If Australia’s privacy regulators had a dollar for every time a politician or senior official insisted citizens’ privacy is their number one priority, they might have enough funding to actually carry out their duties.
But instead - in the upside down world of pollie doublespeak - such pledges actually translate into a gradual, persistent, behind-the-scenes undermining of these statutory offices, in what has turned the bulk of Australia’s personal information regulators into agencies under siege.
In Australia, Commonwealth privacy law - which governs all organisations turning over more than $3 million a year, and all federal agencies - is enforced by the Office of the Australian Information Commissioner.
In the states and territories, separate acts define how government and health agencies in each jurisdiction are allowed to treat the vast troves of personal information they store. Western Australia, which lacks any privacy regulation, is the exception.
Nearly all currently have one thing in common: a resourcing choke-hold paired with a workload that gets bigger each day as governments jump on the technology bandwagon.
This week Canberra witnessed a rare privacy victory as parliament finally passed mandatory data breach notification rules that force government and big business to actually publicly admit when data is potentially compromised.
In a true symbol of parliament’s commitment to the cause, the laws took five years to come into play, despite being supported in principle by everyone in politics.
But we can't really expect much more from a government that quite openly tried to dismantle the OAIC under the guise of saving roughly $2.5 million (not quite half an Australia Post CEO salary) a year.
The federal regulator is undoubtedly the most powerful - and most publically embattled - privacy office in Australia. It has only just emerged from two years in budget purgatory while the government tried to push through legislation to dissolve the office and pass off its remaining functions to other agencies.
Even after its eleventh-hour reprieve in the May budget, the OAIC that remains is a new, leaner body just barely resourced to face what could be an unprecedented flood of mandatory data breach notifications from across the country.
An endemic issue?
But with a total of 75 staff as of June 2016 (across FOI and privacy functions), even the struggling OAIC eclipses its NSW counterpart when it comes to resourcing.
In Sydney, the Information and Privacy Commission employs 29 staff, just eight of whom carry out the job of regulating privacy across a 400,000-person public service.
That’s eight people to make sure hospitals are properly securing the vital health details of 7.5 million residents, to investigate all complaints that come in every year, to check the privacy compliance of all the new surveillance gadgets police are clipping to their belts, and to guide the government through an unprecedented era of inter-agency data matching.
Privacy commissioner Elizabeth Coombs has no say in the resourcing or administration of the office, which is controlled by the state’s Information Commissioner.
NSW’s first ever privacy commissioner, Chris Puplick, offered his insight into the regulatory torment:
“As a statutory officer, unless you have a real budget that allows you to determine your own priorities, unless you have the capacity and resources to make your own decisions and to fulfill your basic statutory responsibilities, then the whole thing is a sham,” he told iTnews.
In Victoria, all bets are off: privacy commissioner David Watts and the Andrews government have taken to trading blows in public.
Watts’ protected statutory position can only be terminated with the agreement of both houses of state parliament. But he says the government is trying to get rid of him anyway with a restructure of his office that will see privacy merged with FOI, and both existing commissioners become sackable deputies under a newly appointed Information Commissioner.
The relationship hasn’t been helped by Watts' office launching a formal investigation into the premier himself, following reports Daniel Andrews ordered his parliamentarians and senior public servants to hand over their mobile phones as part of an anti-leak campaign.
The legislation to restructure Watts' office will resurface in the state’s upper house next week.
Up north, Queensland’s privacy commissioner Phil Green is staying stoic.
He might not want to take his chances with a government that treats his position with so much respect it left it vacant for four years.
But while the state of affairs in Queensland, Victoria, NSW, and the federal government might seem woeful, spare a thought for the residents of Western Australia, who have no Privacy Act at all.
So next time you hear a politician insist all their privacy protections boxes have been ticked - like when federal attorney-general George Brandis tells you his government “recognises that the privacy of citizens is of paramount importance” - spare a thought for the overworked and under-resourced privacy officers struggling to pick up the pieces when it all goes wrong.
Like the time Immigration published the details of 10,000 asylum seekers online, or Health released a billion lines of Medicare claims in a poorly encrypted spreadsheet.
Until the siege on Australia’s privacy regulators ends, voters have no real reason to believe politicians and officials when they insist their data tinkering is above board.
If they’ve got nothing to hide, why fear a watchdog with teeth?
