Reputation, and the naming of things
I’ve worked at the Office of the Privacy Commissioner since 2001, and five years of that was spent on complaints. My job title was “investigating officer”, which I secretly quite liked; it made me feel a bit like being a PI in an old noir movie.
‘Complaint’, I discovered through experience, is a strange word to look at for a long time. Did you know it means lament, from the old French word complaindre? Mediaeval French troubadors probably sang complaints about their poor luck in love and the difficulty of getting good lute strings in wet weather.
Today complaints are still a form of lament, a song of wrongdoing whether alleged or actual; motivated by outrage, despair or, often, the desire to save someone else from a trouble that has befallen the complainant.
And when it comes to privacy complaints it is the job of John Edwards, the Privacy Commissioner, to listen to them all and decide what action to take.
When John investigates a complaint he is morally, and to an extent legally, obligated to keep the details to himself. The Privacy Act has always stipulated that complaints should be investigated confidentially, so complainants and respondents can feel comfortable coming forward about something that is likely to be sensitive, embarrassing or both.
But Privacy Commissioners have also always had the ability to disclose information when they consider it is the right thing to do, or, more precisely, to “disclose such matters as in the Commissioner’s opinion ought to be disclosed for the purposes of giving effect to this Act.” In practice this discretion hasn’t been used much.
In December 2014, John issued a policy on how, and when, and why he might choose to publicly name agencies that miss their privacy goals. Under the policy a decision to name would nearly always happen after the complaint has been resolved (unless it’s a matter of public safety or extreme public concern) and the agency would always get to have their say before the decision was put into effect.
For instance the Privacy Commissioner might decide to name an agency where multiple complaints of a certain kind indicate that it could do with some public attention being drawn to its processes.
Similarly, naming an agency, that through mistake or malfeasance has got things seriously wrong, can encourage other agencies in a similar situation to engage more quickly with the resolution of privacy issues in future.
Naming can warn the public, can encourage aggrieved individuals to come forward with complaints where they have been affected by the agency’s practices and may make it more likely the news media will pick up on similar stories in the future.
However naming is not a decision that will ever be taken lightly. Being named as breaching someone’s privacy in a complaint is quite likely damaging to an agency’s reputation, so it will only happen where the Privacy Commissioner decides that it is necessary to give effect to the Privacy Act. One important aspect of a case that would make him more likely to do that is where an agency’s conduct was both very serious, either because of a single very significant breach or a bunch of smaller ones, and it hasn’t addressed identified problems with its conduct.
It’s important to be clear that this isn’t about a disagreement over the law. There’s a lot of leeway in the complaints process for discussion, and disagreement, and finding a middle ground; our main focus is always going to be charting out an acceptable resolution for both complainant and respondent.
It’s more where, as happens occasionally, an agency simply whistles a little tune and makes a derisive hand gesture. In those circumstances it’s likely that the public will benefit from knowing that there is an agency out there that doesn’t choose to acknowledge the Privacy Act. It also means that other agencies in the same area won’t get tarred with the same brush, and that other people who might have been affected by that agency’s disregard for the law will be alerted to the decision and know to come forward and add their voices to the chorus.
Naming is unquestionably a significant step. So there are a number of contraindications. Where an agency’s actions, or lack of action, only affected one person; where there was no real actual harm to anyone; or where because of the circumstances it would be completely unfair to name the agency, it’s unlikely that naming would be the right thing to do.
Similarly, if an agency has come to us to put its hand up to a breach (“I left a bundle of my case files on the backseat of my car and it got stolen” is a hardy perennial) it’s unlikely that we’d need to proceed to naming.
There are likely to be reputational consequences from naming an agency, and that’s figured into the policy. Reputation, as Cassio noted in Shakespeare’s Othello, is the immortal part of us. It is a cloud of information that surrounds us that tells the world how it should see us. If you’re working as a doctor you are selling two things; your expertise, and your reputation, having spent years creating and maintaining both.
Privacy is ultimately a tool that gives people more control over their information, and the naming policy is intended to be responsive to that. Where your own business is concerned, you’re best advised to respond to privacy complaints carefully and listen well to what their songs are saying.