Today, August 6th, Salinger Privacy turns 20!
To mark our birthday, the whole team pitched in with reflections on how the privacy field has changed, what we have learned along the way, and our hopes for the future.
We’ve come a long way
Our Principal Anna Johnston reflects that when she founded Salinger Privacy in 2004, the world was very different: “no social media, no smartphones, no Internet of Things, AI was only mentioned in sci-fi, and Google was still the new kid on the block”. The September 11 terror attacks were still fresh, so when advocating publicly for better privacy protections, she was often labelled a zealot, or part of the ‘tin-foil hat brigade’.
And privacy advice wasn’t always well-received either. In the early days of starting a privacy consulting business – “so long ago that the term ‘start-up’ wasn’t even a thing then” – Anna liked to joke that rather than Privacy Impact Assessment, PIA could have stood for “Pay to Ignore my Advice”. Happily, we’ve come a long way since then.
So not surprisingly, Anna nominates shifting attitudes towards privacy – from the community, from our clients, and finally from politicians – as a key change over time: “I see greater awareness of the privacy risks of collating and sharing personal information. Technological evangelists are met with greater scepticism. People are so much more aware of the possible harms now, and they expect the law and regulators to step in and protect them”.
Our Senior Privacy Consultant Emily McGufficke struck a similar note: “Most people I talk to about privacy are not only aware of privacy risks and harms, but they have also felt them play out as victims of data breaches”. As a result, the ‘hard sell’ of privacy to business is over: “While privacy laws may have been viewed as a compliance burden by some in the past, good privacy practices are now properly seen as a value proposition that can build customer trust and give organisations a competitive edge”.
As a result, many of our clients are now thinking deeply about how they can best protect privacy, above and beyond what the legal minimum requirement asks of them. They get it: they need community acceptance, or ‘social licence’, beyond baseline compliance.
We now see privacy management as a profession shifting from tick-box legal compliance, to a more nuanced task of finding the appropriate point of intersection between law, technology and ethics.
And because technology is always changing, the work is anything but boring. Melanie Casley has worked as a Senior Privacy Consultant with us since 2019, but her career in privacy goes back more than 20 years, including across in-house roles and senior experience at what is now OVIC. She reflects that her long tenure in privacy practice would have surprised her younger self: “If someone had said to me as a university graduate, You should specialise in privacy compliance, I would have said No way, I don’t want to be stuck in one field my whole career!”
But she hasn’t felt typecast at all: “This is an area of work that continually evolves and gives rise to new challenges – particularly in data ethics. Each new technological advance in commerce, government or society requires us as privacy consultants to adjust our critical thinking, and to seek out tools and options to protect privacy interests. This is why I’m still here, continually fascinated, and passionate about privacy protection”.
Privacy & Technology Specialist Alex Kotova, who has worked in privacy roles across banking, retail and insurance industries, also noted the changing recognition that privacy is a career path: “When asked what I do for work, I’ve gone from people nodding politely when I say I work in privacy, to Oh like with Optus and Medibank?, and now to Oh hey, what do you think of XYZ scenario?”
With that recognition, investment in privacy has followed, along with the realisation that it takes a village: privacy cannot be just one person’s job in an organisation. Justin Frank, fellow Privacy & Technology Specialist, worked in technology roles before studying law: “20 years ago, privacy was something that was rarely, if ever, raised in project meetings, and certainly there was no mention of ‘privacy by design’”. But now? “Technology teams have become some of the greatest allies that we have when it comes to best practice for collecting, handling and securing personal information”.
Our business has evolved too. Since joining us seven years ago, our Office Manager Jo Funtanilla has overseen the changes: “We started offering face-to-face training locally, expanded interstate, before the pandemic caused us to transition to live virtual – and now we have more national and international enquiries and bookings than ever”.
Jo also looks after sales and support for customers seeking online training modules or compliance resources, and she observes that “proactive privacy compliance clients are the happiest people”.
Which brings us to…
The privacy community
Privacy people are the best people!
The privacy profession in Australia and New Zealand, although relatively small, is a tight-knit community of collaborative and passionate individuals. And that community is growing, as we start to draw not only from legal and compliance fields, but increasingly from the fields of digital, data, tech, tech policy, AI, and so on.
Our Director of Learning Andrea Calleia would be well-known to many, having met hundreds of attendees at our training courses over the years. Andrea says she loves “hearing participants share insights about their experiences, and views about the training topics we have covered”, and marvels at how so many privacy pros are willing to freely share their expertise with others.
Andrea has also noticed a shift over time from our in-house clients when identifying their training needs, “from initially wanting to understand what the law says, to then thinking about how to apply the privacy law, to now wanting to build privacy considerations into how they work across all different processes and product development”. Often these are repeat clients, changing up their approach over time. She sees this as a very positive development: “It shows me that there are organisations out there that really do care about privacy, care about doing ‘the right thing’, and consider ‘respecting privacy’ as one of their organisational values and responsibilities”.
