Tim Robinson on privacy, FOI and recordkeeping

Transcript of talk by Tim Robinson from the Freedom of information? panel discussion held in Sydney on February 29, 2012.

I’ve suddenly thought of… some years ago, just after the State Records Act was introduced I was at a retreat, at a couple day retreat for senior admin staff at the university and I was going to tell them about the State Records Act, and the Deputy Vice Chancellor who was chairing the session introduced me and as he walked off the microphone said “This will be boring.”

[LAUGHTER]

He was actually a terrific bloke, he really was, he just didn’t get the records bit. He really was, I wish he was back.

Now, I don’t do PowerPoints but actually I thought I might do it today but we don’t have it, but anyway, not to worry. One of my daughters tells me in Switzerland there’s an anti-PowerPoint party which seems like a good idea. I wanted to read three quick quotes. This comes from Peter Timmins, who’s sitting in the audience, his blog from last week, and it’s the NSW Commission of Audit Interim Report on Public Management that was released on 22 February. It said the Commission did find that information systems are complex and cumbersome and often non-existent, and it identified a culture of risk aversion, insularity, adherence to procedure and powerlessness, even defeatism. Sydney Morning Herald reporting on the same document said, “The Audit said continual agency amalgamations have contributed to gross inefficiencies. One example identified in the transport cluster showed 130 separate systems were in place to support business processes and reporting. The audit anticipated this could be reduced to between 12 and 24, saving $100 million a year.”

The final quick quote comes from the 2009 NSW Ombudsman report, Opening Up Government: Review of the FOI Act 1989, was the Act that was replaced in New South Wales by our beloved GIPA (Government Information Public Access Act). Anyhow, this will be something dear to the heart of many people present. In the report the Ombudsman said, “The most extensive open [disclosure 02:41] of legislation and policies will be of little use if agencies cannot identify and locate what information they hold and recover it in a timely way.” We all know about that.

So the kinds of stuff that I’m concerned about comes from that kind of thing. Yes, things get stuffed up; yes, governments can interfere with the release of information, and it’s that kind of thing, I think, that results in the phenomena of Wikileaks and Anonymous. It’s like we’ve got two parallel universes operating. We have the world of the people who can get into the systems and do and go and go “Whammo, here it is guys, the lot.” Though, interestingly, they also manage the information they have; you can’t not. And then you’ve got the world, I guess, that I live in and some of the people in this world live in, which is the orderly I guess, the legislative regime for access to information.

Now it’s not orderly in New South Wales, as we know. There’s at least four Acts specifically that will give you access to information; there’s a lot more but there’s four that we deal with most of the time. And I feel that practitioners and record-keepers, that we are operating a cottage industry in the face of an industrial revolution. Now I’m stealing this from John Cross and some of you will know John Cross, who was the last State Archivist for New South Wales. He was talking about archivists in the face of electronic record keeping, but I think it’s similar. The tools and techniques that we use as GIPA FOI privacy practitioners would be quite comfortable for someone working in the 19th century; it really wouldn’t be a problem to them at all. Yes, the records mightn’t necessarily be on paper but the concepts are there and you’d read the legislation.

So we’ve got a bunch of problems, and I don’t say that I know what an answer… I don’t know what the answer is but what I wanted to do briefly in talking to you this evening was to see some of those kind of problems that I see where — mm, I don’t know what the solutions are. Try and articulate the questions better. The legislation in New South Wales, I might start there.

We’ve got a new Act that replaced the old Freedom of Information Act. Now those of you who are perhaps not practitioners in this area mightn’t appreciate what the difference has been – I know there are people in the room who do but forgive me if I bore you to death or if I’m boring you, just tell me to stop. One of the significant changes from the old FOI Act to the GIPA Act and to the new breed of access legislation is the old FOI was known as the pull model; someone applied for something and then you’d go and try and find it, barring information systems that didn’t work, and essentially you’d get the file and you’d look at it and you’d block out some bits and then it’d be released. That is still sort of in the GIPA – well it is in the GIPA Act – how you make the decisions about what’s not going to be released has changed, and I’ll talk about that very, very briefly. But the most significant change in the GIPA legislation, in the new generation of access legislation is that it moved very much to emphasising the push model, and I think this is where we do actually have to go. As I said, the cottage industry approach is not going to cut it. Agencies throughout the country need to be proactively releasing information.

