Privacy Law and Policy Reporter
In late 1994, the previous Minister for Finance, Kim Beazley, formed a group of four people to examine Commonwealth acquisition and use of information technology (IT). The IT Review Group comprised two consultants, one of the most senior and highly regarded of Commonwealth IT executives, Mick Roche, Deputy Secretary of the Australian Customs Service, and the equally well-reputed IT Policy tsar in LD, Ian Reinecke, who adopted the role of convenor.
The IT Review Group's 100-page report was published on 1 March 1995 under the title Clients First. The report is potentially very significant, both for the application of IT in the public sector, and for the information privacy of all Australians. It accordingly warrants a review in PLPR.
The report's purpose is to shift the focus of governmental computing beyond mere automation of transaction processing, to the re-engineering of business processes on the one hand, and to applications with greater strategic impact on the other. It provides a valuable summary of the current state of IT in the Commonwealth government (pp 5-13, 83-97).
In corporations, the recent vogue of strategic applications of IT has been driven by competitive considerations. There is a serious gap in the theoretical literature concerning the notion of strategy for not-for-profit organisations in general, and government agencies in particular. No-one doubts that 'service' will be a key element of whatever theory finally emerges. Moreover, of the 'strategic thrusts' which have been identified in the private sector, cost reduction, internal integration and external integration all appear to be applicable in the public sector too.
The report is permeated by references to client service. It urges agencies to take up opportunities to deliver better services while containing costs, and to 'adopt a service vision that puts clients first' (p iv). The positive message is summed up in this passage (at 27):
A fundamental question in the use of information technology is whether that use is determined by the needs of the client or by the requirements of agencies that perceive themselves as owning data. The shift from the latter to the former view involves a major conceptual change for governments everywhere and will increase in importance as the focus of service delivery moves from agency structure to client need.
The primary manner in which it is envisaged that client service will be improved (pp ix, 25-26, 29-31) is through 'single points' of access by: clients to multiple sources of agency services' (p ix), 'a coherent whole-of-enterprise vision of client service' (p 29), electronic delivery of services and public kiosks (pp. 26, 29), and 'one-stop-shops and agency-to-agency co-operation' (p 30). In some unexplained manner, IT is to be combined with 'a more rational view of clients' such that 'policy options' emerge for treating them as individuals, rather than in the generic fashion inherent in many existing programs (p 30).
The message about client service is mixed, however, and it has to be doubted whether the report really intends to reverse the recent trend away from client service and towards client control. For example, although the Review Group consulted with scores of government agencies and IT suppliers (pp 73-75), it did not see fit to seek the views of a single representative of the public sector's clients.
Moreover, the flavour becomes threatening at times; for example 'transactions between government and its citizens are changing ... as the use of information technology in delivering services becomes prevalent. Content of the transaction can be enriched by information technology moving the scope of the interaction from that of a single event to an episode, or a series of connected events. For example, 'Working Nation' proposed that clients be regarded in this fashion for the payment of unemployment benefits' (p 25).
Reasonably enough, cost reduction continues to be seen as important (p 25). The claim is made that economies of scale exist in mainframe computing, and it is therefore argued that the 17 smaller mainframe sites (50-150 MIPS) should be consolidated into a smaller number of sites each with in excess of 200 MIPS (pp 41-42). With computer and network technologies continuing to migrate away from centralised structures toward dispersed architectures, and IT economics away from economies of scale toward closeness of fit to organisational need, this is an unconvincing proposal, more attuned to the 1960s than the late 1990s.
In addition to consolidation to achieve cost savings, prominence is given to an external integration thrust. The report proposes 'a co-ordinated approach to the management of information technology across government' (p ix) standardisation and reuse (p 18), joint ventures and alliances (p 19), and outsourcing (pp 19, 57-64). This extends as far as to propose consolidation of infrastructure by aggregating like agencies on the basis of business type' (pp x, 42). Given that many of these agencies are intrinsically little more than information processors, that proposal inevitably implies organisational consolidation as well.
Many of the themes that emerge in the report (such as one-stop-shops, agency-to-agency co-operation, a more rational view of clients, the construction of client transaction trails, site consolidation, and external integration among agencies and between agencies and corporations) lead very directly to privacy concerns; yet privacy is expressly mentioned at only a very few points in the IT Review's report.
The sole mention of privacy in the covering letter to the Minister suggests that an enlightened view exists: 'Privacy guidelines that were developed in an information systems environment dominated by central computing should be reviewed in the light of this report to take account of the potential benefits offered to clients and the Commonwealth by new systems approaches' (p v).
It also seems heartening to read that:
Clients may wish to have a greater say in specifying levels of confidentiality based on balancing their individual service needs against the generalised need to protect their personal information. This point has been raised in submissions, on the premise that demand for privacy of information may increase as the potential of new technologies to deliver is realised. It has also been suggested that in the absence of a national approach to achieving this balance, lack of consumer confidence about privacy issues will lessen potential benefits of electronic client services (pp 27-28).
