Mike focuses on assisting key stakeholders with understanding the obligations and outcomes of effective privacy and cyber security. This includes solving an organisation’s issues with respect to regulatory, industry, and company policy compliance and to protect what matters most in terms of availability, loss of value, regulatory sanctions, or brand and reputation impacts balanced with investment.

At IIS, Mike has led over 100 privacy and security governance, risk, and compliance client engagements across government, health care, education, retail, financial services, and technology sectors. He has also advised clients about the direct impact of cyber security on privacy and data protection and how to provide greater resilience to assure better organisational outcomes.

Mike also serves as ICG’s Global Cyber Practice Leader and IIS is an ICG Affiliate. Prior to joining IIS, he was the Founder and Managing Partner of Cyber Risk Advisors. Before then, he was Asia Pacific, Oceania and FSO Lead Partner EY Cyber Security; GM Technology Risk and Security for NAB Group; a Partner within Information Risk Management at KPMG in New York; and has held financial services industry roles at Salomon Brothers and Mastercard International. At EY, Mike was responsible for creating the largest, sustained “Big-4” cyber security practice, deploying Privacy and Data Protection solutions, and building the Melbourne Advanced Security Centre (ASC), specialised in attack and penetration testing.

Mike is a Non-Executive Director of au Domain Administration Limited (auDA), a not-for-profit organisation established by the Australian Internet community to administer a trusted .au for the benefit of all Australians, and champion an open, free, secure and global Internet. Mike is a Graduate of the Australian Institute of Company Directors (GAICD), Member Australian Information Security Association (MAISA), an AISA Board Member, ISACA Melbourne Chapter Board Member, Member of National Standing Committee on Digital Trade.

Mike’s professional credentials include being a Certified Information Systems Manager (CISM); Certified Data Privacy Solutions Engineer (CDPSE); and Certified Information Systems Auditor (CISA). He is also a member of the International Association of Privacy Professionals (IAPP) and is an ICG Accredited Professional. He has an MBA, Accounting and Finance and BS, Management Science, Computer Science, and Psychology.

Mike is the co-author of The New Governance of Data and Privacy: Moving from compliance to performance, Australian Institute of Company Directors, November 2018.

Malcolm was the founding President of the International Association of Privacy Professionals Australia New Zealand (iappANZ), an affiliate of the US based International Association of Privacy Professionals (IAPP). He was a Director of IAPP from 2007 to 2011.

He is a Director of Bellberry Limited, a private not-for-profit company which provides health ethics advisory services. He is also a member of the New South Wales Government Information and Privacy Advisory Committee and the Palantir Council of Advisors on Privacy and Civil Liberties (PCAP), of Palantir Technologies.

Malcolm is a highly sought-after independent expert and has advised a wide range of industry sectors. This includes advising the Australian Bureau of Statistics on various matters (such as trust and social licence for the 2021 Census), a major Australian retailer on privacy issues on the horizon, Service NSW on its significant 2020 data breach, and the NSW and Victorian governments on their QR-code based COVID Safe check-in apps. He has also consulted to the Asia Pacific Economic Cooperation forum (APEC) regularly on implementation of the APEC privacy framework and to the Organisation for Economic Cooperation and Development (OECD).

Malcolm chaired the board of PRAXIS Australia Ltd, a private not-for-profit company that promotes the conduct of ethical research involving human participants, for the first five years through its start up phase until 2019. For many years he was a member of the Microsoft Trustworthy Computing Academic Advisory Board as well as a number of projects funded by the EU Framework Programmes for Research and Technological Development.

Between 1996 and 1999, Malcolm was Manager of Government Affairs for AMP Ltd. In the previous 20 years he was a senior executive in the Federal Department of Finance, was founder and trustee of a new industry superannuation scheme and worked in the Transport and Health portfolios.

Malcolm has degrees in Chemistry and Economics. He is a Fellow of the Australian Institute of Company Directors (FAICD) and is an IAPP Certified Information Privacy Professional (CIPP).

