Getting back to privacy basics (PAW 2023)

By Simon Liu and Chong Shao

For Privacy Awareness Week (PAW) 2023, IIS joined the OAIC and other organisations in promoting the importance of establishing a privacy foundation, as part of 2023’s theme ‘Privacy: Back to basics’.

This year’s theme puts the spotlight back on having a strong privacy foundation in light of recent high-profile data breaches in Australia and abroad. The OAIC has published its set of ‘Privacy 101’ tips for individuals, businesses, and government agencies.

IIS Partners Malcolm Crompton and Nicole Stephensen were invited to speak in various PAW events in Australia including IAPP Sydney KnowledgeNet and Office of the Information Commissioner Queensland, covering topics ranging from protecting your personal information in different settings, to a discussion about OAIC’s recommendations to the Attorney-General’s Department regarding the Privacy Act Review in 2022.

IIS mini bites: Getting back to privacy basics

At IIS, we strongly encourage organisations to proactively strengthen their privacy and security practices.

In this post, we summarise some key ‘Privacy 101’ basics that organisations can implement to be trustworthy, and therefore to be trusted by the customers and community that they serve.

1) Know your obligations

Understand the privacy laws and regulations that apply to you, and be aware of potential changes on the horizon (like the Privacy Act Review). Consider privacy as an integral part of your business. In other words, don’t just ‘tick the boxes’. Instead, build a privacy-aware culture and practice as part of your regular routine.

2) Have a privacy plan

Ensure that you have a Privacy Management Plan (PMP) in place to help build each component of the privacy foundation and introduce accountability for doing them. The OAIC has provided a PMP template to assess your current and future privacy practices here.

3) Appoint key privacy roles

Assign a senior staff member with overall responsibility for privacy, as well as a staff member responsible for managing day-to-day privacy activities such as handling privacy enquiries and providing privacy advice. Ensure that the organisation’s leadership encourages a culture of privacy that values personal information and trust.

4) Assess privacy risks

Proactively undertake Privacy Impact Assessments (PIAs) for initiatives that involve new or changed information handling practices, to assess the impact on individuals’ privacy and identify steps to mitigate any risks. For high-profile or complex initiatives, consider engaging an independent expert to conduct the PIA.

5) Only collect or keep what you need

Minimise privacy risks by reviewing your products, services, and internal systems and processes to ensure that you only collect the personal information your organisation needs. Ensure that information that is no longer needed is destroyed or de-identified, to reduce the risk of data breach and possible impacts on customer trust and business objectives.

6) Secure personal information

Implement secure systems and processes to protect personal information from misuse, loss, and unauthorised access and disclosure. Start with the Essential Eight mitigation strategies. Recognise that the human element is often the ‘weak link’ – ensure that staff are aware of, and trained on, good security practices.

7) Simplify your privacy policy

Write your privacy policy in plain language and include a summary. Make it specific to your organisation and its information handling practices. Include information about how individuals and organisations can contact you about privacy matters.

8) Train your staff

Clearly outline how staff are expected to handle personal information in their direct duties. Provide tailored advice and training where their role requires it. Inform staff of the appropriate channel to report improper handling of personal information as well as data incidents and breaches.

9) Prepare for data breaches

Have a clear and practical data breach response plan that covers each stage of the data breach response. Regularly review and test out your plan to ensure staff and relevant team members know what actions to take.

10) Review your practices

Review and update your privacy policies and procedures regularly. Continually improve your privacy practices and anticipate future challenges, including keeping up-to-date with technological, market and regulatory changes.

Participating in Privacy Awareness Week 2023

IIS is proud to support PAW once again, as well as to help organisations with establishing privacy foundations. If you would like further information or assistance with raising privacy awareness and/or strengthening your organisation’s privacy and security practices, please reach out to us.

If you want to be trusted, you have to be trustworthy (PAW 2022)

By Sarah Bakar, Sarah Brichet and Chong Shao

2022 Privacy Awareness Week (PAW) is scheduled for 2-8 May. The OAIC’s PAW theme is Privacy: The Foundation of Trust. Its most recent survey of Australian attitudes towards key privacy issues revealed that Australians want more protection – 70% see the protection of personal information as a major concern.