Subsequent passages, however, make clear the real meaning of those bland statements. The 'potential of the new technologies to deliver' appears to apply only to data security, rather than to the full gamut of privacy protections (pp 28, 32). Moreover, 'it is likely these developments will begin to create an environment that questions blanket prescriptions against once-only collection of personal information by government' (p 28). In other words, the bulwarks placed between agencies by privacy protection principles in general, and the Privacy Act 1988 in particular, are to be broken down by the white heat of the rampant technological imperative.
This is stated quite emphatically in a short section headed 'Privacy and Security':
Strategies for exploiting the benefits of cross-agency information flows need to recognise that this issue reaches ... to questions of client perception [but not, it seems, to client needs or rights]. ... [A]s standards of privacy change, the view of information held by government is likely to be modified. The current formulation of limiting the use of personal data to the purpose for which it was originally collected would render invalid many activities in retail banking, direct marketing and target selling. The Review Group believes that as community standards change, government information should not be placed in a special category that limits the potential to provide improved client service (p 32).
This plea for removal of the constraints that the Privacy Act imposes, culminates in Recommendation 5, to the effect that 'the Commonwealth formally assess the future relationship between existing privacy guidelines and the potential of multiple agencies to deliver services to clients through single points of contact' (p 32).
In calling for the same freedoms enjoyed by 'retail banking, direct marketing and target selling', the Review Group demonstrates just how out of touch with public policy directions they are. The far more likely development is the extension of enforceable privacy rights to the private sector, as has already happened throughout Europe (and is accelerating with the EU Data Protection Directive - see (1995) 2 PLPR 80), in NZ, and in a bill awaiting enactment in Hong Kong.
The awareness of privacy issues shown by the IT Review Group is lamentably poor. Their comments appear stuck in a timewarp, as though they were unaware of the sea-change that has occurred in attitudes and expectations among the public. Six years after the enactment of a set of 11 Information Privacy Principles, the senior echelons of the public service seem to still equate privacy with just one of those 11, namely security. The report reflects no appreciation that such matters as data quality, and limitations on collection, use and disclosure, are of great concern to the public.
It is apparent that the Review Group perceives contemporary data surveillance maturing into a more comprehensive form of behaviour surveillance, particularly for those people who have considerable dealings with government agencies, and especially those in dependency relationships. Control of fraud against the Commonwealth is leading to re-definition (dare one say 'new-speak'), whereby 'service' does not mean assistance to, for example, the temporarily unemployed, but rather continual and co-ordinated monitoring of the interactions of unemployed people with every government agency.
Contrary to the IT Review Group's presumptions, a single point of delivery does not necessarily imply the merger of organisations and functions. A shop-front (whether physical or electronic) needs to act as an agent for the various agencies, and to carefully separate the data flows.
The era of blind worship of the economies-of-scale principle has passed, and consolidation of infrastructure is far less desirable than co-ordination. Consolidation of agencies themselves needs to be strenuously resisted, in order to prevent the emergence of monolithic government. The public definitely has an interest in keeping one another under control, and thereby keeping taxes down; but it has an even more important interest in restraining the power of its servants, and thereby sustaining Australian democracy as government by the people rather than by the public service.
One further indicator of the lack of maturity in privacy matters was the Review Group's failure to find time for the Privacy Commissioner in its long list of consultations. The following day, he issued an uncharacteristically sharp rejoinder, quoted in The Sydney Morning Herald. Shortly afterwards, the leading IT industry weekly, Computerworld, ran a front-page item which expressed serious concerns about the report's tone (Australia Card fears flare again, 24 March). It was unnecessary for privacy lobbyists to re-invoke that divisive period between 1985 and 1987 - the Human Rights & Equal Opportunities Commission had already done so: Lindy Smith, head of the Commission's privacy branch, says cross-matching of data and sharing databases have been a concern to the Commission 'That was the whole basis of the Australia Card debate', Smith said.
The IT Review Group comprised people of undoubted quality, and the majority of its analysis is sensible and forward-looking. This makes the deficiencies in relation to privacy all the more disappointing. It appears that the senior echelons of the Commonwealth Public Service may have learnt little from the debates and the debacles of the last decade. The Privacy Commissioner continues to be ignored during the policy-creation process, and his staff continue to be treated as mere publishers of codes of practice negotiated to suit the needs of agencies. This report provides evidence that senior public sector executives regard the Privacy Act 1988 as a temporary inconvenience, to be shuffled to one side as technological determinism demands and opportunity permits.
The report shows a thoroughly inadequate appreciation of the demands of Australian society for balance to be found between social controls and privacy interests.
'Clients First: The Challenge for Government Information Technology'
Financial Management Division, Department of Finance, Newlands Street PARKES, ACT 2600, tel, (06) 263 3462, fax, (06) 263 2466, X.400 e-mail address: e-mail address: Allan.Maclean@Finance.Ausgovfinance.Telememo.au
Roger Clarke is Reader in Information Systems in the Department of Commerce at the Australian National University, a long-time data surveillance researcher and privacy advocate and a member of the Editorial Advisory Board of PLPR.