The APF comprises professionals who have backgrounds in a wide variety of professions,
industries and technologies. They bring their expertise to bear on proposals
and issues by gathering evidence, drawing evidence-based conclusions, and providing
verbal and written submissions. Moreover, APF members generally perform this
work pro bono, as volunteers, in the public interest. Organisations
that listen, and use the information provided, achieve high returns on their
investment.
The APF participates in consultations with proponents of projects that have
potentially negative privacy impacts. Where possible, it also works with proponents
of privacy protective measures, including laws, codes, organisational measures,
business processes, system design features and privacy enhancing technologies
(PETs).
The APF undertakes consultations with organisations of many kinds.
These include corporations (e.g. Google), industry and professional associations
(e.g. Communications Alliance, Universities Australia, Media Alliance), oversight
agencies (e.g. the Australian Privacy Commissioner), government agencies in
all jurisdictions (e.g. the Office of Transport Security, the Commonwealth Attorney-General's
Department, Centrelink, Queensland Transport, Penrith City Council) and multi-governmental
organisations (e.g. the National eHealth Transition Authority – NEHTA).
However, in order to commit the time, effort and opportunity-cost involved
in participating in consultations, APF members expect that the organisation
sponsoring the project will be committed, and that the process will be effective.
Unfortunately, that has not always been the case.
This Policy Statement identifies the key features of effective consultations,
and aspects that undermine them.
Positive Indicators of Effective Consultations
Initiation
- Initiation by the sponsoring organisation
- Evidence of executive commitment to identify and address privacy concerns
- Active effort by the sponsoring organisation to identify, and gain the involvement
of, the relevant privacy advocacy organisations
Conduct
- Provision to privacy advocacy organisations of sufficiently comprehensive
and clear information about the proposal, in advance of meetings
- Availability of travel support and per diem / sitting fees, to
reflect the facts that, unlike representatives of business and government
interests, many consumer and privacy advocates do not have an employer able
and willing to fund their participation, and that many advocates bring deep
expertise to the table and are forgoing time and in effect performing charity
consultancy
- Provision of verbal briefings to supplement the previously-distributed information
- A practical approach to any confidentiality
and security issues
- Facilitation of interactions among stakeholders in order to identify concerns,
clarify issues, define problems, and come up with ways to avoid or at least
mitigate negative privacy impacts
- Documentation of the outcomes of consultations
- Maintenance of corporate memory, and cumulative commitment by all participants,
through ongoing involvement by individuals with a personal commitment to the
process
- Progressive development of an 'issues register' to record problems and their
potential and agreed solutions
- Progressive development of a 'privacy design features paper', showing which
features are intended to avoid or mitigate which privacy issues
Results
- Outcomes that demonstrate accommodation of the perspectives of the consultees,
e.g. assimilation of impact avoidance and impact mitigation measures into
subsequent rounds of documentation, and into design and implementation activities
- Specific commitments to avoidance and mitigation measures as part of the
design
- Control mechanisms to ensure carry-through on the commitments
Negative Indicators
- Commitment-avoidance behaviours, such as failure to establish and sustain
a coherent process, stop-start communications, statements to the effect that
the organisation reserves the right to cancel the process or ignore the outcomes,
or emphatic statements that staff present at meetings do not have the authority
to bind the organisation
- Unwillingness to make available travel expenses and per diems /
sitting fees to ensure that the appropriate people can participate in events
- Communication-avoidance behaviours, such as non-response to communications,
slow responses or vague responses that fail to address the questions asked
- Defensive behaviours, such as unrealistic or excessive approaches to confidentiality
or security issues, ill-justified denial of information, or the ruling of
relevant aspects of the matter to be off the agenda
- Absence of effort to sustain corporate memory through the process, e.g.
through sporadic involvement by employees who have little personal commitment
to the process, and staff-turnover without strong handover/takeover procedures
- Engagement-avoidance behaviours, such as the absence of key staff from meetings,
and the use of consultants not as facilitators and advisors but as a shield
between the organisation and the consultees
- Stage-managed meetings that are dominated by briefings and 'talking at'
participants and that limit the air-time for participants to enquire, discuss
and suggest
- Inadequate follow-up to meetings
- Inadequate follow-through on commitments made