Will foreign governments comply with gdpr

Who will take Foreign Government’s privacy arrangements to task?5 min read

I’m lucky enough to be going to visit Australia in the next few months and in preparation I’ve had to get my documents in order.  The guidance from the UK Government was that I needed at least 6 months on my passport at date of travel and a visa.  A quick glance at my passport and I find that it will have less than 3 months left when we set off on our 3 week trip. Step 1 – Renew Passport!  This will be a great chance to see what the different government’s privacy arrangements are like.

A few months to get a passport and visa, that shouldn’t be a problem. 

As an opener, I have to say that the relaxing of the photography rules was refreshing.  I could take a photo with my mobile phone instead of spending time in one of those photo booths in the supermarket (See the rules for passport photos).  It took a few tries in odd areas of my office building, with plain walls, lighting and not smiling all being issues – but it was free and not too public.

The UK Passport application

The online application was also easy.  A step by step procedure and the ability to get text or email updates as to the progress of my application was a great experience.  As soon as I had completed all the steps, I had a text reminder to send back my old passport.  I posted it off and the next day I was reminded again… ok, fair enough.  The day after, they had it, and told me so.

Throughout all of this, my only gripe was the privacy arrangements.  I expect our governmental organisations to lead the way in applying of the Data Protection Act 2018 or the GDPR.  I expected each prompt to adequately evidence why the information was needed.  Ok, I was applying for a passport and I should expect to provide significant personal data to the process, but it would be nice if the government showed the very best practice in action.  Maybe I’m being unfair, I pondered.  Then I looked at the “Privacy Information Notice” and, after scanning the 21 page document, felt justified in saying the approach needed work.

The result of it all was I received my passport 8 days after submitting my online application – what a great digital service… ish.

Step 2… Next Government please!

So, I have my brand new UK (and EU!) passport in hand, I can get our visas for Australia.  First, what visa do I need… there are 70, or so, Australian visas.  Fortunately just 6 visitor visas and an essential visa finder to get me down to the two types I needed to check.  Phew, the free e-Visitor (sub-class 651) fits the bill – another digital application to enjoy and scrutinise.

This online application process was not as simple as the UK passport, but it was easy enough.  It kicked off with the phrase “All the information provided in this application is important to the decision to grant an eVisitor.” – well at least I know I have the right form.  The sign up to the ImmiAccount I had done prior for a previous visit to Oz, so maybe I missed out on some of the privacy stuff. I went hunting.

The Aussie Government’s Privacy Acts

The Australian Government Department for Home Affairs privacy policy was quite concise and reasonably clear.  Australia has the Privacy Act of 1988 as well as some additions in the Privacy Regulation 2013 and, most recently, for security breach reporting Privacy Amendment (Notifiable Data Breaches) Act 2017.  The Privacy Acts have 13 principles:

Roadsign with major world cities and distances
Are all government’s privacy arrangements sound?
  1. Open and transparent management of personal information
  2. Anonymity and pseudonymity
  3. Collection of solicited personal information
  4. Dealing with unsolicited personal information
  5. Notification of the collection of personal information
  6. Use or disclosure of personal information
  7. Direct marketing
  8. Cross-border disclosure of personal information
  9. Adoption, use or disclosure of government related identifiers
  10. Quality of personal information
  11. Security of personal information
  12. Access to personal information
  13. Correction of personal information

On the face of it there is an alignment with the Data Protection Act 2018, and GDPR.  There are few differences surrounding breach notification requirements, timescales, organisational size and reporting requirements but nothing to bother me.  Is that enough to be sure my data is safe?  I am the citizen of the EU, at the moment, and the UK is equally data aware, surely the Australian government should comply with GDPR.  Australian companies who deal with Europe have had to!

On with the visa application

Having vaguely satisfied myself that Australia was taking the security of personal data seriously, I continued.  Let’s face it, my only alternative was to not go to my brother-in-law’s wedding.  That was not an option!

Not much more to say really.  The process was a little dated, but provided reasonable information through the steps and the whole thing is managed digitally.  No paper visa required.  Within 4 hours our visas were finalised and our passports ‘tagged’ to that end.  So if I have my passport, I have my visa.  Sweet!

However…

Who is going to take the governments of non-EU countries to task if they are not complying with the DPA/GDPR?  Should the ICO start raising concerns or even consider issuing fines to other governments?  Will foreign travel advice be provided on data security issues as well as physical, health and financial security?

I guess the question is, would the EU and UK Governments ever take action on other countries for our data security?

Should we be making more of a stink when we spot weak privacy, especially in our own government?  It may be down to us, as citizens, to point out what is unacceptable as a traveller and raise concerns with the ICO.


If you are unclear as to why you should be interested in your personal datas security, read this article next.