Preparing for changes in privacy

It’s here. The Attorney-General’s Department’s (AGD) review of the Australian Privacy Act of 1988 has been released, giving us a clear view of how privacy legislation in Australia will change in the not-so-distant future. 

The release to the public, made on 16 February 2023, included the full report (all 320 pages) along with a summary of the “Report on a Page”. You can view the full report here and the summary here.

Why was this reviewed? Well, if it wasn’t the “1988” that did it, Australia has been reported to be behind the 8-ball on its privacy legislation for some time, only made worse by recent world-news-making data breaches at some of our nation’s most loved and trusted brands. 

It’s harder of course when you’re a large target, and many businesses, I am sure, take comfort in being a small fish among these big Aussie Striped Marlin 🐟

It’s one thing to hope that being a smaller target can help dodge some of the scrutiny, risk and urgency, but the proposed reforms are designed to put in place the very measures to stop such a mindset. 

Times in our Aussie-land are changing and that means it’s time to start preparing, now. 

As highlighted directly in the report:

“The proposed reforms are aimed at strengthening the protection of personal information and the control individuals have over their information. Stronger privacy protections would support digital innovation and enhance Australia’s reputation as a trusted trading partner.”

Given the current state of the world, it’s that last sentence that is also a very interesting one. Doing our bit to do the right thing by our customers (which let’s remind ourselves, is really doing the right thing by one another), goes beyond avoiding just a slap on the wrist. 

The collective impact of Aussie organisations not adhering to high integrity privacy protection standards may impact Australia heavily due to our dependence on international trade and foreign investment (it’s that big old island of ours with few people that does it). 

As other countries take a proactive approach, legislating controls and enforcing better standards, organisations will likely shy away from sharing data and trading across borders with countries that do not uphold those same standards. 

The simple fact is that this reform is a response to a call to action from the people to ask organisations to do better. 

As an analytics newsletter, my focus here is directly from an analytics lens. 

A company’s data strategy goes beyond analytics alone (legal, IT, digital, marketing, customer support); however, there are some key initiatives that analytics professionals can make strides in to prepare for the impending changes. In addition, there are some interesting and clever mitigation tactics that can be employed to better protect individual identities when conducting analysis. 

This week’s newsletter aims to provide a short list of ideas for your consideration. 

For preparation now and mitigation later

1. Know your consent for analytics use 

The reform explicitly outlines a need in Section 11.1 to “amend the definition of consent to provide that it must be voluntary, informed, current, specific, and unambiguous”. A clear understanding of what data organisations have consent to use, and for what purpose, will be imperative across every role. 

For analytics professionals in particular, this means understanding how data is collected, stored (and purged), and accessed, and for what report types. If these policies don’t already exist in your organisation, or they do but not all data and analytics teams deeply understand the policies, it’s time to get a wriggle on and get across it. 

2. Gone are the days of “collect it all in case” 

Shout out to my old friend Jacob Moran who highlighted an interesting key point at MeasureCamp recently. It was in the context of minimising data collection for reducing maintenance and storage costs, however it stands for data minimisation practices in general. 

(I’m paraphrasing by the way… )

Think about whether it’s important to collect all the time [as an always-on collection mechanism] or if this is going to be something that can be implemented for a short period to gain the same insight. If enough traffic [data] can be gathered within a short period of time to derive insight, don’t collect and store it all now. Collect it for a short period to offer you a meaningful sample size for analysis, then turn the tags off. 

I thought this was brilliant. Extending this concept to privacy, we can continue to minimise the data points we choose to store against a customer profile to mitigate the risk of exposing unnecessary behavioural or engagement-based traits tied to a user profile. 

By the same token, we can consider leveraging qualitative insights in the same way. A sample can sometimes be enough to derive insight. Just consider whether or not the data is even needed.

3. Let’s get anonymous 

Similar to the point above, just because you can tie it to an individual identity, doesn’t mean you should.

I actually find this to be the most enjoyable part of an analytics strategist’s role (don’t know what an “Analytics Strategist” is? Come work with me at The Lumery). 

Specifically, my favourite part of what we do is critically analysing the problem to be solved and attaching the best possible method for analysis. 

Any analyst knows there are often insights that can be derived from aggregate, anonymous sample data. In fact, if you don’t need to create a model or segment of customers to immediately activate on, chances are anonymous, aggregate data will suit you just fine. 

One form of anonymisation that’s generating noise in analytics circles at the moment is the incorporation of “synthetic data”. Synthetic data, just as it sounds, is artificially generated data that mimics the characteristics of an existing data sample. 

Synthetic data in particular is being used in many machine learning applications or applications where data sharing would otherwise be of a key commercial benefit but is against the privacy and consent guidelines of the individuals whose data has been captured. 

It allows organisations to create a set of data whose aggregate, distributed characteristics are similar to those of the original data sample, while protecting individual data records from being reproduced with 1:1 characteristics. 
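To make the idea concrete, here is an added example (not part of the original newsletter) of a very simple synthetic data generator: it reduces a constructed sample to per-plan summaries, then draws artificial rows from those summaries. The column names, the `min_group` threshold and the normal-distribution fit are assumptions chosen for illustration, and this approach carries no formal privacy guarantee on its own.

```python
import random
import statistics
from collections import defaultdict

# Constructed sample: (plan, monthly_spend) for customers who consented to analytics use.
REAL = [("basic", 18.0), ("basic", 20.0), ("basic", 22.0), ("basic", 19.0), ("basic", 21.0),
        ("pro", 50.0), ("pro", 55.0), ("pro", 60.0), ("pro", 52.0), ("pro", 58.0)]


def fit(rows, min_group=3):
    """Reduce rows to per-plan share, mean and standard deviation.

    Plans with fewer than min_group customers are dropped: a summary of one or
    two people describes those people, which defeats the purpose.
    """
    by_plan = defaultdict(list)
    for plan, spend in rows:
        by_plan[plan].append(spend)
    return {
        plan: {"share": len(values) / len(rows),
               "mean": statistics.mean(values),
               "stdev": statistics.stdev(values)}
        for plan, values in by_plan.items()
        if len(values) >= min_group
    }


def synthesise(model, n, seed=0):
    """Draw n artificial rows from the fitted summaries; no real row is copied."""
    rng = random.Random(seed)
    plans = list(model)
    weights = [model[plan]["share"] for plan in plans]
    rows = []
    for plan in rng.choices(plans, weights=weights, k=n):
        spend = rng.gauss(model[plan]["mean"], model[plan]["stdev"])
        rows.append((plan, max(spend, 0.0)))  # spend cannot be negative
    return rows


if __name__ == "__main__":
    model = fit(REAL)
    synthetic = synthesise(model, 5000, seed=1)
    print("real     :", model)
    print("synthetic:", fit(synthetic))
```

Comparing `fit(REAL)` with `fit(synthetic)` is the check to run before sharing: the summaries should agree closely, while the rows themselves are freshly drawn.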

4. Access, security & encryption 

Structuring the types of data that can be accessed and manipulated across an organisation has always been of high importance, though governance measures and standards are only likely to require additional rigour now. 

Partitioning, though typically used for improved performance and scalability, can be a tool that supports management of data types across an organisation, especially as the team scales. 

Similarly, the concept of “scratch databases” can allow teams to experiment and iterate on improvements with a subset of consent-granted, sampled customer data, which can further mitigate the access and security risk to core tables. As “scratch databases” are created and destroyed quickly and easily, they can also offer peace of mind and limit the maintenance load for ongoing security. 
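The scratch database idea, combined with the consent check from point 1 and the minimisation from point 2, can look like the following added example (not from the original newsletter). The schema, table names and sample rows are constructed for illustration, and SQLite stands in for whatever warehouse your team uses.

```python
import hashlib
import hmac
import random
import secrets
import sqlite3

# Constructed rows standing in for core tables (hypothetical schema).
CUSTOMERS = [  # (customer_id, email, plan, monthly_spend)
    (1, "ava@example.com", "basic", 20.0), (2, "ben@example.com", "pro", 55.0),
    (3, "cal@example.com", "pro", 60.0), (4, "dee@example.com", "basic", 18.0),
    (5, "eli@example.com", "basic", 22.0), (6, "fay@example.com", "pro", 52.0),
]
CONSENTS = [  # (customer_id, purpose): one row per purpose the customer agreed to
    (1, "analytics"), (1, "marketing"), (2, "marketing"),
    (3, "analytics"), (4, "analytics"), (6, "analytics"),
]


def build_core():
    """In-memory stand-in for the production database."""
    core = sqlite3.connect(":memory:")
    core.execute("CREATE TABLE customers (customer_id INTEGER PRIMARY KEY, "
                 "email TEXT, plan TEXT, monthly_spend REAL)")
    core.execute("CREATE TABLE consents (customer_id INTEGER, purpose TEXT)")
    core.executemany("INSERT INTO customers VALUES (?,?,?,?)", CUSTOMERS)
    core.executemany("INSERT INTO consents VALUES (?,?)", CONSENTS)
    return core


def build_scratch(core, sample_size, seed=0):
    """Copy a sampled, consented, minimised subset into a throwaway database."""
    # Only customers with analytics consent, and only the columns the analysis needs.
    rows = core.execute(
        "SELECT DISTINCT c.customer_id, c.plan, c.monthly_spend FROM customers c "
        "JOIN consents s ON s.customer_id = c.customer_id "
        "WHERE s.purpose = 'analytics'").fetchall()
    sample = random.Random(seed).sample(rows, min(sample_size, len(rows)))
    # Per-scratch key is discarded, so a pseudonym cannot be recomputed from a customer_id.
    key = secrets.token_bytes(32)
    scratch = sqlite3.connect(":memory:")
    scratch.execute("CREATE TABLE sample (pid TEXT PRIMARY KEY, plan TEXT, monthly_spend REAL)")
    scratch.executemany(
        "INSERT INTO sample VALUES (?,?,?)",
        [(hmac.new(key, str(cid).encode(), hashlib.sha256).hexdigest()[:16], plan, spend)
         for cid, plan, spend in sample])
    scratch.commit()
    return scratch  # closing the connection destroys the scratch data
```

Emails and customer IDs never reach the scratch copy, so access to it can be granted more freely than access to the core tables.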

When legislative changes occur, they tend to rattle our organisations from the inside out. There is absolutely no doubt that an end-to-end data strategy will be developed organisation-wide; however, in the interim there are many small but important steps analytics professionals can take to start shifting our mindsets to prepare for the impending change. 

I hope this provides a little inspiration and food for thought on where you might start with your team. 

Until next week. 

Hi I'm Kate! I'm relentlessly curious about the attribution and origin of things. Especially as it relates to being a corporate girly balancing ambition and a life filled with joy.
