulatory regime specific to AI is considered.
The Privacy Act provides a well-established framework to minimise the privacy risks associated with personal information handling and facilitate community trust and confidence in new technologies and data initiatives.
While there are measures that can further strengthen the existing privacy framework, which I will touch on shortly, existing mechanisms like privacy impact assessments are a valuable tool to facilitate a privacy by design approach, and consider privacy risks and impacts upfront.
Privacy law reform
The community also made it clear in our research that they have much higher expectations for the protection of their personal information.
Eighty-four per cent want more control over the collection and use of their personal information. And 89% said they would like the government to pass more legislation that protects their personal information.
Last month, the Australian Government responded to the Attorney-General’s Department’s proposals for reform to the Privacy Act.
There are many elements to the reforms. Some have been agreed, some are subject to further consultation and impact analysis, and some have been noted.
But taken together, the reforms will take a significant step towards meeting the community’s expectations for the proper protection of their personal information.
Reforms to the Privacy Act are urgent. We have a good foundation with the current principles-based and technology neutral framework, but the review is a vital step to ensure our privacy framework is fit for the digital age.
One measure I particularly want to call out, which the government has agreed to in principle, is a new positive obligation that personal information handling is fair and reasonable, which we would like to see become the new keystone of the Australian privacy framework.
This will require organisations and agencies to ensure their personal information handling practices are fair and reasonable in the first place. In other words, that privacy is built in by design.
This would address some of the uses of personal information made possible by rapid advances in technology where there is significant potential for harm.
For example:
- The pairing of a mixed reality headset and facial recognition technology, giving the user the ability to identify individuals on the street – is that fair and reasonable?
- Online tracking, profiling and targeted advertising to vulnerable individuals, such as children – is that fair and reasonable?
- The use of personal information for AI-informed decisions that have a significant effect on an individual, such as hiring decisions or assessing their suitability for a loan – is that fair and reasonable?
The fair and reasonable test will provide confidence to the Australian community that, like a food or building safety standard, privacy must be built into products and services from the start.
Other important developments include enabling individuals to exercise new privacy rights, including an enhanced right to access their personal information and a right of erasure, and take direct action in the courts if their privacy is breached. These initiatives reflect the baseline privacy rights expected by our community.
In addition to the enhanced right of access, there are several other important reforms that seek to enhance transparency around how and why personal information is handled.
This includes a requirement that privacy policies set out the types of personal information used in automated decision-making systems that have a legal or similarly significant effect on individuals’ rights. There will also be a right for individuals to request meaningful information about how these decisions are made.
There are also changes proposed to ensure privacy policies and collection notices are clear and easy to understand, including the development of standardised templates.
And the government has agreed in principle that organisations should be required to establish maximum and minimum retention periods for personal information, and specify these in their privacy policies.
The reforms also provide a greater range of powers to the OAIC, reflecting the Australian community’s increasing expectation that its regulators take a more enforcement-focused approach.
This will increase the OAIC’s ability to take regulatory action on behalf of the Australian people in a flexible and proportionate way, and to address systemic privacy issues.
Evolution, not a revolution
It is a time of change, but I want to emphasise that what has been proposed is an evolution, not a revolution.
Many of the proposals seek to build upon or enhance the existing framework by clarifying definitions, or by elevating OAIC guidance on certain areas expressly into the law.
In addition to some of the proposals I’ve already mentioned such as the enhanced right of access, the Australian Government has also agreed in principle to:
- change the word ‘about’ in the definition of personal information to ‘relates to’ to clarify that personal information is an expansive concept that includes technical and inferred information if this information can be used to identify individuals
- amend the definition of ‘collection’ to expressly cover information obtained from any source and by any means, including inferred or generated information
- amend the definition of consent to provide that it must be voluntary, informed, current, specific and unambiguous, and expressly recognising the ability to withdraw consent
- require entities to take reasonable steps to implement practices, procedures and systems to enable it to respond to a data breach.
Many of the accountability mechanisms that we would like to see introduced are already requirements for government agencies under the Australian Government Agencies Privacy Code.
For example, the government has agreed in principle to also require private sector entities to:
- conduct a privacy impact assessment for all high privacy risks projects
- appoint or designate a senior employee responsible for privacy within the entity.
Because these obligations have existed for government agencies since 2018, we expect most are already at best practice status.
Privacy: how to, not don’t do
In any case, for organisations doing privacy well now, the reforms will require a simple uplift.
But one of the key messages that I hope you will leave with today is that privacy shouldn’t be viewed as a compliance exercise.
Protecting privacy is about treating an individual’s personal information with respect and care, and remembering you are only its custodian.
It’s about considering your activities through the lens of whether a person on the street would consider them to be fair and reasonable.
It’s a how to, not a don’t do.
And as the digital economy continues to grow, organisations and agencies consider new ways of handling personal information and the community engages further in the online world, privacy will continue to play a fundamental role in supporting successful innovation.
We are seeing this in the central role of privacy in many other reforms and initiatives on the agenda, including the work being done around AI, digital identity and the Australian Cyber Security Strategy.
Access to information
I have spoken of the connection between good privacy protections and trust, and I can also say that when done well, access to information plays an equally important role in building trust in government and the success of initiatives.
Timely access to information promotes public scrutiny of government policy, participation in democratic processes, and allows individuals and governments to make informed decisions.
And it is important to remember that the issue of being a custodian of information is critical.
One of the core objects of the Freedom of Information Act is to ensure government-held information is managed as a national resource.
The FOI Act also seeks to facilitate:
- providing access to information in effective and efficient ways
- that government-held information is used for the public’s benefit, as it can inform evidence-based policy making and support innovation.
