Professor Roger Clarke, chair of the Australian Privacy Foundation and a CLA member, was awarded the 2009 Australian Privacy Medal in November for a lifetime of work ensuring people’s rights are as protected as possible. In his speech, he outlined some of the major challenges the nation is facing, and spoke of “the sorry state that privacy protection in Australia is in…”
A Tag-Team Acceptance Speech
Comments by Professor/Dr Roger Clark* on receiving the Australian Privacy Medal awarded by the Privacy Commissioner, Karen Curtis**, 12 Nov 09. The medal was presented by Special Minister for State, Joe Ludwig, at a dinner in Sydney.
One of the many important facets of privacy is the recognition that each of us has multiple identities. We mostly like to keep those identities separate from one another. But, as a contribution to the evening, I thought I should ask several of my personas what they thought about being nominated for this Medal.
The Ego
My ego is represented by my mother. She’s proud of me. And she’s delighted that the time and energy I’ve invested in this area over 35 years is appreciated.
The Researcher
For a researcher, only a few forms of positive feedback matter. Most of my publications are in Information Systems and eBusiness. But for my 36 refereed papers on privacy topics, Google Scholar shows well over 1,000 citations. Cumulative downloads of those papers are perhaps 5 million and are running at 350,000 p.a. That’s pretty competitive on the world stage, so the Researcher in me feels vindicated.
But, with so few formal Awards available to win in new disciplines like Information Systems, this Medal is likely to help with the dissemination of ideas. So the Researcher in me is pleased to be recognised.
The Advocate
The advocate in me, however, is a lot more circumspect.
Corporations and government agencies have become habituated to hands-off stances by parliaments and by regulators. Instead of looking for real understanding of privacy issues, and real solutions, organisations get away with investing in image.
Public thoroughfares are being converted from anonymous use to identified use, and not one Privacy or Human Rights Commissioner takes any interest in the matter.
Law enforcement agencies, working through Crimtrac, regard the building of a national vehicle surveillance database as being unthreatening to democracy. So they play the public for fools, and simply get on and do it.
Organisations demand access to body fluids and measurements of people’s bodies, on the flimsiest of excuses, and in the absence of any effective regulatory framework.
Media empires refuse to establish a body of principles to guide the collection and publication of personal data. Instead, they conduct propaganda campaigns against a privacy right of action.
Complaints-handling by regulators is subject to long delays. And the eventual reply is full of complex legalese used to justify taking no meaningful action.
The Australian Law Reform Commission Privacy Report’s recommendations were a long way from what advocates sought. Yet the recent response of the Government, or at least of the public servants who have the pen in their hands, permits unfettered off-shoring of the personal data of Australians, as organisations see fit.
Meanwhile, public interest representatives and advocates are kept at arms-length. Terms like ‘the same old faces’ are frequently heard.
Organisations as diverse as the Department of Human Services, the ABC, the National eHealth Transition Authority, and the major banks, act as though advocates had horns on their heads, and do everything they can to avoid engagement.
I’ve been involved in advocacy in this area since 1972. Until the mid-1980s, I worked on behalf of the professional body, the Australian Computer Society. My purpose was ensure that the seemingly inevitable privacy statute was balanced and not unduly onerous.
Since the first of the long series of attempts to introduce a national id scheme in 1985, my work has been primarily through the Australian Privacy Foundation. I know the advocates. They all wear suits. They’re so conservative that they didn’t let me have a turn as Chair until 20 years after the APF was formed. Advocates don’t have horns.
Given the sorry state that privacy protection in Australia is in, the advocate in me sees a medal that is less burnished, and more tarnished.
The Consultant
My other relevant persona is what I call a ‘competency-based consultant’. From that perspective, ‘any publicity is good publicity’, and ‘an Award’s an Award’, so maybe there’s some way to leverage off it.
