Last week's IAPP (International Association of Privacy Professionals) Summit in Sydney was as well-attended as ever, with privacy professionals from across Australia and New Zealand gathering to discuss privacy developments and think ahead about technological, legal and ethical challenges on the horizon. Unsurprisingly, the privacy risks and considerations of AI featured frequently – Buddle Findlay partners Allan Yeoman and Natasha Wilson summarise their five top takeaways from this year's IAPP ANZ Summit:
- While it's easy to continue marvelling over the advancements and opportunities of AI, it remains critical that the human side is not overlooked. The fundamental question 'what does it mean to be human' should, it was argued, be front of mind when we're turning to AI to help us solve problems, and AI governance and guardrails within organisations should focus on ensuring the human users understand AI's risks and limitations, how and when to verify AI output, and that generative AI strives for fluency (and sounding convincing) rather than accuracy.
- AI governance need not be scary or daunting, and it shouldn't be put in the 'too hard basket' – organisations already have the processes and skillsets to do governance well across areas such as security, privacy, risk and health and safety. Putting good AI governance practices into place should draw on those existing areas, rather than needing to re-invent the wheel for AI specifically.
- The Office of the Australian Information Commissioner (OAIC) has a full dance card of enquiries and enforcement action, involving the likes of Meta, Bunnings, Kmart, Optus and Medibank. The size of those businesses, and the scale and complexity of the privacy issues involved, reflect the OAIC's desire to keep a tight rein on compliance with Australian privacy law.
- In his keynote speech, the New Zealand Privacy Commissioner spoke about the high importance of privacy to New Zealanders. Complaints about privacy breaches are trending up (an increase of 21% from last year), and in the Commissioner's most recent privacy survey, two-thirds of respondents reported that they would consider changing providers because of concerns about poor privacy practices. The importance not just of consent, but of having a legitimate business purpose to collect, use, and share personal information, was also highlighted.
- In Australia, the health services sector continues to top notifiable breach reports and throw up complex questions and issues (many of which will be familiar to New Zealand health sector players), including the importance of rigorous due diligence on how personal and health information is managed as part of health company acquisitions, how health service providers need to be ready to respond instantly to privacy breaches, that 'de-identification' of patient information is not a magic bullet for managing privacy risks, the tensions between disposing of personal information and retaining health records for long periods, and the fundamental question (especially when thinking about wearable digital health technology) of what is and isn't a health service.