Mythbusters: The Truth About Privacy

National Disability Services Conference, 12 February 2013 by NSW Privacy Commissioner Dr Elizabeth Coombs

Before I begin, I’d like to acknowledge the traditional owners of the land on which we are gathered today, and pay my respects to the elders, both past and present.

Thank you. It’s a great pleasure to be speaking with you today. You and your clients are very important – and not just from a privacy perspective.

Your services and your workforce (employees and volunteers) touch the lives of many people in NSW. And it’s immaterial whether you are a small agency or a large multi-service organisation.

The work you do and the services you provide are not unfamiliar to me. But I don’t pretend to know, in a detailed or operational way, the challenges you face. What I do know, however, is the importance of privacy to your clients and their carers, and what your privacy practices say about your organisation.

National Disability Services (NSW) represents many non-government organisations. Its aim of equipping and enabling members to provide quality services and life opportunities for Australians with disability complements the approach we take to promoting privacy. That is, to work with others to assist them to achieve their goals.

In researching this presentation, I note that NDS is co-ordinating the Good Governance Program for industry development. And this is what privacy is about – good governance.

Your privacy arrangements are an important part of your corporate governance – of how you do business, and also, in the changes coming, a significant demonstration of service excellence.

Today, I’m going to briefly outline my role as NSW Privacy Commissioner; speak about some common misconceptions of privacy; provide some feedback on a sample of disability organisations’ privacy policies, and suggest approaches for consideration.

But first, privacy…

Privacy – and our right to privacy – touches the very core of our expectations of inalienable human rights.

Our ability to exert our right to privacy speaks to our position of control and self determination – the respect we feel for ourselves, and the respect we receive from others.

Because of the significance of privacy to our ability to function as respected members of society, we find it enshrined in some of the most powerful international conventions.

Among the most profound is the Universal Declaration of Human Rights. (As an aside, an Australian, William Hodgson was one of the nine people who drafted the declaration.)

Right at the front of the declaration, the third article states that everyone has the right to life, liberty and security of person.


But more specifically in Article 12, it says that:

no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.[i]

And, to reinforce this message in the context of people with disabilities, the United Nations Convention on the Rights of Persons with Disabilities includes Article 22 on Respect for Privacy.


It says:

No person with disabilities, regardless of place of residence or living arrangements, shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence or other types of communication or to unlawful attacks on his or her honour and reputation. Persons with disabilities have the right to the protection of the law against such interference or attacks.

And, importantly, “States Parties shall protect the privacy of personal, health and rehabilitation information of persons with disabilities on an equal basis with others.”[ii]

Here we have not just the use of the broad term ‘privacy’, but a very specific reference to the protection of information – personal information, health information and rehabilitation information.

The Australian Government signed the United Nations Convention on the Rights of Persons with Disabilities on 30 March 2007.

As you know, these principles are reflected in supporting legislation at the State and Commonwealth levels. And in a number of instruments that regulate and guide service provision to people with disabilities.

But before I go on to those points, let me just say a few words about my role.


As Privacy Commissioner of NSW, I have responsibility for two Acts:

NSW Privacy and Personal Information Protection Act 1998 (PPIP Act)
The PPIP Act covers NSW public sector agencies, that is, NSW Government agencies, local councils and universities. The Act also provides reserve power for the Privacy Commissioner to research and make public statements about any matter relating to the privacy of individuals generally, and to make such inquiries and investigations into privacy related matters as appropriate.

NSW Health Records and Information Privacy Act 2002 (HRIP Act)
The second Act, the HRIP Act, covers NSW organisations, both public and private, that deal with health-related information. And that will include many in this audience.

In service delivery, privacy is a critical, but frequently taken for granted aspect of service provision. Sometimes too, it is used as a reason why service improvements cannot be made.

When we speak of “person centric service delivery” you can’t go past privacy as a test of whether an organisation “walks the talk” or just talks.