Malcolm was made a Member of the Order of Australia in the 2016 Queen’s Birthday Honours for significant service to public administration, particularly to data protection, privacy, and identity management, and to the community. Malcolm received the 2012 Privacy Leadership Award in Washington DC from the IAPP in recognition of his global reputation and expertise in privacy. He received the inaugural Chancellor’s Medal for distinguished contribution to the Australian National University in 2004.

Malcolm is a co-author of The New Governance of Data and Privacy: Moving from compliance to performance, Australian Institute of Company Directors, November 2018.

Eugenia has been leading privacy and security engagements across the education, health, critical infrastructure and government sectors. Recent client engagements include:

• An independent review of an organisation in response to an enforceable undertaking from the Office of the Australian Information Commissioner
• Supporting a long-term data breach response and recovery as part of a multi-disciplinary team for the NSW Government for a major cyber incident, and PIA to support Service NSW’s application for a Public Interest Direction under s 41 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)
• Directing and completing over 20 PIAs and cyber security risk assignments in Commonwealth, NSW and Victorian governments, and in the education, health, not for profit, ICT, retail and financial services sectors
• Assisting clients with strategic privacy and security advice and thought leadership.

Prior to joining IIS, Eugenia worked in France, Spain and the UK on complex IT and telecommunications projects. Eugenia worked for EY IT Risk and Security Advisory for more than 10 years and then joined Colt Technology Services in Europe where she was the Group Head of Business Continuity. Returning to Australia in 2017, she worked in the NBN Co’s Risk & Resilience team.

Eugenia has a law degree from the University of Barcelona, a Master in Law from ISDE Business School and a Post Master in Technology Law from ESADE Business School. She has recently lectured at the IE Law School in Madrid as part of their annual EU GDPR Course.

Eugenia joined the Barcelona Bar Association in 1999.

She is a ISACA Certified Information Systems Auditor (CISA) and a Data Privacy Solutions Engineer (CDPSE) and a Qualified Associate Fellow of the Business Continuity Institute (AFBCI). She is a member of ISACA and BCI Melbourne Chapters, the Australian Information Security Association (MAISA), and the International Association of Privacy Professionals (IAPP).

In addition to English, Eugenia speaks Spanish and French.

At IIS, Sascha has led major cyber security, risk, and compliance client engagements, including:

• Assessing cyber security posture and creating an improvement plan for a critical infrastructure provider
• Assisting in various ‘Chief Security Officer as a Service’ activities
• Performing cyber security due diligence of a short term labour platform
• Auditing a configuration change management process for a government transportation provider.

Before joining IIS, Sascha served as the Chief Security and Operations Officer at Tyro Payments. In his 12 years at Tyro, he was instrumental in building out the organisation’s cyber security capability, including:

• Developing and operationalising cyber security strategy
• Establishing and developing security, IT operations and corporate services teams with required capabilities
• Building and maintaining a highly available payments platform within an agile, complex and fast-growing environment
• Managing compliance and cyber risk across numerous standards and regulators, including APRA, IRAP and PCI.

Sascha’s other previous work experience includes security consultant roles at EY Australia and technology companies in Switzerland.

Sascha is passionate about people, technology, innovation and security; and approaches client engagements with a strong focus on delivering expert and clear guidance that is straightforward for organisations to implement.

Sascha’s professional credentials include being a Certified Information Systems Security Professional (CISSP); Certified Information Systems Auditor (CISA); and Certified Ethical Hacker (CEH). He holds a Master of Science from the Swiss Federal Institute of Technology. In addition to English, Sascha speaks German.

Chong has led key privacy and security engagements across multiple industry sectors and for both domestic and global organisations. He has extensive depth and breadth to his privacy experience, including:

• Recent privacy impact assessments (PIAs) on the data sharing scheme proposed under the Australian Data Availability and Transparency Bill (DATB) and on a digital identity solution for a major global financial services company
• Conducting over 40 PIAs and Privacy Health Check (PHCs) for a diverse range of public and private organisations, including in government, retail, financial services, education, health, technology, law enforcement, energy, and transport sectors
• Helping organisations with tailored privacy and security audits and risk assessments, including in response to Office of the Information Commissioner (OAIC) enforceable undertakings, audit office findings, and legislative requirements
• Formulating privacy, governance and strategic advice and research for identity management, data sharing and linkage, de-identification of personal information, open data, privacy law reform and data ethics, including for one of the largest global digital platforms
• Drafting privacy notices, policies and internal governance frameworks
• Developing privacy tools, templates and programs specifically tailored for clients
• Conducting privacy and security audits on the handling of the first-of-its-kind NSW cross-agency Human Services Data Set, in accordance with the requirements set out in a Public Interest Direction and Health Public Interest Direction.

