Future Privacy: A tipping point for tech

In celebration of Privacy Awareness Week we’re starting our new blog series “Future Privacy”, in which we’ll seek to understand and resolve some of the challenges many organisations face managing privacy in a time of exponential data growth. In particular, we’ll be looking into the role technology and automation can play.

In this first post of the series, we’ll start by reflecting on how privacy has developed as a discipline in Australia over the last 20 years, through the experiences of our privacy practice lead, Melanie Marks.

Perhaps surprisingly for a privacy professional, my career began in advertising. Working for an agency, I was spruiking credit cards (if the work of an ‘account coordinator’ can be called spruiking) while I finished my law degree. I took a course at ADMA where I learned about privacy in the context of direct marketing practices, including managing the quality of data held by the mailing house.

Privacy was a reasonably new concept for businesses and there were only a handful of people in Australia who would call themselves ‘privacy practitioners’. At this time, the Privacy Act had just been extended to apply to the private sector and there were two sets of privacy principles known as the ‘NPPs’ and the ‘IPPs’. Those early years of the new millennium also produced rapid advances in digitisation and opened the consumer app market with the rolling launches of Android, Facebook, YouTube, Twitter and iPhone, mere ripples in what would become a sea of data-driven practices requiring privacy management.

In 2008, the ALRC released its comprehensive report into the adequacy of Australia’s privacy laws, in which it took the position that ‘as a recognised human right, privacy protection generally should take precedence over a range of other countervailing interests, such as cost and convenience’. The review was an amazing product – three huge volumes of analysis, still referenced today. Despite this, it would take six years before most of the recommendations (including the unified APPs) were enacted. Many of the report’s themes are back on the table in the current review of the Privacy Act.

In 2009, there were three management-level privacy roles advertised in Sydney, and I suspect that the number of purely privacy advisory roles was similarly small. By comparison, there are countless ads for roles with privacy accountabilities today, of which the best ones are at elevenM. 😊

My first role in privacy management was in eHealth where privacy was understood to be paramount to trust in the emerging digital system. Our privacy team was most aligned to a compliance function and like many of the client teams we see today, busy with bespoke privacy impact assessments (PIAs) as well as reviewing technical requirements, contributing to draft legislation, and addressing the concerns of diverse stakeholders. Although we were run off our feet (and in fact the organisation held very little personal information), in 2009 the idea of automation to undertake privacy operational tasks did not arise.

My next move, to a large retail bank, was characterised by transformation. We stared into the new concept of ‘digital trust’ which had currency overseas, to inform our privacy strategy. The team operated an internal consultancy, delivering PIAs, managing data breaches and dealing with myriad other emerging issues. As the bank rapidly pursued innovative customer and enterprise innovations, while seeking to remain compliant and engender trust, my team faced an unsurmountable volume of requests to size up and manage the privacy impacts.

It became clear to me that a scalable and automated PIA solution for the Australian market was needed, and I set out to find one. The best option I found (but did not pursue) was to outsource PIAs to one of the new privacy consultancies in the market. Our team continued to deliver against the growing needs of our internal customers. It was already evident that no amount of human capital would be enough to future-proof demand. It should be said that some of today’s market-dominant privacy solutions were already out there, but adoption was not commonplace.

In recent years, we have seen a significant blurring of the roles played by privacy, data governance and information security teams. Responsibilities have moved, morphed and evolved. For example, tasks which were previously the domain of data governance or were entirely neglected (such as inventories, mapping, data retention and maintenance) have drifted into the work of privacy teams. Incident management often sits between privacy and cyber teams with legal and other stakeholders. Vendor assessment has become a multidisciplinary process undertaken by security, privacy, data governance, compliance, procurement personnel and others. What we are seeing has validated our firm’s objective of delivering services which combine these disciplines. It has also highlighted the need for enterprise collaboration and risk management software.

Amongst most of our clients, we are also seeing that the tsunami of data that every organisation now holds is increasing demands for privacy expertise. The speed and scale in which all organisations can now view, collect, create, use and share data would not have been believed in the early 2000s. Factors behind this are the emergence of cloud-based services, the comparative reduction in the costs of data storage, the willingness of companies to outsource key functions and the seeming desire of organisations to analyse every piece of data that they have ever collected or might infer. We’ve also had significant tightening up of laws (think European and APAC changes, as well as mandatory PIAs for Commonwealth agencies and reporting of breaches). Operational privacy can no longer be managed using the same processes that teams used 20 years ago.

Today, there is no way that a person (or even 10 people) with a spreadsheet (or 100 spreadsheets) in any large enterprise can definitively map data flows or inventory an organisation’s data holdings, whilst risk assessing all material initiatives, responding to data breaches and data subject requests and inquiries. We have a scaling problem. And hence, transformation in privacy will be necessary for survival; in fact, the tipping point is here.