In relation to the earlier point about the right to privacy being reflected in legislation and other instruments, Standard 10 concerning ‘Rights’, produced by the NSW Department of Ageing, Disability and Home Care, is especially significant. It requires service providers to be aware of the United Nations Convention on the Rights of Persons with Disabilities and, most importantly, to apply its guiding principles… in all aspects of service delivery.[iii]

This updated standard also incorporates the key components of the former Standard No. 4: Privacy, Dignity and Confidentiality.

The significance of privacy to the maintenance of dignity and control over one’s life makes it absolutely fundamental to people living with disabilities.

While offering support or services, each organisation becomes a custodian of personal information. Each service provider receives an investment of trust from clients when personal information is provided, but each transfer of personal information can potentially represent more vulnerability for the client should their personal, health and rehabilitation information not be secured and protected.

As we stand on the threshold of a new model of service delivery for Australians with disabilities, a person centred service system, the issue of privacy becomes a defining feature of those agencies that “get it” and those that don’t.


The standard on rights (that is Standard 10) has, as a practice requirement, that “each person will receive a service that reflects their right to privacy and have their personal records and details about their lives dealt with in an ethical and confidential manner in line with relevant legislation”.[iv]

And, as a speaker at the NDS conference in 2012 said, clients and carers will be increasingly aware of their rights, as well as service and contractual arrangements, obligations, deliverables and measures.

Hence it is timely to be thinking of how privacy works in your organisation.

I acknowledge in a busy world, dealing with major funding and service delivery changes, it can be difficult to get a grip on privacy. So let’s move on to some of the myths around privacy.

Privacy Myths

This is the age of technology and rapid data transfer. Never before has it been so easy to transfer information between individuals and around the globe. Participating and functioning in a modern society requires sharing of personal information.

Technological advances have created previously unheard of uses, and abuses, of personal information. Social media, online commerce and internet banking have all raised particular issues and produced a range of perceptions about privacy.

Myths abound about privacy.


MYTH 1: Privacy is dead

I can happily confirm that privacy is not dead. It’s taken some hits, but these have been useful to alert us all to the danger of complacency.

Research and survey work abound demonstrating that people’s concern for their own and their family’s privacy is strong and definitely not declining. If anything, it’s growing.



The reality is, people will choose to deal with organisations that demonstrate an ability to protect their personal information.

And, enlightened organisations, such as yours, will respond with privacy protective offerings and ways of providing services.

In fact, it’s not too hard to imagine that far from being dead, privacy may become an element in each organisation’s competitive arsenal.


MYTH 2: 'No one cares about Privacy any more. Everybody shares their most personal details and opinions on the internet. Humans are social beings and it's all about connecting to others.'

Yes, people put up on their social networking profiles names, ages, addresses, hobbies, affiliations with community groups and photos of themselves and their friends. And in many cases these are viewable by anyone! All freely provided.

Yes, many privacy breaches are the result of people’s own laziness or negligence when it comes to protecting their personal information.

But it would be very foolish to think that this behaviour means your clients won’t care if you adopt the same approach to their personal information.


REALITY: 'People care about what you do to them.'

The latitude all of us give to mistakes made by ourselves is far more generous than that given to the mistakes made by others. This is even more the case when your mistakes impact poorly on others. It’s just the way it is; no-one can say that human beings are always logical and consistent!

The reality is privacy is also an essential part of the human condition. Our need to preserve private spaces and private time in our lives, to reflect and enjoy moments of solitude is as relevant now as it has ever been.[v]

It seems a contradiction: while people are out there sharing what they do on the “world wide web”, their concerns about privacy have increased. But this is the case. Enquiries to our office on privacy related matters have increased by more than 300% in the past four years.


MYTH 3: ‘Notifying clients of your intentions about using their personal information is an adequate privacy framework.’



The reality is, telling people that you are going to, for example, pass their personal information on to a third party, is not the same as getting consent.

Also, choice is not a real choice if there is insufficient information about the consequences of the choice. Choice has to be informed. It’s also not a real choice if clients are forced to consent for fear of being refused services.


MYTH 4: 'Privacy is really complicated. It makes it difficult to run an organisation because we can't share information. It’s just too hard.'

Sometimes you also hear the corollary: because privacy is so difficult, the only way we can cope is to have really complicated and complex policy statements that nobody understands or wants to read.