Chong has written on diverse topics such as the privacy legal landscape, Privacy by Design, trust, accountability and cross-border data flows, including for Microsoft, the National Centre for APEC, iappANZ and the Institute of Electrical and Electronics Engineers. His most recent work, co-authored with Malcolm Crompton and Michael Trovato, is The New Governance of Data and Privacy: Moving from compliance to performance, Australian Institute of Company Directors, November 2018.

Chong is a certified OneTrust Privacy Management Professional and GRC Solutions Expert. He is a member of the Australian Information Security Association (MAISA), the ISACA Sydney Chapter, and the International Association of Privacy Professionals (IAPP).

Chong is a graduate of Sydney Law School (Hons 1) and contributed to the Sydney Law Review as a student editor. He also holds an Honours Degree in Psychology and a Master of Teaching from the University of Sydney.

Natasha led the privacy impact assessment (PIA) work on the administrative data use by the Australian Bureau of Statistics and the data sharing scheme proposed under the Data Availability and Transparency Bill.

In addition to conducting numerous PIAs at IIS, Natasha has also led research on projects examining emerging privacy issues and regulatory responses. This has included options for international privacy regulatory harmonisation for a global digital platform, as well as research on the international regulation of digital platforms for the Office of the Australian Information Commissioner.

Prior to her time at IIS, Natasha worked for a decade at the federal privacy regulator during which time she engaged on a wide range of privacy issues, particularly in relation to new technologies, data analytics, de-identification, electronic health records and APEC privacy enforcement cooperation.

She was a member of the secretariat supporting the Government 2.0 Taskforce. During a secondment to the New Zealand Office of the Privacy Commissioner, Natasha drafted a major research paper and guide on privacy and CCTV. In 2008 she was awarded an Australia Day Achievement Medallion for her work supporting the Australian Privacy Commissioner.

Along with an in-depth knowledge of privacy regulation, Natasha has expertise in information law and policy more generally including freedom of information law and trends in open government.

Natasha holds a Bachelor of Arts (Hons 1) from the University of Sydney. She has also completed training courses on Fundamentals of internal audit; Administrative power and the law; Machinery of Government; and Policy Formulation.

Natasha is a member of the Australian Information Security Association (MAISA) and the International Association of Privacy Professionals (IAPP).

Alexander has led privacy and security engagements for a wide range of public and private clients from various industry sectors. Alexander has experience conducting privacy impact assessments (PIAs), privacy and cyber security health checks, privacy by design advice, researching on privacy and security trends and laws globally, and providing written strategic and practical advice.

Recent privacy engagements that Alexander has been involved in include conducting PIAs for various NSW and Victorian government departments and agencies on digitisation initiatives, and Privacy Health Checks for ASX-listed companies including a large health insurance provider and a hospitality group.

Recent security engagements that Alexander has been involved in include conducting a comprehensive assessment against cybersecurity industry standards for a project within a Victorian Government agency and conducting a privacy and security audit on the implementation of a NSW Government agency’s data handling practices in accordance with the requirements set out in a Public Interest Direction and Health Public Interest Direction.

Prior to joining IIS, Alexander worked at international law firm Herbert Smith Freehills. As a lawyer in the Private Equity practice group, he advised clients on a variety of transactions including capital raisings, mergers and acquisitions. Alexander also has extensive international business experience having worked at a multinational IT service provider in Paris, a private equity firm in New York and a top-tier tax consultancy in Berlin. Complementing his understanding of global corporates, Alexander has spent time working within international political organisations including the Human Rights division of the United Nations and SME division of the OECD.