Yet, whilst today there are tools offered by hundreds of vendors for privacy assessment, consent management, data mapping, data subject requests, incident response and notification, scanning, mapping, discovery, de-identification and more[1], take-up in the Australian market has so far been patchy.

Every privacy professional, CIO, CISO and CDO needs to know about these tools. And every privacy leader should be thinking about how to implement the tools and hence, how to build their teams of the future. In my next blog I will be imagining a new way forward. What should organisations look for in a technology solution? Is it possible to buy the turn-key solution to end your privacy woes? And what skills will be needed in the privacy workforce of the future?

[1] As a starting point, you might like to read the IAPP’s 2021 Tech Vendor Report, featuring a mere 245 pages of privacy vendors grouped by product category.

GovHack: a lesson in optimism

elevenM Senior Consultant and Victorian State Director of GovHack, Jordan Wilson-Otto explains why it’s important to maintain a sense of optimism about the future of technology and society.

It’s judging time for GovHack, the largest open data hackathon in the southern hemisphere. Looking through this year’s submissions, I’ve been thinking about how GovHack’s mission of optimism, civic engagement and empowerment presents a partial answer to the hard questions we raised in our recent post about parenting, privacy and the future.

When we talk about technology, it’s easy to focus on the things that can go wrong. Few things in this world don’t have secondary effects, and we need to think about the implications of the systems that we are building and using so that we can harness their benefits while anticipating and mitigating their downsides.

Undue focus on benefits can lead to bad outcomes, but undue focus on harms can lead to bad outcomes too. If we can’t imagine a more equitable, sustainable or humane world, or a world where technology has made life better and not worse, then there can be no progress. The best we can hope for is stasis, or perhaps the return to some imagined golden age.

But optimism is hard. Almost all the modern narratives about technology are dystopian. Automation is coming for our jobs, algorithmic bias is perpetuating inequalities and killer robots are just around the corner. Meanwhile surveillance capitalism leads to our every online move being tracked, while spy agencies look on and hackers and trolls wait in the wings ready to pounce. And we’re powerless to respond, disabled by an increasingly polarised and dysfunctional political discourse, powered by social media.

So the solution falls to the individual – we’re taught to fear and protect ourselves from technology. We need to watch out for scams, not reuse passwords, be careful what we download or where we browse, and not click links in emails. We’re supposed to read privacy policies, scrutinise permissions, install ad blockers, delete cookies and somehow keep track of the changing data practices of the thousand different apps and online services that we use. We need to look out for trolls, and be alert to the threats of cyber bullying, online harassment and other forms of online abuse.

I think we owe it to ourselves to inject a bit of optimism every once in a while. It’s not all that important how we do it. Maybe read some utopian science fiction, watch some Star Trek, or just consider how far we’ve already come as a species. For me, this is where GovHack comes in – it’s a perfect lesson in optimism. An annual refresher on civics and the power of community, and a reminder that the shape of our technology and our world is not a given, and that technology is just a set of tools that we can build and apply as we need, to the problems we choose.

GovHack is a free, weekend-long creative competition that takes place across Australia and New Zealand. It’s a ‘festival of ideas, using open government data to make our communities better places’. Competitors have 46 hours to make something cool with open government data. What people make is really up to them. It could be an app, some kind of informative visualisation, a prototype gadget, a game, a story, an artistic display or anything else they can think of.

Projects vary from the whimsical to the deeply practical, and from simple to highly technical. You can see some of this year’s projects here, but some highlights include:

  • ‘Are you really going to drive tomorrow?’, which uses AI to predict days when a user’s commute is likely to be particularly congested, and prompts the user in advance to consider other options.
  • ‘Ripple effect’, an interactive story about everyday encounters that shows users how simple choices that you wouldn’t associate with water affect the supply and distribution of water.
  • ‘Once upon a crime’, a song about Australian convicts and their history, which draws on multiple data sources about Australian convicts.
  • ‘Insight without sight’, which sought to make open data more accessible for visually impaired people by providing a way of using sound to convey data in a graph, combined with a new way to access open government data through a voice command interface with Queensland’s Open API.

Sometimes projects go on to be successful start-ups, or lead to lasting improvements or new and better ways of doing things in government. But for the most part, GovHack projects don’t last beyond the weekend. And that’s ok – in fact, that’s kind of the point. You’re not going to fix the world with a song and a story. We know this. The problems we face are real and will require both expertise and sustained commitment to solve, if they can be solved at all. But songs and stories are so nice. And they represent a willingness to engage with data, with government, and with the rest of our community to think about the world we live in. A willingness to play with ideas and try to imagine something new.

That idea of ‘play’ is important here too – paradoxically, it can be the license not to solve the world’s problems that gives us the creative freedom that we will need to solve the world’s problems.

So, in working on the big problems, let’s not limit ourselves to avoiding harms. Let’s take a lesson from GovHack on the value of play and all things surprising and tangential. Let’s remember that our current technologies and ways of thinking are just one way of doing things – the right solutions might be just around the corner, if only we give ourselves license to get there.