Viewing entries tagged
Privacy

Digital ID Bill introduced to the Senate

Digital ID Bill introduced to the Senate

By Natasha Roberts

On 30 November 2023, the Minister for Finance and the Attorney General announced that the Digital ID Bill had been introduced into the Senate, a historic step to strengthen and expand Australia’s Digital ID System and do more to protect Australians’ privacy and security settings in the digital age.

The Government released an Exposure Draft of a Digital ID Bill in September 2023, aimed at formalising in legislation a digital ID system that has been under development in Australia for many years. IIS Partners made a submission on the 2023 Exposure Draft and a submission to an earlier 2021 Exposure Draft identifying ways in which its protections could be strengthened.

It is gratifying to see suggestions presented in our submission taken up in the Bill as introduced – or at least this is our understanding from an admittedly quick review of the Bill.

Voluntariness

In particular, it is pleasing to see a strengthening of provisions protecting the voluntariness of digital IDs. Guaranteeing that participation in digital ID systems will be voluntary and non-compulsory is one of the strongest protections available to individuals to avoid overreach by government or other entities and worsening of the power imbalance over individuals.

To that end, our submission raised concern over an exception in the Exposure Draft that would override the voluntary use requirement where ‘a law of the Commonwealth, a State or a Territory requires verification of the individual’s identity solely by means of a digital ID.’ Such a provision, we pointed out, would allow future encroachment on voluntary use. We are pleased to see the removal of that exception from the Bill.

Law enforcement and national security exceptions

Another major area of concern for us was the permissiveness of law enforcement and national security exceptions in the Exposure Draft. IIS has been on the record in a July 2021 submission and again in a October 2021 submission regarding our concern about such exceptions which we find to be too broad, establishing too low a bar for disclosure to these agencies, and too weak a framework for oversight.

With this Bill, we see some narrowing of law enforcement and national security exceptions. For example, one of the main clauses enabling disclosure for law enforcement purposes (clause 54) now formally excludes biometric information – disclosure of biometric information for law enforcement purposes is regulated under a separate provision and requires the higher bar of a warrant before disclosure.

We also see that certain exceptions within clause 54 appear to have been narrowed. In the Exposure Draft personal information could be disclosed for law enforcement purposes where the accredited entity was satisfied that the enforcement body reasonably suspected that a person had committed an offence or breached a law imposing a penalty or sanction. In the Bill this has been narrowed to allow disclosure where the accredited entity is satisfied that the enforcement body has started proceedings against a person for an offence or in relation to a breach of a law imposing a penalty or sanction. The penalty for breaching clause 54 has also been increased from 300 penalty units in the Exposure Draft to 1500 penalty units in the Bill as introduced.

IIS remains of the view that the Minister’s stated goal of ‘inclusivity’ is likely to be threatened by an overly permissive approach to law enforcement access to information handled and generated by digital ID systems. Law enforcement or national security access has the potential to negatively impact trust in the system which in turn will negatively impact inclusion, especially for individuals who already have a low trust in government or generally on the margins of society.

Looking ahead

In our view, these changes are in the right direction and we will continue to advocate for strict limits on law enforcement and national security access to digital ID system information. IIS continues to be very engaged in this space with Malcolm Crompton, Founder and Partner at IIS, appointed to the Ministerial Digital ID Expert Panel to provide independent advice on Australia’s digital ID program.

The Digital ID Bill was introduced to the Senate where it was referred to the Senate Economics Legislation Committee. The Committee is due to report on the Bill by the end of February 2024. Noting that much of the Committee review period is over December and January when people are busy or away, IIS urges anybody with a point of view on the Digital ID Bill to prioritise making a submission.

Safer Internet Day 2022

Safer Internet Day 2022

By David Zhu, Sarah Bakar, Sarah Brichet and Eugenia Caralt

IIS is proudly supporting the eSafety Commissioner to mark Safer Internet Day on 8 February 2022, an annual event to promote cyber safety and a healthier online environment. 