Alexander holds a Bachelor of Commerce and a Juris Doctor degree from the University of Sydney. Alexander was admitted as a solicitor to the New South Wales Supreme Court in 2016. He is a Member of the Australian Information Security Association (MAISA), ISACA Sydney Chapter, and the International Association of Privacy Professionals (IAPP). He is also an ICG Accredited Professional.

In addition to English, Alexander speaks German.

Della works with clients to build privacy into organisational practices, including through strategy, governance initiatives, privacy impact assessments (PIAs) and training. She has a passion for assisting clients to strengthen their privacy program, including by establishing privacy as strategic priority and by building privacy protections into day-to-day work practices.

Della’s proficiency in policy and process development supports the intersection of privacy with complementary organisational business areas, including information governance, security, risk management, procurement, business continuity, disaster management and project management.

Della assists clients to build a privacy aware culture through the development of privacy training and awareness resources that ensure staff understand the value and importance of privacy and their expectations. She has experience in developing training content and materials, and creates both face-to-face and e-learning courses that are interactive and understandable, and tailored to the client’s privacy objectives.

Della has led significant privacy management projects for local governments, government departments, and private organisations operating in local and international jurisdictions. Furthermore, she has developed Privacy by Design frameworks, PIA artefacts, and local government privacy resources; and assisted in PIAs and data breach assessments.

Della holds a Bachelor of Business from the Queensland University of Technology and is a member of the International Association of Privacy Professionals (IAPP).

Selected projects Sarah has worked on include:

• Department of Premier and Cabinet, Victorian Government – Providing PbD advice and conducting a PIA for the government’s Digital Visitor Registration (DVR) Solution
• Service NSW – Providing PbD advice on the development of the COVIDSafe Check In tool for Service NSW app
• Office of the Australian Information Commissioner (OAIC) – Researching and drafting paper on global scan of privacy regulation of digital platforms
• State Records of South Australia – Researching and drafting brief paper on web tracking tools and preparing PIA template
• NSW Department of Customer Service – Conducting a PIA with respect to the release of an NSW digital photo card
• Digital Health Company – Preparing privacy documents for its health programmes and providing privacy advice.

Prior to joining IIS, Sarah worked at international professional services firm EY, Kuala Lumpur as an Associate involved in advising clients from different industries on a variety of tax matters.

Sarah has also worked with data protection in Malaysia, where she has conducted research and prepared training materials on matters such as the Malaysian Privacy Data Protection Act (PDPA) and the European Union General Data Protection Regulation (GDPR). Sarah has also co-authored a number of journal articles which have been published, among others, in the European Data Protection Law Review and the Malaysian Law Journal.

Sarah holds a Bachelor of Laws from Queen Mary University of London and a Master of Laws from King’s College London. She is a member of the International Association of Privacy Professionals (IAPP).

In addition to English, Sarah speaks Malay.

Prior to joining IIS, Jacky worked as a research assistant and Project Officer for Professor Kimberlee Weatherall, who is a Chief Investigator with the ARC Centre of Excellence for Automated Decision-Making and Society, and Fellow at the Gradient Institute. Jacky contributed to research in the interaction between commercial/private law doctrines and potentially harmful practices of surveillance capitalism and data misuse. Through this, Jacky worked on consultation responses to various proposed changes to the privacy landscape such as the Australian Government Digital Identity System and the Trusted Digital Identity Framework.

Jacky also worked as a consultant in the Risk and Regulations team of PwC Australia, where he was involved in engagements with high profile financial institutions providing assurance for corporate risk management processes in line with APRA Prudential Standard CPS 220 Risk Management. Further, he advised C-Suite executives of insurers and superannuation trustees on the implementation of new financial laws and regulations such as the Financial Accountability Regime. Jacky also worked closely with several banks to develop and streamline their breach reporting processes, optimising for efficiency and accuracy.

Furthermore, Jacky has experience as a paralegal in the insurance law sector where he acquired extensive experience in legal research and gained proficiency with interpreting legislation and government guidance updates.

Jacky holds a Bachelor of Science and Laws from the University of Sydney. He is a member of the Australian Information Security Association (MAISA) and the International Association of Privacy Professionals (IAPP).

In addition to English, Jacky speaks Chinese (Mandarin).

