Why I hate the Privacy Commissioner's office
According to the Office of the Privacy Commissioner's 2007 annual report, Australian consumers should feel pretty safe — but that's because it's full of crap.
My hair is going grey, which I can handle, but thanks to the uselessness of the Office of the Privacy Commissioner's Web site and annual report, I think it's now starting to fall out.
The Privacy Commissioner Karen Curtis — bless her cotton socks — has been trying to prime business for data breach disclosure laws with initiatives such as privacy awards — a positive approach to foster support among companies for what will presumably be an unpopular piece of legislation.
Last week a news story from the UK triggered my interest — the UK Information Commissioner's Office (ICO) revealed that since the security breach at HMRC in November last year, it has been notified of almost 100 data breaches. The public sector accounted for 62 breaches and the private sector for 28.
That set me thinking — how well (or poorly) does Australia fare in terms of data security and privacy?
I wanted to see if our Privacy Commissioner would reveal similar information as her UK counterpart. As it turns out, she probably would ... if she could.
The information about Aussie breaches provided to me — and what is available to you — was unfortunately about as much use as a chocolate teapot. Between July 2007 and March 2008, the Privacy Commissioner has recorded 60 instances where a breach of privacy may have occurred. In that time, there have been 830 instances of individuals complaining of a privacy breach. Promising, I thought, but how many of those specifically related to potentially far-reaching information security breaches, rather than, say, a one-off complaint about an overly intrusive call centre? So I went back for a second bite of the cherry and asked the Commissioner's office for how the 100 breaches were categorised.
Apparently analysing this information is a very onerous task, so it's not been done. The result: the cause of the complaint, as well as the nature and scale of any breach, cannot be disclosed. In the absence of said information, the next best thing is a look at the number of privacy complaints, which the Commissioner's office does record, and I was referred to the 2007 Privacy Commissioner's annual report.
It turns out that four percent (762) of the complaints lodged with the office related to "data security". In total, there were over 17,000 complaints.
Just four percent. Sounds minuscule compared to the 25 million Brits affected by the UK HMRC breach. Which is exactly the point — there is no way that all 25 million people would know, and therefore could complain to the Office about the breach. So why in Australia do we collect data on complaints? It shows nothing other than the workload of a government office and how many eagle-eyed consumers know when they've been wronged.
We are given this reassuring notice: "If the Commissioner is satisfied that a matter has been adequately dealt with, or if there has not been an interference with privacy, the Commissioner may decide not to investigate the matter any further."
This highlights why the decision to disclose a breach should be taken out of the hands of an individual and, instead, minimum standards set so that disclosure becomes an automatic response. Whether this occurs will be debated in parliament once the ALRC submits its recommendations to the Attorney General's Department this month.
Here's some more useless information I found: Australia's private sector is a worse privacy offender than the public sector — two-thirds of the "complaints" this year related to possible breaches in the private sector. Size and nature is all I have to say.
And yet some more ... The annual report details whether complaints were received by telephone, letter or e-mail, whether there was "an apology made", if a complaint was closed because it was "frivolous, vexatious or misconceived".
So I advise everyone, if you're looking at the state of information security in Australia, do not bother visiting the Office of the Privacy Commissioner's Web site — not until it contains information on actual breaches, such as: the name of the organisation (particularly for publicly documented breaches); whether information was lost via an unencrypted laptop, a lost CD, a misplaced USB, or by hacking; and most importantly, details on how many records were compromised.
Please, Commissioner, I urge you, stop publishing the volume of complaints your office receives. Nothing useful can be gleaned from this other than the workload your staff face and give us what we really want: a Commissioner that's not afraid to shame big business into protecting its consumers.