The APF comprises professionals who have background in a wide variety of professions, industries and technologies. They bring their expertise to bear on proposals and issues by gathering evidence, drawing evidence-based conclusions, and providing verbal and written submissions. Moreover, APF members generally perform this work pro bono, as volunteers, in the public interest. Organisations that listen, and use the information provided, achieve high returns on their investment.
The APF participates in consultations with proponents of projects that have potentially negative privacy impacts. Where possible, it also works with proponents of privacy protective measures, including laws, codes, organisational measures, business processes, system design features and privacy enhancing technologies (PETs).
The APF undertakes consultations with organisations of many kinds. These include corporations (e.g. Google), industry and professional associations (e.g. Communications Alliance, Universities Australia, Media Alliance), oversight agencies (e.g. the Australian Privacy Commissioner), government agencies in all jurisdictions (e.g. the Office of Transport Security, the Commonwealth Attorney-General’s Depatrment, Centrelink, Queensland Transport, Penrith City Council) and multi-governmental organisations (e.g. the National eHealth Transition Authority – NEHTA).
However, in order to commit the time, effort and opportunity-cost involved in participating in consultations, APF members expect that the organisation sponsoring the project will be committed, and that the process will be effective. Unfortunately, that has not always been the case.
This Policy Statement identifies the key features of effective consultations, and aspects that undermine them.
Positive Indicators of Effective Consultations
Initiation
- Inititation by the sponsoring organisation
- Evidence of executive commitment to identify and address privacy concerns
- Active effort by the sponsoring organisation to identify, and gain the involvement of, the relevant privacy advocacy organisations
Conduct
- Provision to privacy advocacy organisations of sufficiently comprehensive and clear information about the proposal
- Provision of information in advance of meetings, rather than in the meeting itself
- Provision of short, verbal briefings to supplement the previously-distributed information
- A practical approach to any confidentiality and security issues
- Facilitation of interactions among stakeholders in order to identify concerns, clarify issues, define problems, and come up with ways to avoid or at least mitigate negative privacy impacts
- Documentation of the outcomes of consultations
- Progressive development of an ‘issues register’ to record problems and their potential and agreed solutions
- Progressive development of a ‘privacy design features paper’, showing which features are intended to avoid or mitigate which privacy issues
Results
- Outcomes that demonstrate accommodation of the perspectives of the consultees, e.g. assimilation of impact avoidance and impact mitigation measures into subsequent rounds of documentation, and into design and implementation activities
- Specific commitments to avoidance and mitigation measures as part of the design
- Control mechanisms to ensure carry-through on the commitments
Negative Indicators
- Provision of information only in meetings, rather than in advance of them
- Communication-avoidance behaviours, such as non-response to communications, slow responses or vague responses that fail to address the questions asked
- Engagement-avoidance behaviours, such as the absence of key staff from meetings, and the use of consultants not only as facilitators and advisors but also as a shield between the organisation and the consultees
- Unwillingness to provide travel expenses and per diems to ensure that the appropriate people can participate in events
- Stage-managed meetings that are dominated by briefings and ‘talking at’ participants and that limit the air-time for participants to enquire, discuss and suggest
- Defensive behaviours, such as unrealistic or excessive approaches to confidentiality or security issues, ill-justified denial of information, or the ruling of relevant aspects of the matter to be off the agenda
- Commitment-avoidance behaviours, such as statements to the effect that the organisation reserves the right to cancel the process or ignore the outcomes, or that staff present at meetings do not have the authority to bind the organisation
- Inadequate follow-up to meetings
- Absence of effort to sustain corporate memory through the process, e.g. through staff-turnover without strong handover/takeover procedures
- Inadequate follow-through on commitments made
Results
- Little or no assimilation of the information provided by privacy advocates
- Changes limited to marketing communications rather than being embedded in the scheme’s design