The Gap in Privacy Awareness

Friday 26 May 2017

On 15 May, the first day of Privacy Awareness Week, the Office of the Australian Information Commissioner (OAIC) released the findings of the Australian Community Attitudes to Privacy Survey (ACAPS) 2017.

Speaking about the Survey’s results, Timothy Pilgrim, Australian Information and Privacy Commissioner, said “The 2017 survey has highlighted gaps between community expectations and privacy law and its reality, and there is now a lot of work to be done with both business and government to close that gap.”

These gaps manifest themselves in different ways. “69% of people feel less comfortable with online interaction than five years ago,” Pilgrim explained, “and 83% feel online interactions are inherently more risky in privacy terms.” He added that there is also a gap between concerns expressed and the subsequent action taken.

Of particular concern is the indication that Australians do not read privacy notices. 43% of those surveyed admitted not adjusting their social media privacy settings, and around 25% have rarely or never asked an organisation why they are requesting personal information.

Australians do expect there should be privacy coverage across all sectors, but this is not the case. And while exemptions do exist for small businesses, media organisations, workplace information and political parties, these exemptions are not fully understood by the community.

Pilgrim said that, for the regulator, the question must be asked:
  • Should the gap be closed by modifying community expectations to fit the law?
  • Or should the law itself be modified to fit community expectations?

“It doesn’t take a psychologist to see that the apparent contradiction between rising concern and steady action is, in part, due to being overwhelmed by the issue. Businesses that make privacy choices easy to control and understand will become the trusted brands.”

Unfortunately, many businesses tend to write privacy notices that are long and difficult to read. According to Pilgrim, however, the emphasis should be on communication, not mitigation. “Businesses and agencies do have the primary responsibility here to make privacy easy and empowering to manage,” he said, “though we all have a role, as individuals, to use as best we can the protections already available to us.”

Online is not the greatest risk
Pilgrim said that while 87% of ACAPS respondents saw being online as a great risk, the reality of online risk is often not reflected in many of the breaches that have occurred. “In my role as Commissioner, many of the breaches that get reported occur offline or are ‘low-tech’.”

Data sharing
The other challenge facing both business and the regulator is that of the need to work together on the concept of data sharing.

“79% of respondents are ‘net uncomfortable’ of this idea of data sharing in the commercial context,” Pilgrim explained. “Only 10% reported net comfort that their data can be shared by commercial entities.”

In contrast, government agencies have a net comfort of 33%, and a net discomfort of 49%.
With these figures in mind, Pilgrim noted the challenge they present to the notion of innovative data sharing and secondary use, since 86% of surveyed Australians see secondary use of their data as a misuse.

“These perceptions suggest a disconnect between community expectations and data innovation,” he said. “However, a new question was added this year about data innovation, and tested comfort levels against data used by Government for research, service development or policy development purposes. The net comfort level reported against that question was 46%. That is significantly higher than data sharing.”

Pilgrim noted that this suggested a degree of contradiction against secondary uses, since the question does suggest an acceptance of secondary use. However, it remains possible that the secondary use of data may be considered more valid or acceptable if a clear social or economic use for it is made.

What is clear is that ACAPS 2017 has provided valuable insight into what remains a challenging issue. A few fundamental challenges still need further exploration:

  •  Is it possible to create a social licence for data innovation? If so, what would be the conditions?
  •  Are there limits on notices and consent, and are these being tested? If so, what response will build upon, rather than replace, the current frameworks?