By Mike Trovato and Eugenia Caralt
IIS is a proud supporter of 2020 Privacy Awareness Week (PAW), 4-10 May, an annual event to raise awareness of privacy issues and the importance of protecting personal information.
Australian privacy regulators are leading the effort to increase privacy awareness in the midst of a unique and uncertain time as we face the COVID-19 pandemic. Because of the challenges presented by the pandemic, compliance and risk to personal information in government, industry, education, and non-profits are front of mind.
Regulatory themes
This year the Office of the Australian Information Commissioner’s (OAIC) theme is “Reboot Your Privacy”. As Information and Privacy Commissioner Angelene Falk indicates, this year’s theme is in line with the current challenges that Australian entities are facing to adapt to the new demands of remote working and online interactions. To access the Commonwealth and state-based PAW information, events and resources, click on the links below:
Office of the Australian Information Commissioner – Reboot Your Privacy
Office of the Victorian Information Commissioner – Privacy – Protect Yours and Respect Others’
Office of the Information Commissioner Queensland – Be Smart About Privacy
Information and Privacy Commission New South Wales – Prevent, Detect, Protect
IIS and partner events
In addition to being a PAW partner, IIS is supporting efforts to raise privacy awareness through the following activities:
Privacy Masterclass – Data and Privacy with Malcolm Crompton and Lyria Bennett Moses as part of the Australian Computer Society’s NSW Privacy Summit
When: Wednesday, April 29, 4:00 PM AEST
Theme: Why is there so much debate about the trustworthiness of government uses of data?
This session will explore the ways in which existing law and its implementation are not meeting the needs of citizens or the needs of government seeking to retain citizen trust.
To pre-register for the free webinar click here (the link will be posted two hours before the event commences).
OneTrust webinar – Privacy in a Pandemic with the Privacy Commissioners from Australia and New Zealand and IDCare’s Managing Director
When: Wednesday, May 6, 2:00 PM AEST
Theme: As the world rapidly changes to address the COVID-19 pandemic, what’s at stake for privacy?
Panel discussion of issues and practical advice for maintaining privacy during the pandemic.
To pre-register for the free webinar click here.
IIS’ PAW 2020 message
The OAIC’s theme is Reboot your Privacy using Ctrl+Alt+Del. What does Ctrl+Alt+Del practically look like?
1) Ctrl – OAIC message: Check and update your privacy and security controls; IIS view: Undertake privacy and security health checks – Know where you stand and take action!
At IIS, we are often asked by potential and current clients seeking to improve privacy practice: “Where should we start?” or “What should we do?” We find that this question is best answered by more questions! For example:
When did you last review your entity’s privacy and security practices?
Do your management and board of directors have a clear view of where the entity stands in terms of personal information as an asset? Are the current culture and practice appropriate to the entity’s strategy, risk appetite and privacy stance?
Are your management and board of directors aware of the risks, and do you have their support (including financial support) to address them?
As you are all aware, the Privacy Act (Australian Privacy Principle 11) requires entities to take reasonable steps to protect the personal information they hold, having regard to, among other things, the nature of the entity and the amount and sensitivity of the information. If your entity’s privacy management and governance are insufficient in light of these factors, both your entity and your customers are at risk.
A ‘privacy and security health check’ assists entities to assess the extent to which their current practices, procedures and systems comply with the law, are exposed to privacy and security risks, and meet privacy and security best practice. It provides a point-in-time baseline from which an entity can decide where it wants to be.
Entities that do not understand their position and have not taken appropriate action could be deemed deficient by regulators and will likely be subject to enforceable undertakings after the inevitable breach.
2) Alt – OAIC message: Consider the alternative when giving or asking for personal information; IIS view: Implement Privacy by Design!
What can you do with less? How can you cut unnecessary collection of personal information, or even creatively achieve the same goal without any personal information at all? These practices are best implemented by embedding Privacy by Design (PbD) from the very start.
Applying PbD strategically helps entities internalise user-centric practices that are key to building trust with customers and reducing risk to the entity over the long run. Furthermore, it heads off the often costly and time-consuming process of ‘bolting on’ privacy fixes at the end of a project, or finding a project has to be shelved altogether due to privacy concerns.
PbD should be actively adopted in contexts where the value of the data and the associated privacy risks are high, for example: big data analytics; mobile location analytics; biometrics, including facial recognition; and customer loyalty programs.
IIS believes that now more than ever entities cannot hit the PAUSE button on thinking and doing privacy. Rather, they should adapt to this current moment, such as by using short-form Privacy Impact Assessments, as Australian privacy regulators have recently indicated.
3) Delete – OAIC message: Delete any data from old devices and securely destroy or deidentify personal information if it’s no longer needed for a legal purpose; IIS view: develop data retention policies, enforce them and prove it!
Data is a liability because of the risk of a privacy or security breach and the resulting toxic effects. Security and privacy are related but distinct. An entity can have the world’s best security practices for its personal information and still have collected information it should never have collected, or used it for a purpose individuals would not expect. To highlight this point, consider the tech giants like Google and Facebook. Presumably they have industry-leading security practices, but this has not stopped them from getting into privacy mishaps over the years.
To minimise both privacy and security failures, entities should have a retention policy in place for all types of data, including personal information. They should be familiar with their legal requirements and transparent about their data handling practices. When data is no longer needed, they should act to ensure that the appropriate steps are carried out (such as deletion or deidentification) – this includes thinking about their supply chain and external service providers.
More and more we are seeing the policy and best practice landscape shift towards favouring stronger assurance. Entities that are able to prove what they say (including data deletion) will be in a much stronger position with respect to building trust and credibility with individuals, clients and regulators.
Summing up: The importance of governance and directors’ key role in driving privacy and security
Privacy awareness should not only lead to better compliance but also contribute to valued business and strategic goals. Reflecting on this year’s OAIC theme, and given the growing importance of personal information as a mission-critical asset, IIS encourages entities seeking to turn awareness into better practice to start with a privacy and security health check.
As we look ahead to 2020 and beyond, the governance of personal information will be a growing area of interest for regulators (not just in privacy, but specific sectors as well). A board that is not asking relevant questions of management, or is unable to assure itself of how personal information is being handled and protected, is demonstrating a failure of governance that could compromise the entity’s mission and potentially open it up to external scrutiny and consequences.
It has been just over a year since the launch of “The New Governance of Data and Privacy: Moving beyond compliance to performance”, co-authored by Mike Trovato (Managing Director) and Malcolm Crompton AM (Lead Privacy Advisor) and published by the Australian Institute of Company Directors (AICD).
The book discusses why privacy governance is a top line strategic and compliance issue for boards and sets out a framework for boards to lead and direct privacy governance in their entity. The main themes of the book have also been adapted into the Data and privacy governance director tool jointly published by the AICD and the Australian Information Security Association (AISA), available here.