If businesses do not want regulators to prescribe solutions for them, they have to fix problems themselves, says one GC.
When cars were first introduced, Marion Hemphill mused, there were no specific speed limits, other than a need to drive at a reasonable pace.
“But we humans couldn’t interpret reasonableness on the road in the same way,” she reflected, and as such, governments stepped in with prescriptive rules and regulations that offered clarity and certainty.
Strict road rules are, almost always, a good thing. But there are other instances, Ms Hemphill argued, whereby businesses should determine the best paths forward so as to avoid the need for regulators to step in and decide what should happen.
Speaking last week at the 2020 Corporate Counsel Summit, Ms Hemphill – who is the general counsel and chief privacy officer at Australian Red Cross Lifeblood – said she is concerned that Australia’s regulatory future may see a trend towards one-size-fits-all approaches, which “might not allow businesses to generate the same benefits” as others.
“I’m suggesting that we don’t necessarily want to have heavy regulation. And, if that’s the case, then entities have to perform better within the current framework and the current regulations. If we don’t want regulators to prescribe a solution for us, then we have to fix the problem ourselves,” she outlined.
Businesses haven’t been suitably transparent with notifications about data and privacy breaches, Ms Hemphill referenced as an example, “and as a result, the government introduced the mandatory breach notification requirements in the Privacy Act”.
“It might’ve been better at businesses that had the opportunity to appropriately manage this themselves, but they didn’t grasp that opportunity. And so, it was taken from them quite fairly,” she said.
As a result, a key question for businesses looking ahead – at least with regards to the newly announced review of the Privacy Act – “will be how to create a compliance framework that ensures that they meet and they can also demonstrate that they meet the regulatory requirements appropriately, and that they’re meeting the objectives of the Privacy Act”, Ms Hemphill surmised.
This is where we lawyers come in, she said.
“Obviously, it’s not practical for internal or external legal teams to advise on every occasion of collection of information or use of information. So, what we need to do is to help our clients build their own framework to determine what is needed. And if we don’t, it’ll be regulated for them,” she warned.
“Each entity collecting, using, disclosing information needs to build its own set of rules for what it can do and it can’t do. It needs to build a process for ensuring compliance and it needs to be transparent with stakeholders. Essentially, they need to decide on what is reasonable upfront, then just stick to it.”
Moreover, Ms Hemphill added, they need to tell consumers what they’re doing.
“It’s not enough for us to train our clients into what the regulation says. I think we have to translate it for them and to allow them to have a translation within their own business operations. Training people isn’t enough because it’s abstract and it relies on memory and attention. It can be hit and miss,” she outlined.
“Some people will respond quite well and some won’t, but also the training might be a very long way away from when you actually make the choices. And so human memory is just not designed to work that way. Instead, I think a better way is to make it easier to make the right choice by actually not requiring any choice to be made at all.”
An effective internal regulatory compliance framework, Ms Hemphill advised, “takes out the need to have individual decisions, and instead has cleared guard rails from the beginning of any project or matter that involves personal information or data”.
“It’s not an easy task, but if it’s included in the design or project of a matter, it’ll be more effective,” she said.
“To return to my analogy about cars, it’s the difference between telling people to drive at a reasonable speed and driving at 50 kilometres per hour, but the business is the one choosing that speed restriction based on its own conditions in its environment to reach its outcome, rather than waiting for it to be imposed by government.”
To view this full session, and others from the 2020 Corporate Counsel Summit, click here.