The Oxford Dictionary defines privacy as: "A state in which one is not observed or disturbed by other people." The internet, satellite technologies, mobile devices, hyper-connectivity and big data have already dented the definition.
Can privacy survive the internet?
Edward Snowden's revelations about the lengths to which the US National Security Agency has gone to access personal data have already dealt a further blow to the notion of personal privacy.
We are now moving to a new era described by technophiles as the "internet of things" where not only are people connected to the internet, so are devices and sensors. It is conceivable that in the future an in-car sensor will report to an insurance company when you are driving above the speed limit and modify your premium in real time.
Nation states, however, cling to the concept of personal privacy and have implemented a raft of legislation and regulations to protect consumers and citizens. In March Australia introduced its updated privacy regime intended to restore some power to the individual.
Previously the OAIC has had only limited powers, but, as any organisation governed by the APPs needs to understand, that has now changed.
The amended Privacy Act has boosted the powers of the OAIC, which can assess organisations' privacy compliance, accept enforceable undertakings and seek civil penalties of up to $1.7 million if organisations fail to comply.
Sparke Helmore Consultant Janice Nand says proactive enforcement is likely to be a hallmark of the new privacy regime, providing the OAIC with "real teeth." While there has always been the option of negotiating or settling privacy complaints, there is now the additional incentive to resolve complaints to avoid the risk of significant penalties for serious or repeated breaches.
Proactive enforcement requires companies to take a more proactive measures with regard to both information privacy and computer security. Computer security should be viewed as privacy's evil twin in the internet era given the heightened risk of companies and their data being hacked and attacked.
The most recent example of how computer security can compromise privacy came courtesy of Heartbleed.
Heartbleed was the name given to a security problem that arose because of a hole in software that can be used to create a secure layer on the internet. It's this layer that is used for online purchasing or internet banking. Once that hole was spotted it could be used to access the encryption keys used to keep everything on the secure layer private and safe.
Not every organisation used the affected software to build their secure layer – but those companies that did needed to fix the hole, then change their encryption keys and tell their users to change their passwords. Not everyone was quite so proactive.
Consider the approach taken by Dropbox – the information sharing application used by 275 million people all over the world and 95 per cent of the ASX 100.
When it found that its systems were affected by Heartbleed, Dropbox patched the software, changed its encryption keys and then posted on a company blog a recommendation that Dropbox users change their passwords. It didn't however send an email to all its users making that recommendation – if users didn't read the blog then they didn't know they and their data might be at risk.
Dropbox had ticked the box on compliance – but it hadn't taken the extra (simple) step that would have boosted its trust factor.
Businesses that aim to build businesses and trust over the internet need to develop effective privacy and security cultures. This is not about posting on a website a huge, impenetrable privacy policy written in legalese and then ticking a compliance box. To properly protect privacy organisations need a clear and coherent privacy policy, the supporting systems and procedures to ensure that policy is adhered to, and a culture that accepts that it's not OK to have a quick look at your cousin's fiancée's records "just in case".
Then, just maybe, privacy can survive the internet.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