Australian Privacy regulators are leading the effort to improve online safety protections during a unique and uncertain time as remote learning and working have become commonplace. eSafety Commissioner Julie Inman Grant revealed that since the start of the COVID-19 pandemic, serious cyberbullying towards children was up by 30%, while adults experienced a nearly 40% rise in online harrassment. Because of the challenges presented by these circumstances, online safety risks are front of mind. 

Regulatory theme

This year, Safer Internet Day’s theme is “Play it Fair Onlinewhich comes as the Federal Government is seeking to reform online abuse laws after introducing the Social Media (Anti-Trolling) Bill late last year. To access useful eSafety resources, you can click on the following links: 

Workplace Safety Guidance

eSafety Toolkit for Schools

Safety by Design

IIS’s Safer Internet Day 2022 message: G.U.A.R.D. against online abuse 

As we look ahead to 2022 and beyond, IIS’s view is that strong privacy and security practices are paramount for organisations to prevent and respond to online abuse. It is also important for parents and educators to be aware of privacy controls and security settings in order to protect children on digital platforms, which often contain inappropriate or malicious content. 

This year, eSafety has published a set of privacy tips for educators, workplaces and the broader community. In this post, we have compiled these tips, along with our own commentary to help you G.U.A.R.D. against online abuse.

IIS’s top five tips for online safety

1) G is for: Get control of your location settings

Location settings are embedded into all types of technology and are important for geo-tracking services such as map apps. However, allowing the unrestricted use of these settings can allow others to track you with malicious intent. 

eSafety recommends users to safeguard their privacy by turning off location tracking features when not necessary and manually choosing when and with whom to share your location with. 

You can get more information on location settings here.  

2) U is for: Use conversation controls

Conversation controls can help manage who sees and interacts with you online. 

eSafety advises users to mute, block or unfollow cyber abusers, in order to minimise the harm caused. 

IIS also recommends the following Do’s and Don’ts to be fair and kind online:

·       Do treat others with the same respect that you would want others to treat you with.

·       Do consider others and be tolerant of different views and opinions.

·       Do speak up against online abuse when it is safe to do so.

·       Don’t share secrets or sensitive information. 

·       Don’t send insulting, mean or derogatory messages.

·       Don’t “diss” others or spread false rumours.

Check out The eSafety Guide for information on conversation controls for popular platforms such as Facebook, Instagram, Tiktok and most popular online games. 

3) A is for: Always update your security and privacy settings 

Cybercriminals, stalkers, and other malicious actors can exploit vulnerabilities in unsecured online accounts to access, steal and leak your personal information. 

To protect against this, eSafety recommends using unique and strong passwords for each online account, signing out of platforms when you’re not using them and turning on multi-factor authentication. Having strong security questions that only you can answer is also useful as an extra layer of protection.  

IIS further recommends updating and backing up your devices regularly, to minimise security vulnerabilities and keep your information secure. 

For guides on how to enhance your security and privacy settings, eSafety has a set of how-to-videos.

4) R is for: Raise your voice about online abuse

It’s important to report online abuse to the relevant online platforms and, depending on the level of harm, escalate it to the police and other authorities. This will help keep websites and social media platforms respectful and safe for users. 

For advice and support or to report online abuse, go to eSafety.gov.au.

5) D is for: Don’t forget to collect evidence

Collecting evidence of online abuse can help authorities track down offenders and ensure that your rights are protected. 

The eSafety commissioner recommends victims of online abuse to take a screenshot and save a URL of these incidents. However, evidence should only be collected when you feel it is absolutely safe to do so.

eSafety’s step-by-step guidance on collecting evidence can be accessed here.

Participating in Safer Internet Day 2022 

If you have been considering taking steps to raise online safety awareness and/or strengthen your organisation’s privacy practices, participating in Safer Internet Day 2022 is an excellent starting point.

Sign up here to support Safer Internet Day or contact IIS to help you and your organisation make online safety a priority. 

