Q & A with Paxton Booth

Tell us a bit about yourself and your previous roles.

Prior to commencing as the Privacy Commissioner (Qld) I was the Executive Director, Corruption Strategy, Prevention and Legal at the Crime and Corruption Commission, Queensland (CCC). I have held several positions at the CCC during my 11 years of employment. Most recently I lead the identification of strategic corruption risks, prevention initiatives and corruption audits. In this role I oversaw the public hearings and public report from Operation Impala which examined improper access to and dissemination of confidential information by public sector agencies.

I also worked at the Office of the Health Ombudsman for 9 months as the Executive Director of Investigations on a secondment during this period.
I spent 11 years working for the Queensland Police Service (QPS) as a lawyer. I provided legal advice into investigations about major and organised crime to the QPS and represented the QPS in Supreme Court applications for surveillance devices and other police powers.

I also spent 5 years working at the Office of the Director of Public Prosecutions in various positions.

I have a Bachelor of Laws and Bachelor of Commerce and was admitted as a Barrister of the Supreme Court of Queensland in 1997. I recently graduated from the Australian Institute of Company Directors course.

What is on your agenda for the next 12 months?

I look forward to supporting agencies to identify privacy by design solutions that help build greater trust through transparency and enable improved outcomes for the community. I also want to empower the community to better protect their personal information and be aware of their rights. This will lead to better informed decisions by the community if they are asked to disclose their personal information to agencies.

Privacy can be positive tool that can be used by agencies to demonstrate their commitment to accountability and transparency. I will be encouraging all agencies to look at privacy as an opportunity to engage positively with the community.

What are you seeing as the most important considerations in the changing digital landscape?

Digital technology is increasing at an ever-expanding rate. With changes in technology come changes in the way in which people’s personal information is collected and managed by agencies. It is imperative that agencies build in good privacy practices at the beginning of any new project, especially digital projects which have the capacity to gather and store large amounts of personal information.

Digital solutions have a capacity to improve outcomes for many people, however, new technology must not discriminate nor disadvantage individuals simply because they don’t want to give their personal information away. Getting privacy right at the beginning will improve the experience that customers have with new technology. This in turn will lead to greater trust, engagement and faster adoption by the community.

The Queensland Office of the Information Commissioner's submissions to the Commonwealth Privacy Act Review provide strong support for aligning the Commonwealth Privacy Act and state privacy frameworks with the EU General Data Protection Regulation (GDPR). What do you see as the advantages of such alignment for Queensland agencies, and organisations contracting with such agencies?

Dealing with privacy laws can be complex particularly where some agencies have to manage their business across a variety of jurisdictions.

Having consistent privacy principles will make compliance easier for government agencies, contracting agencies and the community alike. It will reduce confusion over an agencies compliance obligations and result in a reduction in costs for business.

Operation Impala (2020) made a number of recommendations about increased powers of the Office of the Information Commissioner, including that the OIC have own-motion powers under the IP Act to strengthen existing powers and better identify systemic issues arising from an act or practice of an agency; and power to make a declaration following such an investigation. Do you see this as an important area for reform?

Yes, the Information Privacy Act 2009 has not been significantly changed since it was first introduced in 2009. There are several changes that could be made to the current privacy framework in Queensland, including increasing the powers available to the Office of the Information Commissioner (OIC) that would make Queensland’s legislation a more contemporary privacy model.

The OIC would also welcome the introduction of a Mandatory Notification of Data Breach (MNDB) scheme in Queensland. I believe this is one of the hallmarks of a contemporary privacy model and would be beneficial for the Queensland community and agencies by increasing transparency and accountability.

It would increase certainty for the community by creating an obligation that they will be notified in the event the breach is serious enough to warrant reporting. It would also encourage agencies to ensure they have robust policies and procedures to reduce breaches and a clear process in the event there is a serious breach. A recent inquiry (2019) in New South Wales about the introduction of a MNDB scheme found there was overwhelming support for a MNDB scheme in that state.

The Commonwealth notifiable data breaches scheme is now in its fourth year of operation. The most recent report (July- December 2021) shows malicious or criminal attacks remain the leading source of breaches, but a significant rise in breaches due to human error. What do you see as the benefits of a mandatory data breach notification system, and do you support its introduction in Queensland?

Yes, a MNDB scheme would have a number of benefits for Queensland. In addition to what I have mentioned above, a MNDB scheme which requires early notification of data breaches to affected parties will have a lot of benefits for individuals.

It will allow them to take action to reduce any risks as a result of the breach such as changing passwords, mitigating any risks associated with financial loss and consider whether there are any adverse impacts to their safety which require action. For example, most agencies that hold a person’s residential address will know whether that information is particularly significant to their safety due domestic violence issues. Informing people quickly about data breaches allows them to make their own assessment of the risks posed and take immediate action.

Automated decision-making is becoming increasingly common across government agencies and the private sector. What privacy protections do you see as critical to the adoption of such tools?

Automated decision making offers a number of benefits and risks. If done well it can improve administrative efficiency and deliver better services to more people and the right people. If done poorly it can result in certain classes of the community being unfairly disadvantaged, even discriminated against.

It is essential that any process which includes automated decision-making is well designed and tested, especially in relation to the impact on people’s privacy. There are a number of papers that are currently available that discuss the risks and potential benefits of AI. One heavily reported example was the robodebt scheme where the application was poorly executed and significantly impacted a large number of people in the community.
In other areas augmented decision making with the aid of artificial intelligence can have positive outcomes. Augmented decision making is where information from the artificial intelligence is not replacing a decision by an individual, but is just another tool to assist in the decision-making process.

This year during Privacy Awareness Week (PAW) (commencing 2 May 2022) the Office of the Information Commission is launching PAW with a presentation from Professor Ed Santow about the interaction between AI and privacy rights. With a focus on the rise of facial recognition technology, Professor Edward Santow talk about how agencies need to “bake in” privacy protections to artificial intelligence solutions as part of the way AI is designed, developed and used and how this could improve trust for agencies. The theme for PAW this year is Privacy - the foundation of trust.

What are your top tips for organisations in protecting privacy?

Develop a privacy culture that promotes good privacy practices. Adopting the Privacy by Design (PbD) approach to new projects is a must. Agencies need to think about the potential impacts of privacy at the beginning of any new project. Using a privacy impact assessment tool is a great way to do that. The impacts of privacy should then regularly be re-evaluated, particularly if there is a change in scope to the project. Getting privacy considerations right at the beginning of any project is crucial and will result in a better product or service, reduce privacy complaints and costs. If privacy becomes a last-minute assessment during the project, it will be seen as an obstacle or impediment to the implementation instead of being a valuable tool that will increase transparency, community confidence, trust and accelerate the uptake of new products and services.

Some of the key things that agencies should communicate to clients when collecting personal information is why it’s being collected, what will it be used for, how is it stored and who will it be disclosed to. All of this leads to better transparency and increased trust by the community when they know and understand how their personal information is being managed.

Good privacy practices are important no matter what sector your agency works in.

To find out more about preparing your organisation's privacy impact assessments, or for other services to improve privacy practices, contact Sonja Read.