Now on my own experiences at the university, bizarrely this is actually happening but it’s not necessarily that people are aware that we’re doing it. It’s in new business systems. When we get involved in the development of a number of business systems – not all of them but a number of them – the technology allows people to do stuff for themselves that in the past it wasn’t possible, in a paper world you couldn’t do. It’s also cheaper if you get the client to do the work for you, if you get them to enter the data in from their screen, wherever they happen to be, that’s a lot better and if you can give them access to the stuff they’ve put in, to correct it, change it, do whatever. We’ve got just on 50,000 students; the more work we can get them to do the better for the university. It’s much cheaper, it’s much more efficient and they’re happier because they can see what happens. I watched my youngest daughter last night vary her enrolment online with no great problem at all. In days gone by you would have rocked up to the counter, filled in forms, talked about it, gone this, that and the other. So in an interesting way more information is being made available to the public in different forms. The public doesn’t necessarily, in my view at least, mean everybody at once; there are lots of different publics and privacy, of course, is a prime consideration. It’s been one of my things as well and I will come back to that.

So the technology is actually allowing things to change. I find quite often that our business systems, part of it is everyone loves the web and if you’ve ever looked at, certainly my university’s website, I mean it’s just ginormous; it’d take the rest of your life to read through it. And a university is perhaps an unusual place but it exists on information and we’ve got arcane and enormous, complex rules which we want people to know about and so they’re all out there. So as systems are developed there is a real attempt — well not an attempt, it’s deliberate to put stuff out there so people can know what it is they’re supposed to be doing and how things work. So some of that GIPA stuff was actually happening; the technology is there, it’s in the mindsets of the IT people. You come up against the barriers, absolutely, and sometimes you… unfortunately they don’t come up against the barriers, they don’t see that they’re there and they do things you get worried about. I mean we could talk about cloud computing; we’ve done that before, I won’t go into it now. But in the IT world cloud computing is where they want to go. The privacy aspects of that can give you kittens. So you need to be there, the record keepers – and this is the part of the thing, people have heard me say this before – we’re really not going to get any kind of rational regime for access to information unless we actually have the information managed appropriately in the first place in systems where people are actually thinking about what we know as being records. Sorry for the non-record keepers in the room – we’ve got a hierarchy of stuff going on here, we’ve been talking about information, we’ve mentioned documents occasionally and we’ve also… what we consider to be records, I won’t bore you with standard definitions but there’s very particular things. Cassie mentioned in her introduction the issue of metadata; we need to know. 
Okay, you might have all this stuff out there but how does the public know what it is? It’s that contextual information that’s vitally important that it goes out too. So the orderly release of information does involve basic record keeping principles if the people getting the information are going to make any sense out of it at all.

Years ago there was the issue of release of information, of emails by the CIA where they cut out the headers, so you just had the text. I can’t remember the case. Doesn’t matter. Anyway, classic example of the content of the message was almost meaningless if you didn’t know who it was from or to…

AUDIENCE MEMBER: DFAT still does it with cables.

TIM ROBINSON: Do they?

AUDIENCE MEMBER: Even now, cutting out… cutting out contextual information saying “It’s not relevant to your application.”

[LAUGHTER]

TIM ROBINSON: Well one of the ways we talk about records is that it’s composed of content, context and structure. So you take one of those bits out and it’s utterly meaningless. Actually while we’re talking about that, the way the legislation even defines what it’s talking about or doesn’t define what it’s talking about is interesting because in the Acts we’re concerned about at the university, and other practitioners like me, there’s not a great consistency across the legislation in what we’re even talking about. In the old world, the old FOI Act, it was much more marked because the FOI Act used to talk about information concerning a person’s personal affairs, and then you had the Privacy legislation which talked about personal information. Where do they meet together? Anyway, that was a slight tangent.

Yeah, the information that doesn’t deal with the technology – I was thinking when Stil talked about the five million Stratfor emails released, I was thinking god, who’d want to be the FOI officer who had to go through those… and so thinking about it, the Deputy NSW Ombudsman, Chris Whelan, has a story that he’d say the agency that had a big FOI application had got all the documents together – and this was the world of paper – two piles, you know, the exempt in those days and to be released. Someone packed up the wrong stuff and sent it. Nothing happened! Nothing happened ‘cause it was all boring crap.

[LAUGHTER]

Okay, so we are stuck with legislation at that micro level of the cottage industry approach to dealing with an access application. I mean, yes, it’s open to abuse and I think you’ve found how the deadlines and things can be used to an agency’s advantage and wouldn’t pretend for a second that that doesn’t happen often; it shouldn’t happen but I don’t know how you get the legislation around that because, of course, as you’ve said Phillip, openness is a fine and wonderful thing but at some point you’re going to have to draw limits now. The particular concern in my mind is the issue of privacy and you’ve always got the attention. Now the university that I work for, just about everything we’ve got, it relates to students or people in some way or other. So the open go stuff raises immediately problems.