Privacy and vaccine passports: Considering the IATA Travel Pass

Privacy and vaccine passports: Considering the IATA Travel Pass

By Sarah Bakar, Lisa Hooper and Chong Shao

As governments roll out vaccinations and the COVID-19 pandemic begins to ease in certain parts of the world, tentative plans to reopen international travel have begun. Central to these plans is the ongoing discussion of having a kind of digital document to prove that individuals are vaccinated – that is, a ‘vaccine passport.’

There are many different versions that have been or are being developed by various organisations such as governments, airlines and industry groups, non-profits and technology companies. Vaccine passports are not only being developed to facilitate international travel. They have also been proposed to be used for domestic purposes, such as entry into restaurants and events. 

In the realm of international travel, several passes have been introduced: CommonPass, AOKPass and the IATA Travel Pass. To date, the IATA Travel Pass has received the most uptake from airlines. These include Singapore Airlines, Qatar Airways, and Emirates Airlines to name a few. 

The Travel Pass was developed by the International Air Transport Association (IATA). It is a mobile app that allows travellers to store and manage their verified certifications for Covid-19 tests and vaccines.

Nick Careen, Senior Vice President, Airport Passenger Cargo and Security at IATA said‘It’s about trying to digitize a process that happens now and make it into something that allows for more harmony and ease, making it easier for people to travel between countries without having to pull out different papers for different countries and different documents at different checkpoints.’

How the Travel Pass app will work

Travel Pass will ask users to create a profile, enter their flight details, and direct the users about their requirements for travel such as suggesting verified testing facilities. Travel Pass will integrate with testing facilities so that the results can be sent directly to the app. Moreover, when governments start to issue digital vaccine certificates, the individual can opt to upload this certificate onto the app as well. Once the appropriate data has been uploaded, the user will receive a confirmation or ‘okay to travel’ notification which is relied upon by airlines.

In the app’s current state, a physical passport will still be used to confirm a person’s identity in conjunction with the app; COVID-19 results and vaccination status will not be ‘linked’ to a person’s physical passport. IATA’s plan is that Travel Pass will eventually be able to store an individual’s passport details on the app and thus be able to link COVID-19 results and vaccination status in one place. 

Travel Pass and privacy

While Travel Pass is still in the early stages of being released to the wider public, we note that its cautious approach to data handling is in line with public sentiment. For example, the Australian Community Attitudes to Privacy Survey 2020 found that 9 in 10 Australians want more control over their data.

From what has been published by IATA, Travel Pass appears to be mostly sound from a privacy and security perspective. Based on the current Travel Pass privacy policy, we note the following privacy positives:

  • Use of Travel Pass is voluntary 

  • IATA conducted a Data Protection Impact Assessment (DPIA) of the Travel Pass (although we note that this has not been published) 

  • IATA built Travel Pass from the beginning with privacy by design principles 

  • The app gives control to the user in terms of what information is entered (such as using the digital passport facility and/or uploading their vaccination certificates) and who it is shared with (no information is shared with an airline or government without their authorisation)

  • All Travel App data is stored locally on the device – this includes verified COVID-19 test results and vaccinations certificate (however, the IATA server will temporarily process data in order to facilitate an action such as receiving test results from a testing facility or sharing data with a partner)

  • Deletion of the app means the deletion of all data 

  • If an individual chooses to share data with a partner, the data is encrypted and sent directly to them from the mobile device. 

There are some remaining issues where more clarity and transparency would be welcome, for example:

  • What is the procedure involved in an airline verifying an individual’s ‘Okay to travel’ status? Do airline staff sight the status or are individuals required to share their test results/vaccination status? 

  • What will be the mechanism for oversight and assurance that what is described in the privacy policy is the reality? 

  • Can we be sure about the assurances that IATA will immediately delete the processed data from its servers? What happens in case of technical issues? Is the data retrievable? 

As more and more airlines participate and adopt Travel Pass, we hope and expect more information to be made available on how Travel Pass handles user data and the benefits of having such tool. 

