With our homes filled with real and virtual people, many of us have struggled with finding a private space. It can be a confronting experience realising that the space between our private and public spaces have merged, leaving us just a little overwhelmed. At the same time, we have participated in the sharing of our personal travel details in an attempt to trace and track the spread of infections. It is little wonder our understanding of privacy has changed, and I think it might be timely for us to remember the importance of privacy, consent and some safeguards available to us even in a pandemic.
In this blog we touch on:
// Why does privacy matter?
// What are the rules about the collection of personal information in Australia, and how that data is stored and shared? Noting that there are similar laws in other parts of the world.
// When is consent required, and what are the exceptions to the requirement for consent?
// When data is transferable without consent and who owns your email and personal details.
// When and how do you make complaints about your information, or about potential misuse of that information.
// A reminder of damage to reputation, and the potential for backfire, when privacy rules are ignored.
What is privacy and why does it matter?
Over the years I have heard people say privacy does not matter because “well if you had nothing to hide, then you won’t have a problem”. Such a comment is naive and frustrating because it forgets that
“Privacy is foundational to who we are as human beings, and every day it helps us define our relationships with the outside world. It gives us space to be ourselves free of judgement, and allows us to think freely without discrimination. It gives us the freedom of autonomy, and to live in dignity.“ Resource
Let’s face it, we all want the freedom to think our thoughts, read and communicate respectfully without that information being tracked and used against us. If you are in a relationship, and your ability to think or have your own thoughts is diminished and controlled by another person it is classified as “coercive control”. When you are in a country where your thoughts and ideas are monitored we enter the Orwellian nightmare of dictatorship.
In the last year of oversharing and limited space, many of us have become so much more aware of the importance of the mental, physical and digital space that allows us privacy. However, we often don’t appreciate that privacy is considered a Human Right as detailed in the Universal Declaration of Human Right, the International Covenant on Civil and Political Rights (ICCPR). In Australia this is enshrined within the Privacy Act (1988) (“the Act”).
Sharing of private information
Our starting point is that the collection of personal information about yourself or your clients is regulated by law. A person’s details is not the possession of a company or its agents. We each own our personal information, and we can consent to give that information to another entity, but when we do so there is an element of trust. When our privacy is not respected, our trust is also broken, and that can be very damaging for the people trying to convince us to buy something, or to see them for a service etc. In the course of our daily business as movement teachers and educators we will collect information about people. Personal information includes address details, phone numbers, date of birth and even bank account details. This information can be given to you by clients, employees, contractors or even business associates. It is generally drilled into us all that health information cannot and should not be shared without the person who “owns this information” providing a clearly signed consent.
Personal information can only be shared without consent, when it is within the “public interest”.
When we were first allowed out of our lockdowns, to attend cafes, restaurants etc the collection of personal information was often on paper sheets, where you would fill out your personal information and be able to see the details of other customers. This information could be shared with government agencies if there was a health need to contact these people, which is an example of “public interest”. I recall being horrified about how privacy was so easily compromised. Imagine how such a system could have allowed a person to identify an individual who may have been trying to hide from a former violent partner. I shudder to think of the consequence of such little acts of random unthinking sharing of information. Government agencies then began the scramble to collect the necessary data without the inappropriate breaches of privacy. It took awhile, but now we all just QRcode ourselves in using our phones without leaving a trail for the next customer to access.
Consent must be explicit?
When I think about privacy concerns, in times of a pandemic I also think about how people were happily sharing screenshots of zoom classes, inappropriately identifying clients and colleagues. As a person running large zoom seminars I realised at times that many of us (me included) did not really understand how to protect the privacy of individuals who may have joined in on a zoom class. It was only after I looked at a recording that I realised names of participants were easily apparent on the replay, and I had no idea how to correct this problem or even prevent this happening. At the time most people were tolerant of these breaches of privacy, because of an immediate need. We assumed a form of consent because people were participating in the process, but when it comes to privacy and so many other things we should never assume consent. I eventually managed to stumble through the technological processes to rectify this inadvertent sharing of information.