From compliance to proactive release
Statistics from our most recent annual report show around 34,200 FOI requests were made to agencies and ministers last financial year.
Seventy-four per cent of these were for personal information, showing the FOI Act also has an important role to play when it comes to access to personal information held by agencies.
We advocate for administrative access schemes that provide individuals with fast access to their personal information, without having to make a formal FOI request.
A quarter (25%) of FOI requests were granted in full, 52% were granted in part, and 23% were refused.
There was a small improvement in the percentage of FOI requests processed within the applicable statutory time – with 74% decided in time, compared to 70% the previous financial year. This reverses a trend of declining timeliness in decision making by agencies and ministers that we had observed in the previous four years.
In terms of other statistics, I would like to draw your attention to the third cross‑jurisdictional study of community attitudes on access to government information, which we recently released with information commissioners and ombudsmen from across Australia.
The report provides important signposts for governments and agencies to increase community trust and confidence in information access rights.
It found the vast majority (91%) of Australians believe their right to access government information is important.
Of all the jurisdictions, Australians had the most success accessing information – through a range of methods, some informal, some formal – at the federal level.
Australians had the most success accessing their personal information and policy and procedural documents held by Australian Government agencies. They were less successful accessing information from ministers.
It is clear from both this research and our agency FOI statistics that success in meeting FOI objectives varies fairly significantly across the Commonwealth.
Open by design
So, how do we address this?
Ultimately, enshrining the community’s right to access government-held information is broader than complying with the ‘pull’ obligations in the FOI Act, that is, responding to requests.
It requires agencies and ministers’ offices to be open by design, or move more to a ‘push’ model where information is proactively provided.
There is a way to go to swing the pendulum more fully from pull to push.
The OAIC and our state and territory counterparts established the open by design principles in 2021 to encourage the proactive release of information and promote open government.
We encourage all public institutions to build a culture of transparency and prioritise, promote and resource proactive disclosure.
We recommend that agencies:
- Embed a proactive disclosure culture.
- Implement a best practice open by design approach to proactive disclosure.
- Engage with the Australian community in relation to the information that is of most value and interest to them.
- Adopt a customer service approach to the proactive disclosure of information.
One of the mechanisms in the FOI Act that supports proactive disclosure is the Information Publication Scheme, or IPS.
The IPS mandates that agencies release identified categories of information to the public proactively, and encourages agencies to proactively release other information to the public wherever possible.
The scheme fosters greater openness and transparency in government.
We have commenced our third review of agencies’ compliance with their IPS obligations, which involved a survey of agencies that has now closed. This is a very valuable exercise in terms of underlying the importance of the IPS, and for the OAIC to interact with agencies through workshops to build a better understanding of each other’s concerns.
In the past, the survey’s results have assisted the OAIC to identify areas where improvements can be made to further promote the proactive publication of government information, and we look forward to sharing the results of the survey in due course.
I would also encourage those involved in the IPS review to use it as an opportunity to look more closely at proactive release in your agency and how it could be improved to foster an open by design culture.
Getting things right requires taking a life cycle approach to information management that builds access to information into the design of systems and processes.
Accurate record keeping is critical to the process, making sure information can be found and that subsequent requests are more seamless to process.
Digital inclusion
The online space plays a pivotal role in empowering citizens by providing easy and convenient access to a vast array of government information.
It fosters an informed and engaged society, enabling individuals to make well-informed decisions and participate actively in public discourse.
But in our increasingly digital world, it is imperative that we make government information easily accessible – by all Australians.
And in thinking about making information available, and accessible, we must also consider what barriers people may face to digital access and inclusion, and factor these into the work we do at all times.
The Solomon Lecture – held in the week of International Access to Information Day – was this year delivered by Seisia community member and Young Australian of the Year for Queensland, Talei Elu, and was about how access to information in remote Indigenous communities can help solve complex problems.
Seisia is a small coastal Torres Strait Islander community at the northernmost point of Cape York. In recent years, the people of this community have experienced difficulties associated with poor telecommunications – including being unable to call 000 and access COVID resources.
A seemingly simple-to-resolve issue that Talei spoke about was the volume of government information provided in PDFs, which people with poor connectivity may not be able to download.
Talei shared her story about how the people of Seisia harnessed the information and contacts they had to lobby for better telecommunications infrastructure, ultimately securing a $1.09 million tower through the Regional Connectivity Program.
Better digital access can also pose other challenges. Residents of Seisia now have to ensure they can gain the positives, are digitally literate and resilient.
There were so many more insights and takeaways in Talei’s address, and I strongly encourage you to watch the recording, which is available on the Queensland Office of the Information Commissioner’s website.
Her address crystallised that online access to government information must be inclusive, so that all citizens can quickly and easily engage with government agencies, access services, and seek assistance.
In this digital age, we must ensure that access to government information is not only upheld, but continually improved.
While digital transformation is generating social, cultural, and economic benefits for many Australians, these benefits are not shared equally.
The premise of digital inclusion is that everyone should be able to make full use of digital technologies and the benefits they bring, while avoiding their potential negative consequences.
We need to be mindful of this as we move into an increasingly digital world.
Conclusion
For me, privacy and access to information are ultimately a matter of integrity: respecting the community’s fundamental rights by acting honestly and ethically, with decency and fairness.
Earning the trust and confidence of the community in the way you handle information, whether from a privacy perspective or through the access you provide to it, is crucial.
It is crucial for our digital economy and digital services to flourish.
As government lawyers, as privacy and FOI leaders and managers, and as advisers to regulated entities, everyone in this room can play an important role in driving change with us, for the better.
I look forward to taking your questions now.