Contact tracing data and function creep: A case study in Singapore

Contact tracing data and function creep: A case study in Singapore

By Sarah Bakar, Lisa Hooper and Chong Shao

In March 2020, upon the World Health Organisation’s declaration of the COVID-19 pandemic, Singapore became one of the very first countries to launch a contact tracing app to manage the spread of COVID-19. By October 2020, it became mandatory for citizens to either download the app onto their smart phone or carry an electronic token.

Timeline of events

  • March 2020

    Launch of TraceTogether – the digital system for contact tracing

  • April 2020

    Launch of SafeEntry – national digital check-in system 

  • October 2020

    Launch of BluePass – a specifically-designed contact tracing device for migrant workers

  • January 2021

    The country’s widely-used COVID-19 contact tracing application TraceTogether made international headlines after Minister of State Desmond Tan revealed during a parliamentary session that data collected through the TraceTogether app fell under the purview of the country’s Criminal Procedure Code and as such the data can be used for criminal inquiries. The Minister’s comment means that police can use data from the TraceTogether, SafeEntry and BluePass systems in criminal investigations unrelated to COVID-19 contact tracing efforts. Soon after this statement, it was revealed by another minister that such data had in fact already been used in a murder investigation.

    These revelations caused a public backlash.

  • February 2021

    In its attempt to rectify the situation, the government passed a law to restrict the use of the data: the COVID-19 (Temporary Measures) (Amendment) Bill. 

COVID-19 (Temporary Measures) (Amendment) Bill

The law allows for the personal data collected by a digital contact tracing system to be used for investigation into “serious offences”. Digital contact tracing systems include the three main ones noted above. 

The bill defines serious offences to include unlawful use or possession of explosives, firearms or dangerous weapons; any offence relating to terrorism; any offence relating to causing death or concealment of death; a drug offence that is punishable by death; kidnapping, abduction or hostage-taking; and any offence involving serious sexual assault such as rape.

As of January 2021, it is estimated that 4.2 million people or 78% of residents have downloaded the app. This is a significant number, illustrating how the public was eager to cooperate with the government in tackling COVID-19 but more importantly just how vast the amount of data available is. However, the revelation that contact tracing data had already been being used by enforcement authorities caused a public outcry with people calling out the government and some even deleting the app altogether. It is important to call out that this revelation came 10 months after the launch of the app, and after users were continuously assured that the data will only be used for contact tracing.

Function creep and its consequences

The pandemic triggered an emergency situation throughout the globe, creating urgency for governments to manage and respond effectively. As such, contact tracing apps emerged quickly, including in Singapore. However, the data generated by such apps has become a tempting honeypot for law enforcement.

On the one hand, the enactment of the Bill shows that the Singaporean government is explicitly limiting the (secondary) use of contact tracing data. On the other hand, as it comes 10 months after the launch of TraceTogether, the Bill can also be viewed as a way for the government to attempt to regain the public’s trust and fix its reputation after it was obvious that the public felt betrayed and cheated.

This is yet another lesson in how mishandling of data will no longer go unchecked by the public, even for a population who tends to be deferential to their government in the case of Singapore.

Privacy should not be undermined for the sake of other worthy but unrelated goals. There are consequences not only for the individuals involved, but also the broader public health goals of the government. Given that the effectiveness of contact tracing apps depends on the number of people who use them, public trust and confidence that their privacy will be respected is a key ingredient to controlling the pandemic.

Needless to say, this function creep will not be the only one of its kind as valuable data continues to be collected for contact tracing across the world. In light of this, we strongly advocate for the inclusion of Privacy By Design in the development of such apps, to ensure that privacy is not left as an afterthought.

This can include explicit purpose limitations on the use of data, as well as built-in data retention limits to prevent a honeypot situation. New South Wales’ COVID Safe Check-In tool is a good example of this – individuals’ details can only be used for contact tracing purposes, and if no such action is taken, their details are permanently deleted by Service NSW after 28 days.

