
By Malcolm Crompton, Chris Cowper, and Martin Abrams
The Privacy and Trust Partnership (P&TP), a consortium of Australian businesses whose core activities rely on the use of personal information, including a credit reporting bureau, data brokers and IT companies, last year sponsored a project to consider privacy protection and trust in the information economy.

The consortium's view was that traditional approaches to protecting individual privacy, based on 30-year-old thinking embodied, for example, in early credit reporting law, the Fair Information Practice principles and the 1980 Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, are struggling to keep pace with the speed and volume of personal information flows in the world's economies, let alone new uses such as business analytics. Its starting point for the P&TP project was that, if a better way could be found, the payoff would lie in safely unlocking the enormous further value in personal information.

About the project
The P&TP project had two key aims. Firstly, it recognised that, to be effective, any new approach to privacy and trust would need to consider the interests and values of all of the players. To this end the consortium hosted two workshops bringing together key Australian stakeholders in the personal information use debate, including businesses, consumer and privacy advocates, and regulators.

Secondly, the consortium sought some innovative thinking on the issues. Consultants to the project, Information Integrity Solutions Pty Ltd (IIS) and the Centre for Information Policy Leadership (CIPL), prepared two papers: A New Approach to Trust and Privacy in the Information Age; and a working paper which proposed some themes and a possible framework based on a privacy risk rating. The papers and other information about the project are available at and

Scoping the problem
The P&TP papers explored the proposition that there is enormous value to be unlocked for everybody in the responsible use of personal information, often in ways not previously anticipated. Alan Greenspan, for example, pointed to its value in reducing "knowledge float," because personal information is a valuable input to data analytics for risk management, marketing and the like, whether in online transactions or in new or improved business processes (transcript found at

The papers argued that this potential is clouded by a worrying conundrum: despite an increasing array of laws designed to protect personal information and its security, nobody is fully satisfied with the result. Individuals do not feel that their personal information is safe, businesses find privacy rules constraining and onerous, and government officials and regulators find it difficult to respond effectively to the needs of either group. In short, both current and future uses of personal information and personal safety are at risk. This situation appears to hold across economies, whether in Australia, which has a general privacy law as well as issue-specific laws, in the United States, which to date has dealt with issues sector by sector (credit reporting, Gramm-Leach-Bliley, HIPAA, Do-Not-Call, etc.), or elsewhere.

The consultants pointed to a range of contributing factors including:

  • the almost unimaginable amount of personal information generated in the digital economy; one article puts it at "three million times the information in all the books ever written," with predictions that by 2010 the volume will increase "more than sixfold to 988 exabytes." ("Humans Created 161 Exabytes of Data in 2006,", March 7, 2007, );
  • traditional privacy principles rely on giving individuals fine-grained control via notice and consent mechanisms which, together with the inherent purpose limitations, add up to a costly, inflexible regime for business that also stifles innovation;
  • the current rules rely on individuals being able to make rational choices and being the front-line enforcers of their own privacy when things go wrong. In practice, the result for individuals is too many notices and too little time and expertise to assess them;
  • such privacy rules also tend to assume binary relationships between individuals and businesses, not the networking of information and extended value chains that characterise both the online world and current business models (analytics, Facebook, credit reporting, ID authentication, data cleansing, outsourcing ...); and,
  • the absence of individual comfort and the disconnect between business and individuals' expectations mean that the law tends to develop haphazardly as particular issues become an 'emergency' concern—for example, do-not-call registers in the United States and Australia and the various United States data breach laws (which may soon come to Australia).

Some possible themes for a new privacy and trust framework
A number of themes and ideas emerged from the P&TP papers and workshops that seem likely to bear fruit if used to guide development of new privacy frameworks. These include that:

  • the emphasis should be on outcomes rather than processes—what will success look like rather than outlining requirements to give notice, for example;
  • individuals should have sufficient control, or be confident that information is under control, and feel that they are getting value and are safe regardless of how freely the information moves;
  • businesses need predictability and freedom to innovate;
  • there must be a fair allocation of risk, control for individuals, and accountability leading to an environment of trust;
  • rules, standards or principles are needed to establish a common language and expectations around the framework, and these need to be kept flexible and adaptable, and to line up with other information governance frameworks, such as for financial information; and,
  • an effective framework will need to include enforcement mechanisms. "Responsive regulation" was suggested as a guide to striking a balance between assistance, inducements, and punishments, with the emphasis on the former (see the writings of Professor John Braithwaite at

Other ideas explored included the management of personal information by "trusted agents," clearer answers to "who bears the risk" in transactions, and insights from other regulatory models, for example, environmental protection where the "polluter pays" in order to internalise economic externalities.

Privacy risk rating to calibrate business privacy obligations
The second P&TP paper attempts to draw these themes and ideas into a framework. The model is based on a binding privacy framework approach (BPF)—similar to the Australian notion of approved privacy codes or the EU notion of binding corporate rules—that would cover not only "privacy principles," but also the accompanying compliance framework and the notion of a privacy risk rating.

The BPF and the risk rating would combine as levers to raise the stakes to the point where organisations internalise the need for privacy action, for example, in relation to what personal information is collected or how privacy risks are managed. In return, organisations would get greater flexibility in managing their obligations, greater assurance that their actions will be "trusted" as individuals become confident that the systems work without their needing to police their own privacy, and the freedom to innovate both in business processes and in the use of personal information.

The paper suggests that the privacy risk rating system would aim to inform and mobilise market forces and would be backed by an enforcement regime that reinforces the benefits to a business of lowering its rating. The rating, for example, would be designed to influence consumer choice and the cost of capital, each providing an incentive to seek a more privacy-respecting rating. Components of the enforcement regime that could be made dependent on the rating, to reinforce the incentive to improve privacy practices even further, include the assurance or external accountability obligations and the level of penalties to which the organisation is subject.

In developing the model, further choices would have to be made at a number of levels. For example: would the rating be voluntary or mandatory; would the risk rating be established in law or set by an independent body which would undertake the rating process; and what factors would determine the risk rating?

In conclusion
The P&TP discussions have confirmed that there is indeed a range of perspectives and strongly held views that will be brought to bear on this issue. The discussion to date has been robust, and the next step in the process will be to look at all the ideas that have come forward and to see which should be developed. The one thing we can be sure of, though: doing nothing is not a viable option.

Malcolm Crompton is managing director of Information Integrity Solutions P/L, advising private and public sector organisations on building trust through the way they collect and use personal information. He was Australia's Privacy Commissioner for five years until April 2004. He is also a member of the Board of the International Association of Privacy Professionals.

Chris Cowper is a principal consultant with Information Integrity Solutions P/L. Her recent projects have included privacy impact or risk assessments in the education and resource sectors, privacy training in the health sector and thought leadership on privacy regulation. Before joining IIS in 2007, Chris spent 16 years with the Office of the Australian Privacy Commissioner.

Martin Abrams is executive director of the Centre for Information Policy Leadership at Hunton & Williams LLP. He has been an innovator in information, privacy and security for nearly 20 years, helping to shape digital-age global privacy concepts by providing thought leadership for companies, consumer leaders, and policy makers.
