Privacy Commissioner

Published 7 May 2024
Read the keynotes address prepared for delivery by Privacy Commissioner Carly Kind for the IAPP Sydney KnowledgeNet event on Monday 6 May 2024, 'How to power up a privacy program for emerging and evolving technologies'.

Introduction

• I would like to begin by acknowledging the Traditional Custodians of the land on which we meet today, the Gadigal people of the Eora Nation.
• I pay my respects to Elders past and present and extend that respect to any First Nations peoples with us today.
• All of these issues, and many more, relate to privacy, and in my view could be tempered or mitigated through stronger, better privacy protections.
• But if the dinner tables I’m at are anything to judge by, it is also, instinctively, the view of many of our fellow citizens and consumers.

Privacy Awareness Week

• It is against this backdrop, then, that we commemorate Privacy Awareness Week.
• This year, awareness of privacy is higher than ever before, arguably.
• We would also like to see government power up privacy Australia-wide by introducing the reforms to the Privacy Act that are so overdue.

Privacy reform

• It is no coincidence that I have taken up the role of Privacy Commissioner at a time in which Privacy Act reform is on the agenda.
• In that role, I thought a lot about the role of data privacy regulation and regulators in grappling with new and emerging technologies, particularly AI.
• The clearest issue of interest and challenge for privacy professionals worldwide that came through the many events and panels at the conference was how should privacy professionals be thinking about AI, and what would AI governance and regulation ultimately look like.
• This goes to the overarching theme of today’s convening and Privacy Awareness Week, which is 'Privacy and technology: improving transparency, accountability and security'
  .In thinking about what this means in the context of emerging technologies, I think privacy professionals should have a few things in mind:
  The first is that you can’t go wrong with a precautionary approach.
• I would encourage you, then to get into the habit of using privacy impact assessments to surface privacy challenges of new and emerging technologies, and to share them with your colleagues.
• Online privacy and high privacy impact technologies, including practices involving the use of generative AI, facial recognition and the use of other biometric information, are also high on our regulatory priorities.

Regulatory practice

Published 22 May 2024
Read the keynote address prepared for delivery by Privacy Commissioner Carly Kind for the Biometrics Institute Asia-Pacific Conference on Wednesday 22 May 2024.

Introduction

• I have known the Biometrics Institute for some time, and appreciate the invitation to speak.
• I have seen first-hand how biometrics registration and identity systems can be used to great effect, for example, to assist in the registration of refugees who have had to flee their homes without paper identity documents.

The risks of biometrics

• However, I have also observed the range of risks and harms that can happen in the context of the use of biometrics systems, and heard first-hand from the public their concerns in this regard.
• Prior to taking on the role of Privacy Commissioner, I was the director of the Ada Lovelace Institute, and we undertook a large-scale public deliberation on biometrics technologies.
• Because, as we all know, there is something different about biometrics.

Intersection with the Privacy Act

• In Australia, we have an emerging picture of how biometric technologies can be used consistently with the Privacy Act.
• Facial recognition technologies and other automatic biometric identification technologies should only be used when it is reasonably necessary for, and the risks to privacy are proportional to, the functions or activity.
• The OAIC found that Clearview AI breached Australians’ privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool.
• The Australian Information Commissioner determined that the Australian Federal Police (AFP) failed to comply with its privacy obligations in using the Clearview AI facial recognition tool.
• Commissioner Falk found the AFP failed to complete a privacy impact assessment before using the tool, in breach of the Australian Government Agencies Privacy Code, which requires a privacy impact assessment for all high privacy risk projects.

Looking ahead – Privacy Act reforms

• The federal Attorney-General shared earlier this month that at the request of the Prime Minister, he will bring forward legislation in August to overhaul the Privacy Act.
• Privacy law reform will up the standards for consent, bring into scope a larger subset of the Australian economy, and expands the powers of the OAIC to enforce privacy law.
• Also of note for the biometrics sector are reforms around consent management and data deletion and retention.

Privacy at the forefront of Digital ID scheme

• While we wait for Privacy Act reforms, we will begin applying higher legislated standard to biometric information immediately, with the passage of the Digital ID Bill last week
  The OAIC will be the privacy regulator for the Digital ID scheme and will use a range of regulatory powers to ensure that individuals’ privacy is protected when using the system.
• The ‘additional privacy safeguards’ in the Digital ID legislation will operate in addition to the general protections under the Privacy Act (or equivalent state or territory privacy legislation).
• The OAIC’s regulatory role under the Digital ID legislation will include oversight of breaches of the additional privacy safeguards by all accredited entities, including state and territory agencies.

Conclusion

• OTTAWA, ON, Feb. 21, 2024 /CNW/ - Shared Services Canada (SSC) and the Canada Border Services Agency (CBSA) advised today that they are working to restore CBSA's ability to process Access to Information and Privacy (ATIP) requests electronically.
• While the CBSA still has access to the original ATIP requests submitted, at this time the Agency cannot access the information it gathered to respond to those requests.
• The CBSA processed over 300 requests manually last week while restoration efforts continue on approximately 16,000 pending ATIP requests dating back to 2021.
• The CBSA expects to be able to process about half of its usual volume of 1,200 weekly ATIP requests this week, and will continue to bolster its capacity to process requests impacted by the current situation.