IIS Newsletter #6 2020 - Year in Review and Seasons Greetings

IIS Newsletter #6 2020 - Year in Review and Seasons Greetings

2020, the year that was…

As 2020 draws to a close, we are taking this moment to step back and reflect on the year. IIS has made a few logistical changes in 2020. This year we moved our Sydney office from Chippendale to The Vines co-working space in Waterloo. We expanded and diversified our team across Brisbane, Hong Kong, Malaysia, Melbourne and Perth. We also fully embraced working from home (WFH) and flexibly, which have always been a part of our culture.

In April this year when lockdowns began, we published a guide on how we do WFH including a page on privacy and security. As WFH is becoming a standard in how we work, we recommend a review of the aforementioned guide.

Our shared achievements

Despite the challenges of COVID-19, 2020 has been a busy time for our clients.

Notably, we completed a Privacy Impact Assessment for the Australian Bureau of Statistics (ABS) about the use of integrated administrative data in the next Census, which the ABS has published. We were asked to identify privacy issues and risks associated with the Census admin data project – including matters of compliance with law and policy, as well as broader considerations such as stakeholder expectations and social licence.

The Office of the National Data Commissioner (ONDC) and Department of the Prime Minister & Cabinet (PM&C) engaged us to conduct a PIA on a draft of the landmark Data Availability and Transparency Bill (DATB), formerly known as the ‘Data Sharing and Release Bill’. The 13 recommendations and PM&C’s responses are published in our PIA here.

IIS proudly supported Commonwealth, NSW, and Victorian Privacy Awareness Weeks in 2020. The OAIC’s theme was Reboot Your Privacy, focusing on the current challenges that Australian entities are facing to adapt to the new demands of remote working and online interactions. Among IIS activities, Lead Privacy Advisor, Malcolm Crompton spoke at the Australian Computer Society’s NSW Privacy Summit seminar, available here. The seminar asked: Why is there so much debate about the trustworthiness of government uses of data? This session explored the ways in which existing law and its implementation are not meeting the needs of citizens or the needs of government seeking to retain citizen trust.

IIS also authored National Security or Privacy? in CyberAustralia magazine, as part of the Risk & Cyber Week virtual conference by the Risk Management Institute of Australasia (RMIA) and the Australia Information Security Association (AISA). The article puts forth the “4A framework,” as a way to examine how we can have stronger protections for stronger national security powers.

Looking ahead

The past 12 months have been met with brand new challenges and the importance of data protection has never been greater in this time of change and uncertainty.

In particular, we have provided increased support in terms of agile Privacy by Design work, privacy compliance and performance audits, and data breach response. We envisage this will continue as organisations expand their digital efforts in a landscape of hybrid work environments, higher customer expectations and changing legal regimes (Privacy Act review, new data sharing regime, Consumer Data Right, to name a few!).

The growing shift in attitude towards privacy and security was highlighted in a recent OAIC survey which showed that privacy is a major concern for 70% of Australians, and almost 9 in 10 want more choice and control over their personal information.

Thank you to all our clients for the trust that you have placed in IIS this year and your enthusiastic efforts to promote better privacy and security. We look forward to the challenges and projects that 2021 may bring and working with you again.

Have a safe and happy Christmas and New Years!

New Zealand reforms its privacy law

New Zealand reforms its privacy law

By Sarah Bakar and Natasha Roberts

In June 2020, New Zealand’s Parliament passed a bill reforming the nation’s privacy law. The new Privacy Act 2020 replaces the 27-year-old Privacy Act 1993. The Privacy Commissioner John Edwards has stated: “The new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment.” 

The Act introduces significant changes to the privacy law. According to the New Zealand Privacy Commissioner’s website the key changes include: 

1. Mandatory notification of harmful privacy breaches.
If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.

2. Introduction of compliance orders.
The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.

3. Binding access determinations. 
If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.

4. Controls on the disclosure of information overseas. 
Before disclosing New Zealanders’ personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.

5. New criminal offences. 
It will be an offence to mislead an organisation or business in a way that affects someone’s personal information or to destroy personal information if a request has been made for it.  The maximum fine for these offences is $10,000.