I know that’s not the case here!


REALITY: 'The consequences of major privacy breaches are difficult.'

Privacy is not difficult – it’s relatively simple. Dealing with a bad privacy breach – now that’s difficult. If you are not aware of it, you may care to look up the consequences of the 2012 privacy breach at the New Zealand Accident Compensation Corporation (ACC).[vi]

A major portion of good privacy governance is good administrative practice and common sense. And the best way to do it is to think about privacy from the beginning, not as an afterthought.

We call this ‘Privacy by Design’.[vii]

The privacy practices you have around your clients’ personal, health and rehabilitation information are critical corporate governance. And because of those principles of privacy discussed earlier, your privacy practices go to corporate integrity.

In preparing for this conference, I looked at the privacy policies of a number of agencies as evidenced by material on their websites.

Now before I tell you what I found, let me say that last year we updated our privacy policy because it had become out of date. So I know that finding the time and resources to update policies can be difficult. But it was a valuable exercise for us at the IPC, so I thought this would be a useful exercise to undertake for today.

I’m not saying this sample of privacy policies is indicative of the sector as a whole. But it may provide some useful pointers to issues you want to examine when you return to your organisation following this conference.

The sample was of 16 policies and represented a range of service types from across Australia – so not just NSW. I initially did this work in early January this year and then repeated it last week to see if there had been any updates.

The website of each agency was visited to see if there was a Privacy Policy or a link that took you to a privacy statement. In addition, each website was searched using either the search facility provided or by reviewing the site map if there wasn’t a search facility.

The policies were examined to see if the basics were present; more of a good practice review than a legislative compliance examination.

So what I looked for was:

Is there a privacy policy referred to on the website?

If so, was it available?

What did it cover (for example, what information was collected, who had access to it, how long it was kept, did it say whether the client had an option to correct their personal information, and was there an officer mentioned for contact if there was a privacy concern or complaint)?

Overall, it was a mixed picture. Yes, I was disappointed but perhaps the sample isn’t representative of the Sector as a whole.

There were four agencies that did not have a privacy statement – that is 25%. This included agencies that said that they had a policy but it could not be located. For example, one agency had a blank page just with the title ‘Privacy’ but no text on the page.

One of these four agencies referred to privacy in a description of their ‘Values’ but gave no indication as to what that meant in terms of collecting, using and disposing of personal, health or rehabilitation information.

Demonstrating privacy requires more than a statement that ‘we value your privacy’. It’s important to set out what you do to make this value a reality. Specifically, for example, how your staff behave in relation to personal information they have come in contact with as a part of service provision.

Of the 12 agencies that did have privacy statements or policies, three were very good – and in different ways. They provided very useful and sufficient information clearly setting out how personal data is collected, managed, and retained.

Of this group of 12, some had short statements with a link to more comprehensive statements, if there was an interest in reading more. And this can be a helpful way to provide information to clients.

Again of the sample of 12, there were four where the policy outlined information collected or not collected from visitors to the website. For example, whether cookies were used, or IP addresses collected. This is part of a comprehensive privacy policy but not sufficient in itself.

While I included two agencies in the group regarded as having a policy, they required the agency to be contacted if a copy was sought. So they said they had a policy but you couldn’t access it from the website. One wanted this request in writing and via post – not electronic mail.

Another agency, when contacted by phone, as their website referred to a policy that couldn’t be located, said that they couldn’t give public access to their policies. A privacy policy that was indeed, very private.

The comprehensive policies referred to the relevant privacy principles to make it clear what actions were required of them, and included useful matters such as who to contact if there was a privacy concern or complaint.

The point of a privacy policy document isn’t that you just have it and, there, that’s that box ticked on the list of things to do. The development of a privacy policy document provides a process whereby you identify your strengths and weaknesses and what needs to be done; it promotes discussion about what can be done, and about what risk mitigation strategies are appropriate.

A privacy policy document provides the basis upon which you train staff, it provides the direction for any governance compliance work you plan to do, or even any investigations you may need to undertake.

