How regulation and technology are shaping the future of privacy and security
The privacy and security of customers’ personal data continues to be a growing source of debate. Balancing privacy and security with transparency is a core challenge for consumers, companies and regulators.
Australia Post recently hosted a panel discussion on privacy and security with the following industry leaders in the public and private sectors:
- David Watts, former Commissioner for Privacy and Data Protection in Victoria
- Jason Holandsjo, Telstra Chief Privacy and Compliance Officer
- Saara Mistry, NAB Acting Chief Privacy Officer
- Regis Bauchiere, Australia Post General Manager of Identity Services
- Linden Dawson, Australia Post Head of Identity, Trust and Safety
These are some of the highlights captured from their discussion:
- Mandatory Data Breach Reporting will create a floor of obligations for all enterprises and we must put ourselves in our customers’ shoes when assessing the potential implications of a data breach
- Biometry has the potential to protect our privacy but like any technology, we need to regulate the way it’s used to avoid an inappropriate over-collection of information
- Transparency around how customers’ information may be divulged is critical to establishing and maintaining their trust
Mandatory Data Breach Reporting is set to take effect from late February 2018. What do you believe customer expectations will be around the reporting of a data loss incident?
Jason Holandsjo: "The Mandatory Data Breach Reporting framework will create a floor of obligations for all enterprises. If you’re a truly customer-centric organisation and want to maintain that social contract to have access to their personal information, then you would already have a process in place if something does go wrong."
David Watts: "From a regulator’s point of view, the test in relation to serious data breach is a qualitative one and not just a quantitative one. Some judgments need to be made regarding what amounts to a serious data breach."
Saara Mistry: "At NAB, we firmly put ourselves in our customers’ shoes and ask what the consequences would be for them in a particular incident. One of the key elements is the kind of information involved. Would it allow a third party to transact on a customer’s account? Could it facilitate identity theft or fraud? And what can we do to prevent that from happening?"
We’re seeing a range of new technologies potentially impacting privacy, such as drone, blockchain and biometric verification. This leads to the ever present question - Is privacy dead? Or do individuals have more control of their privacy than before?
Watts: "People are concerned about their privacy. They make decisions about what they’re willing to trade off, but they don’t always know what they’re trading off when they’re dealing with companies like Facebook or Google. Many organisations use information to target people with political messages. Some people may be comfortable with that and some people might not. This is about individual control."
Holandsjo: "People have never been better informed about their privacy and their rights or had better access to information. They’re making conscious decisions around the products they want to use and can work out if the benefits of joining something outweigh the risks."
Regis Bauchiere: "Biometrics is still theoretically the ideal technology in order to authenticate someone but there are challenges around authentication referencing, spoofing and accuracy. In the future, I see biometry has having the capability to protect our privacy, but like any technology we need to regulate the way it is used."
Linden Dawson: "Right now Australia Post is leaning into digital identity and is really trying to drive compliance with the privacy policies. And it’s about to get more interesting as we face into the biometrics build for digital identity.
A key learning from an industry thought leaders’ workshop that we recently hosted was to ensure our solutions don’t lead to over-sharing of information and that we, as a business, don’t over-collect information that’s not appropriate."
In recent years, law enforcement has attempted to force Apple and Whatsapp to unlock accounts belonging to alleged terrorists. In both cases, information was not handed over. Do you think customers expect entities to maintain their privacy in such instances?
Mistry: "There is a general expectation that if a company holds information that can validly be used to prevent or detect an alleged terrorist activity or crime, the company should be able to divulge that to the appropriate law enforcement authorities.
What it comes down to is the transparency that companies have with their customers. It’s very important that when you collect information, you make it very clear to your customers the circumstances in which you will divulge their information.
A relevant consideration is the proportionality of the law enforcement authorities and the nature of the request for the information. It needs to be proportionate and how they use that information needs to be appropriate to the circumstances."
Watts: "There are controversial issues around this. If we have incredibly strong encryption, are we willing to trade off the protection that law enforcement and national security can give us?
There are a lot of people who would argue, quite validly, that encryption is something we can use and that there shouldn’t be backdoors that are open to malware attacks. I think we need to start talking about the issues as adults rather than from ideological positions, and work our way through them."
As technology evolves so will the conversations around the issues of privacy and security. But one conversation that will carry into the future will be around how organisations are using, sharing and protecting customers’ personal data.
As a result, transparency will be viewed a key differentiator alongside technological sophistication in terms of how consumers decide which companies to trust with their personal identity and information.