Practical Privacy: What goes around …

| June 5, 2010

Two of the last projects I initiated as Privacy Commissioner were:

•    The first Privacy Impact Assessment Guide; and
•    Privacy & Boards: What You Don’t Know Can Hurt You.

The first PIA Guide was finalised and launched in August 2006 by my successor, Karen Curtis.  The launch and its subsequent promulgation and uptake within Government has been a real success story.

More recently, in May she launched a Revised Privacy Impact Assessment Guide during Privacy Awareness Week. Importantly, the Revised Guide explicitly offers guidance on privacy impact assessment in the private sector.  This supports the adoption by the federal Government of the following Recommendations in the report of the Australian Law Reform Commission, For Your Information that:

Recommendation 47–4  “The Privacy Act should be amended to empower the Privacy Commissioner to:

(a)    direct an agency to provide to the Privacy Commissioner a Privacy Impact Assessment in relation to a new project or development that the Privacy Commissioner considers may have a significant impact on the handling of personal information; …”

Recommendation 47–5  “The Office of the Privacy Commissioner should develop and publish Privacy Impact Assessment Guidelines tailored to the needs of organisations. A review should be undertaken in five years from the commencement of the amended Privacy Act to assess whether the power in Recommendation 47–4 should be extended to include organisations.”

Privacy & Boards: What You Don’t Know Can Hurt You was an adaptation of the original guide developed by the Information and Privacy Commissioner of Ontario, Ann Cavoukian and developed in conjunction with the Australian Institute of Company Directors. The guide was launched in April 2006 at the Institute’s annual conference.

Earlier in May this year, I went to Directorship:10, the Institute’s 2010 annual conference. 

                                                                               One of the best sessions of the conference was moderated by Oracle’s Roland Slee on The Commercial Benefits of Today’s Social Networking Platforms.  Panellists were Laurel Papworth, Online Community Strategist, World Communities; Ross Monaghan, Lecturer, Deakin University and Kate Carruthers, Strategy Consultant with Hyro Limited. 

Kate’s slides are online at while Laurel promises hers will be posted eventually at

The panellists gave us a fabulous expose of three kinds of risks being faced by organisations from new media such as Youtube, Facebook and Twitter.  These risks are:

  • Employees and others associated with the organisation using new media in a way that undermines reputation and brand.  We saw a particularly graphic Youtube example of staff making pizzas on work premises with the branding clearly on display.
  • Impact of others on the organisation using ‘crowd sourcing’ to undermine reputation or brand and being able to do so with campaigns that are successful within minutes or hours with thousands of followers.  The first thing is to have enough ‘presence’  is to able to learn very rapidly that something is afoot and second to be able to respond.  The example given related to two women who claimed, again on Youtube, that they had been barred from flying because they were prettier than the flight crew when in fact the women were barred for unacceptable behaviour, followed by the airline response on Youtube that was posted within hours.
  • The converse is also possible:  imaginative ways of promoting the organisation’s reputation or brand using new media.  We have all seen many examples of this, but one that I really like is the one that promotes a car insurance comparison website via a series of videos and a new media presence that has gone viral via many media, including Facebook:  see!  Given the rate of increase in popularity of new media and the corresponding decline in older media, engagement is essential if the organisation or brand isn’t to slip quietly from view.

BUT think of the privacy implications!  When I identified myself to the audience as the previous Privacy Commissioner, there was a roar of interest and the debate was very interesting and very sensible.  The first steps for privacy professionals are obvious and simple when this arises in their organisations.  For example:

  • Make sure you are always first to know about initiatives to use new media and insert a privacy ‘consciousness’;
  • Workshop ideas with the staff involved:  I was part of a very vigorous workshop recently with a company that wanted to do just that;
  • Establish some control procedures in terms of a privacy sign off as well as all the other sign offs before anything goes live;
  • Monitor, monitor and monitor after launch;
  • Educate staff on the risks they face if they behave inappropriately using new media, while also respecting any whistleblower policy that your organisation might have.  Remember:  staff will engage in new media whether not they are formally permitted to do so, even if it is only in their private capacity and away from work.

My conclusion:  Privacy & Boards: What You Don’t Know Can Hurt You may have been ahead of its time, but its time is coming.

This first appeared as an article in the iappANZ Member Bulletin for June 2010 edition,

Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information. He was also foundation President of the International Association of Privacy Professionals, Australia New Zealand,