More significantly, in line with its aim to better protect New Zealander’s privacy rights, the new Act has greater extraterritorial reach as it will also apply to entities that carry on business in New Zealand regardless of whether or not they have a legal or physical presence in New Zealand (Section 3A (1)(b)). The Act states that an overseas agency may be treated as carrying on business in New Zealand without necessarily being: 

  • a commercial operation; or 

  • having a place of business in New Zealand; or

  • receiving any monetary payment for the supply of goods and services; or 

  • intending to make a profit from its business in New Zealand. 

This will have implications for Australian businesses that collect or hold the personal information of New Zealanders as part of their business operations. They will be obliged to comply with this law regardless of where they or their servers are based. The Act will come into effect on 1 December 2020.

As such, IIS suggests that businesses check their coverage under the reformed legislation and start preparing to ensure compliance. 

COVIDSafe - A turning point for privacy?

COVIDSafe - A turning point for privacy?

By Malcolm Crompton and Chong Shao

The Australian Government’s COVIDSafe app has been met by both widespread scrutiny and widespread adoption. Is the app safe? Is the public’s response revealing the true Australian character? Are the privacy fears overblown? The picture is fascinating when you step back and look at what this app says about privacy in Australia both now and going forward.

Making the grade

Let’s address the most important thing upfront: the app appears to be mostly sound from a privacy and security perspective. Contrary to the FUD (fear, uncertainty and doubt) swirling around – no, the app does not collect any location information; no, it does not “track and monitor” you at all times (contrary to existing apps in other countries). Here is a good explainer on how the app actually works. 

The Australian Government commissioned a Privacy Impact Assessment from a law firm which it has published. From our perspective, the key privacy protections are:

  • The layers of opt-in consent and control built into the app, from registration to uploading information to the National COVIDSafe Data Store

  • Access to the information in the Data Store will be strictly limited to health officials in the States and Territories, and the purpose will be strictly limited to COVID-19 contract tracing and notification – these restrictions will be backed by federal legislation

  • All data held in the Data Store will be deleted at the end of the pandemic – this is very important because retaining information is a necessary feature of the centralised model (as opposed to the decentralised model proposed by the Apple-Google partnership), which could lead to potential misuse or compromise of the information.

There are some remaining issues where more clarification would be welcome:

  • What will be the arrangements that govern how State and Territory officers use the gathered information? What will be the mechanisms for oversight, enforcement and responding to failure in those jurisdictions?

  • The government has stated that it will introduce regulations to prevent police and other government agencies from accessing the information collected by the app. This is a good move to increase trustworthiness, but will it extend to national security agencies (as it should)? Will it extend to State and Territory police forces?

  • Why the delay in the promised release of the source code and will the source code of the inevitable updates also be released? Has it been sufficiently security tested? 

  • Can we be sure about the assurances that Amazon Web Services will abide by Australian law rather than US laws should the US demand (secret) access to the data?

  • Why hasn’t there been wider consultation with interested parties beyond the chosen federal agencies? Will there be such consultations from now on?

The big missing piece

While the app’s privacy protections are commendable, as always, the proof of the pudding is in the eating. A recent post by the UK Information Commissioner, summarising the discussions of more than 250 participants from the privacy domain on the use of technology to combat the pandemic, highlighted the importance of governance and accountability processes.

This is where we think the government’s current implementation is lacking. For example: how will we know that only the right people are accessing the information and using it for the right reasons? How will we know that the information will be deleted once the pandemic is over? How secure is the system – in the exchange of Bluetooth signals, the information in transit to and from the Data Store, and information at rest in the Data Store?

The PIA recommends additional independent assurance and testing from security experts, and to make this publicly available. This should extend to all aspects of data handling by participants in the ecosystem including Commonwealth, State and Territory agencies as well as private sector participants such as Amazon.

To maximise privacy and trust, the government should not only make the right promises, but also (i) explain how it will keep them and (ii) demonstrate, via expert and independent validation, that they are indeed being kept.