Most of my consultancy work is in eBusiness, but 20% is in privacy strategies, privacy issues analyses, and privacy impact assessments. I’ve written sets of PIA guidelines, including for the UK government.
The one-line message is this.
You and your organisations need to get out ahead of the game.
It may seem fine to adopt a reactive stance, to lie low in order to create a small target, and to wait and see if privacy problems happen. It’s fine, until you get caught out. Because then the party gets rough, and then you get stampeded into unwise media responses based on zero strategy and zero preparation. My epithet for this phenomenon is ‘privacy doesn’t matter, until it does’.
Debacles like the Access Card happen when public servants are allowed to get utterly out of touch with the real world. (The Minister – Senator Ludwig – would be pleased if I would point out that that debacle was achieved by the previous Government).
Tenderers (in that case, scores of them!) failed to ask the right questions, simply because the dollar signs looked so inviting. There will be more, massive disappointments, not least in the eHealth arena, because lessons aren’t being learnt.
Public Interest Analyses (PIAs) are central to this, because PIAs are fundamentally exercises in risk management. To avoid problems, and to come up with future-proof designs, get the public involved early. Get the consumer reps and privacy advocates inside the door. Learn from them.
Get them pregnant enough that they’ll feel it’s dishonourable to attack you when your scheme goes live, even if its privacy profile drops a bit short of what they thought you were going to do.
There are plenty of ‘brand-name consultancies’ out there. And, in recent years, a few new faces have joined ‘the usual suspects’. Brand-name consultancies will conclude prettymuch whatever you’d like them to conclude. But some organisations are interested in real understanding and real solutions, rather than just ‘marketing communications’.
So … the consultant in me has some hopes that this Award might stimulate privacy business of the right kind.
Many organisations may lack the confidence to hire a consultant who has as many personas as I’ve got. But there are several other ‘competency-based privacy consultants’ in the country, and if this conversation results in additional meaningful assignments landing on their plates, then this consultant can see in this Medal a little less tarnish and a little more burnish.
I apologise to the Privacy Commissioner. I apologise for putting her to the expense of casting four medals, one for each of my identities.
I thank my nominators. And I thank the sponsors.
And I thank the Privacy Commissioner and the Selection Committee firstly for considering me for this Medal, and, secondly, in full knowledge of what my advocate persona thinks of the situation, awarding it to me.
ENDS SPEECH
_____
Author affiliations:
* Roger Clarke is Principal of Xamax Consultancy Pty Ltd, Canberra. He is also a Visiting Professor in the Cyberspace Law & Policy Centre at the University of NSW, a Visiting Professor in the Department of Computer Science at the Australian National University, and Board member of the Australian Privacy Foundation since its inception in 1987, and currently its Chair. He is a member of Civil Liberties Australia.
_____
** In making the award, Australian Privacy Commissioner Karen Curtis said:
Dr Roger Clarke, a leading privacy consultant, academic and advocate, (is) winner of the Australian Privacy Medal 2009.
“Through his work, both professional and voluntary, Dr Clarke has helped influence the community and several generations of politicians, business leaders, public servants, and civil society activists to recognise and understand the importance of privacy protection in contemporary Australian society,” said Karen Curtis, the Australian Privacy Commissioner.
The Medal was presented by Senator the Hon Joe Ludwig, Cabinet Minister and Special Minister of State, at a dinner in Sydney in November 2009.
Ms Curtis said that Dr Clarke had served the privacy field for more than three decades:
“Dr Clarke’s consulting practice has assisted organisations on privacy strategy formation, privacy policy advice, and the conduct of privacy impact assessments,” said Ms Curtis.
“In the academic sphere, Dr Clarke has published many papers on privacy and has made a particularly significant contribution to the development of thinking about privacy in the context of identity management and of new technologies.
“Dr Clarke has also served for many years as a privacy advocate with organisations such as the Australian Computer Society, Electronic Frontiers Australia, and the Australian Privacy Foundation,” Ms Curtis said.