As we proceed into a new era we realise that there needs to be better ways and strategies in place so that privacy is protected in our zoom and social media interactions. As we catch up with technology we find ourselves returning to the discussions and debates about consent and what people should know about us, including our participation in a zoom class. It would be useful to have our pilates associations provide some sort of policy or procedural guidelines about information protection through forums such as zoom.
Portability of information between entities?
When a person provides their personal information e.g. their email or postal addresses, their consent to the use of that information is limited to only the people explicitly detailed in their signed form. The material is not portable beyond that specific entity.
Julia has signed up with Red Pty Ltd. That company has been working for many years teaching Pilates. The owner of Red is called Mrs Pink, a person Julia has known for many years. Mrs Pink sells her company Red Pty Ltd to Mr and Mrs Blue and goes on holidays.
Six months later Mrs Pink decides to establish a new business and sends out emails about this business to all her old clients. The email addresses were all from her database collected when she was the owner of Red.
Many people reading this will automatically think that she can’t do that to Mr and Mrs Blue, she sold the business and that includes the intellectual property of databases and email lists owned by Red Pty LTd. Many people forget poor Julia, who had trusted her details to Red Pty Ltd. and now thinks that Red has sold her data to some other company. Julia has had her privacy rights invaded and at the same time her trust eroded in Mrs Pink and in the company Red Pty Ltd
Julia , Mr and Mrs Blue may both make complaints to the Privacy Commission about how Mrs Pink is misusing personal information.
An additional scenario
What happens if in the case above Mrs Pink was an Allied Health Practitioner or part of other such professional associations? In that case there could be arguments that her misuse of personal information has breached her professional code of conduct. In that case Mrs Pink could be reported and disciplined for that misconduct.
How do I complain about privacy breaches?
For many of us if we just unsubscribe from an email, that is simple. However, there will be times when you think actually this is bigger than just getting an email. There will be times that you think that this was more than a little mistake, this has been a more systemic misuse of my information and the information of other people, in other words a significant breach of trust. In such cases you can complain to the Privacy Commissioner of the breach of privacy. When pursuing a complaint through the Privacy Commission, you must first notify the Company who sent the emails of your concerns.
It is important to note that in Europe digital privacy is strictly regulated and protected. The EU has taken amazing steps to protect digital privacy largely thanks to the activist Max Schrems. These steps have had considerable benefits for us all, and reminds us of the importance of vigilance when it comes to our privacy.
What are simple strategies for you to respect privacy?
// When there is a group zoom session, pin only your video on the zoom session at the beginning. Clarify with participants if they want to have their names or details shared on the zoom session and if not encourage them to keep their cameras off. Also allow those individuals to change their identity or image on zoom (there are some details for this in the zoom settings).
// Do not take photos of people when they are in a class, either in person or digitally without their expressed permission. Do not share those images without expressed permission. Each of these steps require different permissions and explicit consent.
// If you are an employee of a company, don’t have your client’s phone or email numbers on your personal phone, without expressed permission from the client and your employer. When you leave that employment (or sell your company if you’re the owner) delete those details from your phone. People will contact you after you leave, if they want to maintain contact. In doing so you allow these people to make the decision to share their details with you personally rather than as part of the entity they are attending.
// When you leave a company either as an employee or when you sell a business remember that the information you have collected during that time is not your portable information. The consent for access to that information was not given to you personally, but to a specific entity. When you take that information you show no respect for privacy and you have breached trust. That breach of trust could ultimately undermine your standing with the very clients or customers you are seeking.
Let’s remember that privacy matters, and like so many things it’s only when we lose it, even temporarily, do we realise how essential it is to our physical and mental safety. As practitioners and educators it is our responsibility to respect that personal information given to us is not our property, that we can take with us into our new ventures and into our daily lives. Personal information is and always remains the property of an individual client, who may consent to our temporary access to that information. It is not our right to imply consent but it is our responsibility at all times to clarify consent and respect privacy.
If in doubt check the Privacy Act, if in Australia or the various privacy legislations in your country.
links for further information – OAIC website