The creation and the creator

We have observed an interesting dichotomy in the responses to the COVIDSafe app. There is widespread recognition, even from usually sceptical voices, that the app is not especially problematic from a privacy perspective. At the same time, there is a general sense of concern about a new method of data collection by the Australian Government. The problem is not with the creation, but with the creator.

It would be an understatement to say that the government has a chequered past with respect to privacy and data handling (see here for a recent history lesson). This has resulted in a trust deficit where anything it proposes is subject to negative publicity. So far, adoption rates indicate that many Australians are willing to try the app notwithstanding the government’s track record. 

Is this because of the objectively strong privacy measures implemented and promoted by the government? And/or is this because of the extraordinary circumstances we are in, with Australians doing their part to help combat the pandemic and hasten the reopening of our society? It may be too soon to tell, although it is fair to hypothesise that both are playing a role.

Our hope is that this augurs well for future government initiatives, that the Australian Government will take lessons from the positive response to the app – achieved through a combination of taking privacy seriously (including legislatively) and appealing to public solidarity. This represents a break from its past behaviour and could serve as the new and better precedent going forward.

Privacy Awareness Week 2020: A message from IIS

By Mike Trovato and Eugenia Caralt

IIS is a proud supporter of 2020 Privacy Awareness Week (PAW), 4-10 May, an annual event to raise awareness of privacy issues and the importance of protecting personal information. 

Australian privacy regulators are leading the effort to increase privacy awareness in the midst of a unique and uncertain time as we face the COVID-19 pandemic. Because of the challenges presented by the pandemic, compliance and risk to personal information in government, industry, education, and non-profits are front of mind. 

Regulatory themes

This year the Office of the Australian Information Commissioner’s (OAIC) theme is “Reboot Your Privacy”. As Information and Privacy Commissioner Angelene Falk indicates, this year’s theme is in line with the current challenges that Australian entities are facing to adapt to the new demands of remote working and online interactions. To access the Commonwealth and state-based PAW information, events and resources, click on the links below: 

Office of Australian Information Commissioner – Reboot Your Privacy

Office of the Victorian Information Commissioner – Privacy – Protect Yours and Respect Others’ 

Office of the Information Commissioner Queensland – Be Smart About Privacy

Information and Privacy Commission New South Wales – Prevent, Detect, Protect

IIS and partner events

In addition to being a PAW partner, IIS is supporting efforts to raise privacy awareness through the following activities:

Privacy Masterclass – Data and Privacy with Malcolm Crompton and Lyria Bennett Moses as part of the Australian Computer Society’s NSW Privacy Summit

When: Wednesday, April 29, 4:00 PM AEST

Theme: Why is there so much debate about the trustworthiness of government uses of data? 

This session will explore the ways in which existing law and its implementation are not meeting the needs of citizens or the needs of government seeking to retain citizen trust. 

To pre-register to the free webinar click here (Link will be posted 2 hours before the event commencing). 

OneTrust webinar – Privacy in a Pandemic with the Privacy Commissioners from Australia and New Zealand and IDCare’s Managing Director 

When: Wednesday, May 6, 2:00 PM AEST

Theme: As the world rapidly changes to address the COVID-19 pandemic, what’s at stake for privacy? 

Panel discussion of issues and practical advice for maintaining privacy during the pandemic.

To pre-register to the free webinar click here.

 

IIS’ PAW 2020 message

The OAIC’s theme is Reboot your Privacy using Ctrl+Alt+Del. What does Ctrl+Alt+Del practically look like?

1) Ctrl – OAIC message: Check and update your privacy and security controls; IIS view: Undertake privacy and security health checks – Know where you stand and take action!

At IIS,  we are often asked by potential and current clients seeking to improve privacy practice: “Where should we start?” or “What should we do?” We find that this question is best answered by more questions! For example:

  • When did you last review your entity’s privacy and security practices?

  • Does your management and board of directors have a clear view of where the entity standards in terms of personal information as an asset? Is the current culture and practice appropriate to the entity’s strategy, risk appetite and privacy stance?

  • Are your management and board of directors aware of the risks and do you have their support (including financially) to address them? 

