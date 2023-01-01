With more of our personal data stored online, to support anything from auto-payment for cappuccino purchases to targeted Jimmy Choo adverts, shouldn't we realise the true cost of this apparent convenience?
A recent opinion piece (Adam Triggs and Dan Andrews, "Data-privacy trade-off is overblown after Optus, Medibank breaches," December 2022) reminds me of my undergraduate O-Week experience, when passionate advocates from at least six competing stalls assured me that true socialism had never been implemented.
As sincerely as Triggs and Andrews must hold their views regarding the benefits of collecting more granular data, I suggest the key to effective privacy policy is practical implementation, and it is not enough to profess data protection without considering the full consequences of system design. Thus, just as I was never going to join any one of those socialist clubs, with my heart fondly swelling from nostalgia, I will bite.
The piece in question makes a strong case that the benefits of data outweigh the risks, although the blanket criticism of privacy advocates' concerns was an alarm bell. Let us not forget, many of the rules enabling secure data exchange, including the Privacy Act 1988, only exist as a result of those advocates' sustained efforts over many years, and to dismiss such concerns is akin to blaming Kerry Packer for ruining World Series Cricket.
That stance at the outset indicates a less than comprehensive understanding of the full remit of privacy, and what it is all about: balance.
Practicality matters. How many of us have juggled more than 10 system passwords at once, and either used the same one for each system, written them all down, or both?
As much as there are failings in data governance - which should be addressed - one should recognise that the humans handling data - either as administrators or users - are inherently fallible, no matter what is written in a standard operating procedure.
The prospect of more granular data collection resulting in enhanced service delivery sounds promising, especially if one de-identifies the data to protect privacy, although linking de-identified data findings to service delivery is complex, and perhaps why so many data governance arrangements fail.
The misuse of personal information is a living reality for many Australians, realised even before the concept of data breaches existed.
The Australian Bureau of Statistics census traditionally returns an under-count of Indigenous Australians as a direct result of the Stolen Generations (and their communities) having developed a certain mistrust of government when it comes to declaring ethnicity. Quite often, the consequences of public administration are not overcome by a simple check-box or disclaimer, despite the apparent benefits of data.
As for more recent public administration, the robodebt royal commission essentially concerns the misuse of data. How can anyone claim that privacy is overblown, when the misuse of personal information literally resulted in death?
These are often personal value judgements. When I delivered privacy training many moons ago, I would sometimes commence the class with a grid-like survey which asked participants many questions regarding what they would disclose along a scale; the varied scenarios included anything from the colour of one's car to medical information, and the scale included different stakeholders (one's spouse, a stranger, and so on).
Through that five-minute exercise, participants added up their disclosure score, and the numbers throughout the class always differed. The purpose of this little exercise was both to demonstrate that individuals' own sense of privacy is personal, and to shift participants' thinking from "this behaviour is acceptable to me" to "this behaviour is acceptable under law" - there is sometimes a stark difference.
In highlighting this reality, I am not expressing fear or anxiety. Rather, I hope to convey a more nuanced understanding of the situation.
Perhaps the easiest method of observing different privacy cost/benefit interpretations in practice today is via the living-with-COVID experience of international travel.
Quite aside from the trends of liberal democracies compared to authoritarian governments, data norms vary not only in the law as it is written, but also in the effectiveness of a jurisdiction's implementation of their law, and in the weighting of competing factors (such as public health); there is no consistency.
It is clear that improving data governance would help address privacy concerns, yet we should not pretend that the risks of increased data collection could easily be overcome with the stroke of a pen, or that the misuse of data, whether by accident or design, does not have lasting costs.
Regardless of positive intentions, before seeking to collect more granular data, perhaps it is best to ask: why not a different approach, and what is the true cost?