Sarah has assisted public and private clients on a wide range of privacy engagements, including conducting privacy impact assessments (PIAs), privacy program management and culture building projects, Privacy and Cyber Security Health Checks and providing written strategic and practical advice.

Selected projects that Sarah has assisted in include:

• Online Education Services – Privacy Officer as a Service services including assistance in building a Privacy Management Framework and Privacy Management Plan, and raising privacy awareness
• Ambulance Victoria – assessment of Ambulance Victoria’s current information privacy practices in key divisions through an information gathering and analysis tool developed by IIS
• Victorian Department of Transport and Planning – conducting PIAs on various projects, including the Distracted Driver Camera Project, the Digital Driver Licence project, and the Fines Reform project
• Office of the Australian Information Commissioner (OAIC) – assistance with Privacy assessment of General Practice (GP) clinics’ compliance with the APPs and Rule 42 of the My Health Records Rule 2016; and Credit Reporting Code independent review
• Mastercard – Privacy Impact Assessment (PIA) on ID Network, assistance with TDIF accreditation
• Askable – Privacy Officer as a Service services including general advisory, international privacy legislation review and assistance with vendor onboarding.

Prior to joining IIS, Sarah was an Economic Intelligence Intern doing risk analysis for one of France's industrial nuclear energy companies, Framatome. Working within the Protection department, she provided the other business units of the company with due diligence reports, market studies and strategic advice on reputational risks and corruption. She also conducted an information protection audit on one of the company’s industrial sites.

Sarah also has diplomatic experience working at the French Consulate in Melbourne, where she assisted the Honorary Consul.

Sarah has a Master’s degree in European Security and International Stability from Sciences Po Strasbourg. She is a member of the Australian Information Security Association (MAISA) and the International Association of Privacy Professionals (IAPP).

In addition to English, Sarah speaks French.

Prior to joining IIS, Simon worked with the United Nations Capital Development Fund in New York where he improved the efficacy of humanitarian responses in African countries. He also worked as a paralegal at KPMG Law’s Sydney office, where he assisted on international banking, regulatory enforcement and technology policy matters.

Simon holds a combined Bachelor’s degree in Commerce and Laws from the University of Sydney. He has a lecturer position at the university, teaching data analytics and professional writing.

Simon is a member of the International Association of Privacy Professionals (IAPP) and the Australian Information Security Association (MAISA).

He has assisted in projects including:

• Project-managing the development of the OAIC’s first major position and issues paper on Australian Government Information Policy, published on the opening of the new Office
• Australian Bureau of Statistics – Designing a tailored privacy management plan for the ABS and conducting privacy impact assessments with respect to the use of census data for sampling purposes
• A Large Hospitality, Resort, and Entertainment company – Reviewing Membership Programs and mapping out data flows with respect to its Sales’ Systems, and followed up with designing training programs
• A Global Strategy Consultancy – Researching and providing advice in the transferring of personal information or health related data to a different database
• Cancer Institute NSW – Conducting a PIA with respect to the releasing of a new platform which allows GP to get automatic updates from Medicare
• Austroads – Assisting with a PIA to evaluate the privacy impacts that may be associated with each state and territory road transport agency using the Face Matching Services provided by the National Facial Biometric Matching Capability
• Australian Institute of Company Directors (AICD) – Contributing to the The New Governance of Data and Privacy, a book co-authored by Malcolm Crompton, Michael Trovato, and Chong Shao.

Joshua holds a Hong Kong Lawyer License and is based in Hong Kong.

Before joining IIS, Joshua worked for the Privacy Commissioner for Personal Data, Hong Kong and was posted to the Policy and Research Division. He was directly supervised by the Privacy Commissioner of Hong Kong and was tasked with research projects relating to the European Union General Data Protection Regulation (GDPR), and emerging technologies such as electronic mobile payments, video analytics and location tracking, etc.

Joshua is a recent graduate from the Chinese University of Hong Kong, holding a Juris Doctorate degree with a scholarship and a Bachelor of Social Science (First Class Honours) in Sociology. He is a member of the International Association of Privacy Professionals (IAPP).

In addition to English, Joshua speaks fluent Chinese, Spanish and Cantonese.