If a year ago I had attached a piece of string to the personal information I provided in order to enter an online competition, would I be surprised by how many organisations had my string threading through them by now?
Almost certainly my string would by now lead in multiple directions – and I am willing to bet that my privacy was infringed somewhere along the way.
Despite all the organisational filters, such as privacy policies, collection notices and consent mechanisms, that my personal information should not have been able to pass through, it would only take one organisation with a non-compliant privacy framework (or no framework at all) for my personal information to spread like wildfire.
I am typically an optimist. I like to think that insufficient privacy frameworks are due to a lack of expertise rather than questionable practices. However, when it comes to my own privacy string, my optimism breaks down.
So, I ask myself: what are three simple things that all companies (and government agencies alike… I haven’t forgotten about you) can do, so that if my piece of string led me to your organisation, I would not be unpleasantly surprised?
First, I think privacy needs to always be considered in an organisation’s initial project plan, with controls ultimately being incorporated into the final design prior to implementation.
The term for this is ‘Privacy by Design’. And yes, it’s actually a thing!
Privacy shouldn’t be something to tick off at the last minute before launching your next lucrative venture. It should be one of the first things considered, and incorporated into designs or project plans.
This can be as light-touch as checking that the collection notice drafted for a new form is appropriate, or as comprehensive as performing a privacy impact assessment on a complex project spanning multiple departments. Failing to do so will ultimately lead to uncontrolled privacy risks post-implementation. Many organisations can attest to this, trust me, but let’s look at one briefly.
Suncorp’s insurance arm built a new feature for its online quoting platform. To speed up the process for customers, the feature pre-filled the physical security details of residential properties where these were already known to Suncorp (which also owns AAMI, GIO and other insurance brands), such as whether deadlocks or alarms were installed. However, because online users were not required to verify that they owned or lived at the residence in order to view those details, the feature effectively disclosed the physical security measures (or the lack thereof) of those properties to anyone who entered the address.
So, to give an example, if I wanted to see what kind of security measures I’d need to overcome in order to shake our Prime Minister’s hand in his own home, I’d simply have to type in the address for The Lodge and hope a quote had been generated or a policy held for that address with one of Suncorp’s insurance brands in the past. Of course, there’s also the tricky subject of bodyguards but you get my drift.
Following complaints from the public, Suncorp immediately removed the feature. So although it was built as a time-saving feature for customers, we can only speculate that the grave privacy implications of disclosing that level of information in the absence of identity verification had not been comprehensively considered by Suncorp. Privacy by Design could have saved the day.
Moving on, the second thing organisations can do is strengthen their de-identification methods. It’s well known that de-identification of personal information, when performed properly, allows an organisation to draw powerful insights from datasets while simultaneously protecting the privacy of individuals.
But what is de-identification really?
I’d guess that for most organisations, simply stripping out direct identifiers such as name, address and date of birth constitutes their preferred de-identification technique. However, de-identification can be complex, and simply stripping direct identifiers from a dataset may not be sufficient to prevent re-identification or constructive identification: a combination of indirect attributes such as postcode, year of birth and sex can still be enough to single out one person.
I’m of the opinion that organisations need to consider a few things here.
First, can the data be linked with other datasets via data points that would not, at face value, constitute personal information?
Second, in addition to the de-identification techniques used, what other controls will be placed on access to or storage of the data?
And third, who is the data being disclosed to, and can they re-identify it using their expertise? In the case of public disclosures, the worst needs to be assumed here. I know, I know, I thought I was an optimist too.
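The three questions above are easiest to appreciate with a worked linkage attack. The following is an added example, not code from the original post: it builds a small constructed dataset whose names have been stripped but whose postcode, birth year and sex have been kept, links it against a constructed “public” list that carries the same three attributes, and then shows the effect of generalising those attributes and suppressing the outliers that remain unique (the classic k-anonymity approach). All rows, names and diagnoses are made up for the example.

```python
from collections import Counter, defaultdict

# Constructed "de-identified" release (no real people): names and addresses were
# stripped, but postcode, birth_year and sex were kept alongside a sensitive value.
RELEASED = [
    {"postcode": "2600", "birth_year": 1955, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "2600", "birth_year": 1980, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "2601", "birth_year": 1980, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "2601", "birth_year": 1981, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "3000", "birth_year": 1990, "sex": "M", "diagnosis": "fracture"},
    {"postcode": "3000", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
]

# Constructed "public" dataset, e.g. a club membership list or scraped profiles,
# that names people next to the same three attributes.
PUBLIC = [
    {"name": "A. Example", "postcode": "2600", "birth_year": 1955, "sex": "M"},
    {"name": "B. Example", "postcode": "2600", "birth_year": 1980, "sex": "F"},
    {"name": "C. Example", "postcode": "2601", "birth_year": 1980, "sex": "F"},
    {"name": "D. Example", "postcode": "3000", "birth_year": 1990, "sex": "M"},
    {"name": "E. Example", "postcode": "3000", "birth_year": 1990, "sex": "M"},
]

# Quasi-identifiers: none is personal information on its own, together they are.
QUASI = ("postcode", "birth_year", "sex")


def key(row, quasi=QUASI):
    return tuple(row[q] for q in quasi)


def k_anonymity(rows, quasi=QUASI):
    """Smallest number of rows sharing one quasi-identifier combination.
    k == 1 means at least one person in the release is unique."""
    return min(Counter(key(r, quasi) for r in rows).values(), default=0)


def link(released, public, quasi=QUASI):
    """Linkage attack: join the two datasets on the quasi-identifiers and
    report every named person who matches exactly one released row and is
    the only public record with that combination."""
    by_key = defaultdict(list)
    for r in released:
        by_key[key(r, quasi)].append(r)
    pub_by_key = defaultdict(list)
    for p in public:
        pub_by_key[key(p, quasi)].append(p)
    hits = {}
    for k, people in pub_by_key.items():
        rows = by_key.get(k, [])
        if len(people) == 1 and len(rows) == 1:
            hits[people[0]["name"]] = rows[0]["diagnosis"]
    return hits


def generalise(rows):
    """Coarsen the quasi-identifiers: postcode to its first two digits,
    birth year to the decade. Works on either dataset."""
    out = []
    for r in rows:
        g = dict(r)
        g["postcode"] = r["postcode"][:2] + "xx"
        g["birth_year"] = r["birth_year"] // 10 * 10
        out.append(g)
    return out


def anonymise(rows, k, quasi=QUASI):
    """Generalise, then suppress every equivalence class smaller than k.
    Returns (kept_rows, number_of_suppressed_rows)."""
    gen = generalise(rows)
    sizes = Counter(key(r, quasi) for r in gen)
    kept = [r for r in gen if sizes[key(r, quasi)] >= k]
    return kept, len(gen) - len(kept)


if __name__ == "__main__":
    print("k of naive release:", k_anonymity(RELEASED))          # 1
    print("re-identified:", link(RELEASED, PUBLIC))              # three people
    kept, dropped = anonymise(RELEASED, k=2)
    print("k after generalise+suppress:", k_anonymity(kept), "dropped:", dropped)
    # An attacker generalises the public list the same way before linking.
    print("re-identified now:", link(kept, generalise(PUBLIC)))  # {}
```

Two things the example makes visible. Generalisation alone is not enough: after coarsening, the 1955-born man in postcode 26xx is still the only row in his class, so the outlier has to be suppressed before the release reaches k = 2. And k-anonymity only addresses the “who is this row” question; if every row in a class carried the same diagnosis, linking a person to the class would still reveal it, which is why the second and third questions above (access controls, and who the recipient is) matter as much as the technique itself.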
Don’t take my word for it though, let’s look at an example. In 2016 the Department of Health (DoH) published Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) data on approximately 2.5 million Australians. The data was treated with several different de-identification techniques before being published online.
However, following the publication, researchers at the University of Melbourne were able to re-identify the data of several high-profile individuals, primarily by cross-matching it with other publicly available datasets. Well, you know what they say, where there is a will, there is a way.
The DoH was subsequently found by the Office of the Australian Information Commissioner (OAIC) to be in breach of three Australian Privacy Principles. When the organisation at fault is a government agency, such breaches can corrode public trust and confidence in the way government agencies in general handle personal information.
I guess I would like to think that if my string led me to a government agency, my personal information would have been subject to extra care, right? (Yes, I’m still optimistic!) But the lesson here is the importance of taking re-identification risk seriously.
The final thing I’d want organisations to do would be to exercise more transparency in the way they handle personal information. Of all my recommendations, this would be the easiest to implement.
More transparency doesn’t just show individuals how their personal information will be handled, it also provides other organisations with the tools to help them decide whether or not personal information can or should be exchanged with your organisation.
An organisation’s failure to be transparent in its handling of personal information is one of the most fundamental privacy risks it faces, because transparency is an enabler of other privacy rights for the individual consumer or citizen.
Having a clear, concise and easy to read privacy policy, collection notice and consent capturing process will go a long way in combating the risk of non-transparency.
Now let’s look at my third point in action. HealthEngine, a health service booking platform, was recently found to be routinely disclosing to a law firm information about individuals who had booked appointments with medical professionals through their site. That law firm then direct marketed legal services pertaining to occupational injuries back to those individuals.
While HealthEngine argued that individuals had consented to the disclosure via its collection notice, that notice seemed to contradict its privacy policy, which was silent on the nature of that disclosure. Additionally, acceptance of HealthEngine’s terms, privacy policy and collection notice was ‘bundled’, and an individual’s ability to make a booking was contingent on that acceptance. Probably not what their customers expected, and certainly not within the spirit of voluntary and informed consent.
Given the public outcry, it’s fair to say that individuals did not expect their sensitive health information to be used and disclosed in such a way. In other words, if a string had been attached to their information, they certainly would not have expected to follow it back to a law firm.
This case highlights the importance of handling information, particularly information that is sensitive in nature such as health information, in accordance with customer expectations.
So my three pieces of advice for your organisation, to help reduce your privacy compliance risks and keep your customers happy, are to engage meaningfully with Privacy by Design; tread carefully when it comes to de-identification; and be clear with your customers about what exactly you are planning to do with their data.
I have no doubt that one day, if I follow the millions of strings attached to the personal information I have ever provided to anyone, I will be content with where they lead me. Unfortunately, though, that is not the case today. Being part of a privacy consulting firm myself, I will certainly do my part to guide the strings of others in the right direction.
Join one of our Privacy Management in Practice workshops to learn more about managing privacy risk in your organisation.