We have also learned that privacy peeps love story-telling!
Clients of Andrea’s in-house training know she loves developing a good hypothetical scenario to get participants’ brains ticking over.
And Anna reflects that from our public presentations and blogs, through to our approach to training, some of our ‘biggest hits’ have been when we have used relatable analogies, cartoons or real-life stories to illustrate privacy concepts.
The messages which continue to resonate include the chicken, egg and farmer cartoons we commissioned to illustrate eight privacy design strategies, the shameless name-dropping of Bradley Cooper to highlight privacy risks, the process of ordering a burger to illustrate consent in privacy law, and the invention of a fictional cohort of high school students including Kanye Peacock and Beyonce Phoenix to illustrate how different de-identification techniques work. (BTW if you want to know more about deID, Anna will be teaching a masterclass in de-identification at the IAPP ANZ Summit in November.)
The challenges
Advances in tech have facilitated data collection and handling practices – and privacy harms – that were not imagined 20 years ago: the growth of the digital age; the rise of AI; as well as the scale and nature of data breaches.
Emily noted that “It’s amazing to think that a set of legal privacy principles established in 1988 (with some tweaks) are still working hard to protect privacy in the face of developments the drafters could not have dreamt of!”
On the other hand, the problems evident years ago are still there. Emily started her privacy career 17 years ago, answering enquiries at the OAIC. She notes that some intrusive privacy practices are yet to be addressed, because the exemption for small businesses is still in place: “I can still hear echoes of callers on the hotline saying: So you’re telling me X can do Y? – and those complaints would still be relevant today, because of the gaps in the Privacy Act”.
In many ways, from a legislative perspective it feels like we are being left behind – as Justin observed: “We are walking to catch up in a space where we really need to be sprinting”. The risks to privacy posed by the rapid development and deployment of AI technologies, in particular, are an area where more robust (and robustly enforced) legislative guardrails are desperately needed.
Future thinking
Of course, it’s not all doom and gloom. We also look forward to technological developments – not just public interest developments like ground-breaking medical breakthroughs, but also useful personalisation that doesn’t come at the cost of our control over what we choose to share about ourselves. (Alex is hoping for Mecca to come up with the ideal, personalised moisturiser recommendation, while Mel fantasises about a world in which her work PC can read her mood to deliver a perfectly timed and brewed coffee.)
Perhaps the best indication that, as a community, we have the power to shape technology and the law for the better, is that conversations around managing privacy are continuing to evolve.
While we used to talk about privacy as giving customers choice and control over how their personal information is handled, Emily noted how the conversation is now shifting to organisational accountability and responsibility, to only handle personal information in a fair and reasonable manner, that meets community expectations. (And here’s hoping this shift is reflected in the upcoming law reform!)
Likewise there is growing recognition that privacy harms can occur even when people are not ‘identified’ in the traditional sense, which is why Anna’s number one hope for the future is for individuation to be brought into the definition of ‘personal information’ in the Privacy Act.
But perhaps the final say on our wishes for the future should come from Alex: “I dare to dream that one day we will all be privacy nerds”. Yes, what a world that would be! Check back with us in another decade or two, to see if we’re there yet.
With thanks
We feel incredibly lucky to have sustained and grown a business over 20 years in a human rights field we are all passionate about – and privileged that Salinger Privacy is considered a leader in this field.
So thank you to you, our clients, subscribers and fellow privacy travellers – for we are nothing without our community.
With best wishes from the Salinger Privacy team: Alex, Andrea, Anna, Emily, Jo, Justin and Mel x
Salinger Privacy by the numbers
Years: 20
Blogs: 102 (plus this one)
Public training courses and webinars: 88
In-house training programs for clients: 203
PIAs for clients: 73 before we lost count*
Consulting engagements for clients such as compliance reviews, maturity assessments, gap analysis, advice on data ethics or Privacy by Design, and drafting privacy frameworks / policies / procedures: Way too many to count!*
Law reform submissions published: 23
Sectors for which we have tailored privacy Compliance Kits: 6 (WA, we’re looking at you next!)
Online training modules available off-the-shelf: 17
eBooks published: 8 (plus our free Handbook)
Editions of ‘PPIPA in Practice’: 70
NSW privacy cases read and annotated for ‘PPIPA in Practice’: 603 (!)
* We like to practise what we preach about data retention, so we don’t keep client records after 7 years
Phew, for a small team we’ve done a lot in 20 years! Here’s to the future of privacy – hope you can stick with us.
Photograph © Matthew Ball on Unsplash