Now the question of privacy, and I think I heard someone mention that… I’m not sure, someone talked about privacy and people’s different perceptions of privacy. I know it’s often said that young people today don’t care about privacy; they put stuff on Facebook. Yeah, they do but they’re putting it on so it’s their information, so they’re making the judgement about what’s going there and what’s not and I have – yeah, one’s still a teenager – children that age where their life exists online and they’re very conscious of what… And when I said I was going to use Facebook because my eldest daughter was working overseas for a year, they gave me lessons and said to me what you do and what you don’t do ‘cause I’d say “How does this…?” and “Who gets that?” and all that. So they’re very conscious of it, so they know the technology, providing they’re told it though, and the bit in the paper this morning about Google. Yeah, I mean I didn’t understand that history stuff that it was logging, and my colleagues who drew my attention to that article this morning. So it gets back to do you know how it’s working?

One of the things we need to do is to simplify the legislative context for agencies and for individuals. I often think if agencies find working the legislation complicated, what chance has the poor bloody public got? We’re dealing with this stuff on a daily basis and we’re not sure, we’ve got to work out what’s going on. So how does the public understand what it is that they’re going to be embarking on? You really do need to assist greatly people who are making applications. We certainly try and make it as simple as possible at the university. Again, the new breed of legislation is good like this because it promotes ‘informal’ release of information, not going through that formal process, setting up administrative procedures. It’s much easier and simpler and I think you get through the cultural change within some agencies and it’s easier if you’re dealing with — in some respects you’re dealing with information about people most of the time, as we do, because the person is going to get it anyway, so let’s just stop the mucking around and within a couple of parameters just make the access as easy and as quick as possible; don’t go through the business of going down formal processes.

Simplifying legislation – one of the things that I wanted to talk about as well in relation to record keeping, because as I said, quoting from the Ombudsman’s report and one of the things in thinking about this session, I was thinking how has stuff changed from 1989 when we first had Freedom of Information introduced in New South Wales? And I’m afraid it was a fairly depressing sort of thought actually, because the same kind of problems we knew then in ’89 – that was the first time I was involved in FOI in a college I worked for at the time – the big thing was seeing that record keeping would be really important and that would enable the success of FOI. Well sadly I don’t think we’ve had great success in that area at all and I’m concerned that the problem is getting worse probably, if not better, and I will talk briefly about New South Wales State Records – sorry, there are people here who work for State Records but I don’t so I can talk about it – deeply concerned at the funding situation for New South Wales State Records. They are the people who actually promote record keeping in the public sector who can provide the expertise that will assist with efficiency of the operation of agencies and in achieving the ideals of the GIPA legislation and protecting privacy at the same time. You can’t do that if you haven’t got decent record keeping, it just doesn’t happen. A great concern there, as in all, I know all in New South Wales public sector agencies the budgets are being cut. I am particularly concerned with State Records because I know the work they do and how important it is. One of the things that particularly is worrying is that the Digital State Archives Project, the funding I understand – and please correct me if I’m wrong – does run out next year. Is that correct or am I misled on that?

CASSIE FINDLAY: It’s somewhat of a grey area, depending on the whim of Treasury but there is a serious risk.

TIM ROBINSON: Yeah, it gets back to all electronic records. The Wikileaks I think are classic. How is the stuff that’s being released through Wikileaks, how is it going to be preserved over time? I mean that’s exactly the same problem. Yeah, you need a…

[LAUGHTER]

You’re managing massive amounts of data, as we all know, in an ephemeral form. Yes, you can drop a notebook in a puddle, but you can pick it up and dry it. Drop your iPad… I bet you there are conservators out there who could bring it back.

[LAUGHTER]

But, yeah, drop your iPad in the water and I don’t know, I have no idea. But the management of electronic records isn’t something that can be just left to chance. It has got… and we’re not going to have records available for accountability, current and future, unless we actually have the means of managing them over time and I’m deeply concerned that the funding is not guaranteed for that initiative, because really what’s the point? Honestly, what is the point? Sorry, I’m speaking to the converted, I realise that. Oh god, I should shut up. I should shut up because I think I really… I didn’t want to talk for long because I wanted us to talk about questions.

Okay, I will wind up by saying, yeah, you know, yeah, it’s all based on the records. If you haven’t got decent records forget it. So thanks.

[APPLAUSE]

About Cassie Findlay

Digital recordkeeping, archives and privacy professional, co-founder of the Recordkeeping Roundtable. @CassPF on Twitter.