In addition, having a sound privacy policy provides information to your clients, which is their right given this very important responsibility you have to them, and it demonstrates how you protect the information that identifies them.

In terms of things you can do to demonstrate a commitment to the rights of people with disabilities to privacy:

  • Make privacy a part of your corporate governance
  • Have a good privacy policy which is easily accessible and easy to read. Include it in the material given to clients
  • Consider having a summary of your privacy policy with a link to the more comprehensive document
  • Have a ‘champion of privacy’ within your organisation, whose role is to assist those who have a concern or complaint about privacy or the treatment of their personal information
  • Include privacy obligations and expected behaviours in staff inductions, ongoing training and performance appraisals
  • Include reviews of the protection of personal data in your internal audit program
  • Be prepared for dealing with a breach of privacy. It may be a matter of a simple apology and counselling of an employee. Or it may be more serious and require external investigation. Think through what you would need to know, how such an investigation would need to be done and the communication strategy that would be needed.
  • Participate in privacy awareness activities. The annual Privacy Awareness Week hosted by the Asia Pacific Privacy Association occurs in the first week of each May. This year it’s from 29 April to 5 May.

These types of behaviours, and there are many examples, model good privacy practices.

No matter the size of organisation, there is something that each of you can do to improve privacy practices. For example, there is a very respectful approach and good practice demonstrated in the 2011/12 Annual Report of the NDS. It’s a simple thing but permission was sought from individuals before their photographs were used in the Annual Report.[viii]

The non-government sector has always been integral to the delivery of services to support older people, younger people with a disability, their families and carers. And it is becoming more so.

How you do this is critical to their wellbeing – not just their physical wellbeing but also their wellbeing as respected individuals.

As a group, people with disabilities will connect in increasing numbers with the voluntary sector.

Placing citizens in the driver’s seat, in greater positions of control over their services, also means that issues such as privacy that go to demonstrating respect, are likely to become part of a suite of defining desirable characteristics that service users will apply.

How well you handle the privacy of your clients, and that of your staff, can assist you in your core business.

It is my job, and that of my Federal and State colleagues, to champion the right of people to privacy; to work with individuals and agencies to ensure privacy protections are in place; and to promote awareness of privacy.

The themes of the National Disability Services, to support, promote and inform are very similar to those of the NSW Information and Privacy Commission. Ours are to promote, assist, review and give feedback.

I look forward to developing an ongoing relationship with National Disability Services and yourselves; and, as appropriate, to work with you on developing good privacy governance.

Thank you.

[i] United Nations, Universal Declaration of Human Rights. The Declaration is the basic international pronouncement of the inalienable and inviolable rights of all members of the human family. The Declaration was proclaimed in a resolution of the General Assembly on 10 December 1948 as the "common standard of achievement for all peoples and all nations" in respect for human rights.

[ii] United Nations, Convention on the Rights of Persons with Disabilities.

[iii] NSW Ageing, Disability and Home Care, Department of Family and Community Services, Fact Sheet #3, April 2012. “Working Together to Improve Outcomes: Updating Standards in Action – Rights”.

[iv] NSW Ageing, Disability and Home Care, Department of Family and Community Services, Fact Sheet #6, November 2012. “Updated NSW Disability Services Standards and the Quality Framework”.

[v] Ann Cavoukian, PhD, Information and Privacy Commissioner, Ontario, Canada.

[vi] KPMG and Information Integrity Solutions, "Independent Review of ACC’s Privacy and Security of Information", August 2012.

[vii] “Back in the ’90s, it was clear to me that the time was upon us when legislation and regulation would no longer be sufficient to safeguard privacy. In my view, with the increasing complexity and interconnectedness of information technologies, nothing short of building privacy right into system design could suffice. So I developed the concept of Privacy by Design (PbD), to describe the philosophy of embedding privacy proactively into technology itself – making it the default.” October 2008, Ann Cavoukian, Ph.D., Information and Privacy Commissioner, Ontario, Canada. Dr. Cavoukian has been recognised by the “Best Practice Institute” as the Founder of Privacy by Design.

[viii] National Disability Services, Annual Report 2011 – 2012, 2012.