As you are all aware, the Privacy Act requires entities to take reasonable steps to protect their personal information, considering, among other things, the nature of the entity, the amount and sensitivity of the information it holds. If your entity’s privacy management and governance are insufficient taking into account the above, both your entity and your customers are at risk.

A ‘privacy and security health check’ will assist entities to assess the extent to which their current practices, procedures and systems are compliant with the law, vulnerable to privacy and security risks, and/or meet privacy and security best practice. The assessment will provide a point-in-time assessment to assist entities in deciding where they want to be. 

Entities that do not understand their position and have not taken appropriate actions could be deemed as deficient by regulators and will likely be subject to enforceable undertakings after the inevitable breach. 

2) Alt – OAIC message: Consider the alternative when giving or asking for personal information; IIS view: Implement Privacy by Design!

What can you do with less? How can you cut unnecessary collection of personal information, or even creatively achieve the same goal without any personal information? These practices are best implemented by embedding Privacy by design (PbD) from the very start. 

Applying PbD strategically helps entities internalise user-centric practices that are key to building trust with customers and reducing risk to the entity over the long run. Furthermore, it heads off the often costly and time-consuming process of ‘bolting on’ privacy fixes at the end of a project, or finding a project has to be shelved altogether due to privacy concerns.

PbD should be actively adopted in contexts where the value of the data and the associated privacy risks are high, for example: big data, especially involving information; mobile location analytics; biometrics, including facial recognition; and customer loyalty programs.

IIS believes that now more than ever entities cannot hit the PAUSE button on thinking and doing privacy. Rather, they should adapt to this current moment, such as by using short-form Privacy Impact Assessments, as Australian privacy regulators have recently indicated.

3) Delete – OAIC message: Delete any data from old devices and securely destroy or deidentify personal information if it’s no longer needed for a legal purpose; IIS view: develop data retention policies, enforce it and prove it!

Data is a liability because of the risk of a privacy or security breach and the resulting toxic effects. Security and privacy are related but distinct. An entity can have the world’s best security practices for its personal information but still should not have collected it in the first place or should not have used it for an unexpected purpose. To highlight this point, consider the tech giants like Google and Facebook. Presumably they have industry-leading security practices, but this has not stopped them from getting into privacy mishaps over the years. 

To minimise both privacy and security failures, entities should have a retention policy in place for all types of data, including personal information. They should be familiar with their legal requirements and transparent about their data handling practices. When data is no longer needed, they should act to ensure that the appropriate steps are carried out (such as deletion or deidentification) – this includes thinking about their supply chain and external service providers. 

More and more we are seeing the policy and best practice landscape shift towards favouring stronger assurance. Entities that are able to prove what they say (including data deletion) will be in a much stronger position with respect to building trust and credibility with individuals, clients and regulators.

Summing up: The importance of governance and directors’ key role in driving privacy and security

Privacy awareness should lead to not only better compliance but also contribute to valued business and strategic goals. Reflecting on this year’s OAIC’s theme, IIS’s view is that given the growing importance of personal information as a mission critical asset, we encourage entities seeking to leverage awareness into better practice to start with a privacy and security health check.

As we look ahead to 2020 and beyond, the governance of personal information will be a growing area of interest for regulators (not just in privacy, but specific sectors as well). A board that is not asking relevant questions of management, or is unable to assure itself of how personal information is being handled and protected, is demonstrating a failure of governance that could compromise the entity’s mission and potentially open it up to external scrutiny and consequences.

It has been just over a year since the launch of “The New Governance of Data and Privacy: Moving beyond compliance to performance”, co-authored by Mike Trovato (Managing Director) and Malcolm Crompton AM (Lead Privacy Advisor) and published by the Australian Institute of Company Directors (AICD).
The book discusses why privacy governance is a top line strategic and compliance issue for boards and sets out a framework for boards to lead and direct privacy governance in their entity. The main themes of the book have also been adapted into the Data and privacy governance director tool jointly published by the AICD and the Australian Information Security Association (AISA), available here.