This year’s PAW theme emphasises the importance of protecting privacy and building trust by putting in place the key foundations. The OAIC has published its set of privacy tips for individuals, businesses and government agencies.

IIS and building trust

At IIS, building trust has been a hallmark of our work. We consistently advocate that if an organisation wants to be trusted, it has to be trustworthy.

Trust was crucial in the advice we provided on the COVID Safe Check-In solutions for certain states, where it was important to establish and communicate the right privacy stance about the collection, use and storage of contact information, as well as location and potentially health information. We emphasised that failure to do so would result in the community not trusting the service and jeopardise the uptake of the solution.

Trust was also essential in our work with the Australian Bureau of Statistics (ABS). We helped develop the privacy strategy for its 2021 Census and encouraged ABS to demonstrate its trustworthiness by showing that their privacy undertakings were actually being delivered.

In this post, we provide our take on some key privacy foundations that organisations can implement to be trustworthy, and therefore to be trusted by the Australian community. 

1) Be honest - do not mislead

An early step for any organisation is to make a good promise about how it will handle the personal information it collects. This is usually presented in an organisation’s public-facing privacy documents, such as privacy policies, notices and consent forms.

The key is to not mislead consumers. Some questions for consideration:

  • If I cannot be honest about how I handle personal information or I need to obscure the truth then should I pursue this project/solution/process?

  • What does the community expect of us and do our promises meet these expectations?

Being honest about how personal information is handled and communicating this in the right way helps to make an organisation trustworthy. 

2) Be clear, explicit and finite

The promises an organisation makes should be set out in its public-facing privacy communications and be clear, explicit and finite. As personal information is collected, used and disclosed in ever-greater ways, there is also a greater responsibility for organisations to get their privacy communication right.

Privacy legislation across Australia requires organisations to provide (i) contextual, just-in-time privacy collection notices, and (ii) a privacy policy that more comprehensively explains how an organisation handles personal information.

We believe privacy documents that are best at promoting trustworthiness will be clear, explicit and finite:

  • Clear – use simple, plain English to communicate to readers and active voice not passive voice if at all possible; avoid complex language and lengthy blocks of text 

  • Explicit – tell people exactly what you will do and how you will do it; avoid vague and general statements

  • Finite – make your promises bounded, ideally going as far as setting out what you will not do; avoid using open-ended phrases like “including” and “such as”

Developing privacy notices and policies is the baseline. Organisations pursuing best practice should creatively explore how they can communicate their privacy stance in different settings and audio-visual formats, as well as consider how to make privacy an enduring part of their brand.

3) Provide proof of performance

An under-appreciated but important step to building trust is to provide proof of performance. Once the organisation has made a promise, trust is strengthened when individuals can see that it is living up to the promise.

An organisation can demonstrate its privacy bona fides by conducting privacy impact assessments (PIAs) on its internal initiatives and privacy health checks on its wider organisational practice. Privacy bona fides will be reinforced by committing to remediation and improvement steps.

For organisations pursuing best practice, we think proof of performance involves:

  • Committing to a regular program of privacy assurance for BAU projects and for the organisation as a whole

  • Engaging external, independent experts to conduct assurance, especially where the stakes are high

  • Publishing the results of, and responses to, assurance activities

To sum up: we believe an organisation can increase its trustworthiness by providing evidence that it is following through and doing what it says it will do.

Participating in Privacy Awareness Week 2022

IIS is once again proudly supporting PAW this year. If you have been considering taking steps to raise privacy awareness and/or strengthen your organisation’s privacy practices, participating in PAW is an excellent starting point. Please reach out if you would like further information or assistance with your PAW initiatives.

Top five picks for making privacy a priority (PAW 2021)

By Lisa Hooper and Chong Shao

The 2021 Privacy Awareness Week (PAW) is scheduled for 3-9 May. The OAIC’s PAW theme is Make Privacy a Priority. Its recent survey of Australian attitudes towards key privacy issues revealed that most Australians have a clear understanding of why they should protect their personal information (85% agree) but half say they don’t know how (49% agree).

This year, the OAIC has published its privacy tips for the home and the workplace. In this post, we have compiled our own top picks that align with the OAIC’s message for workplaces, along with our own commentary.

IIS top five picks

1. Making privacy a priority starts from the top

  • OAIC message: A strong leadership commitment to a culture of privacy is reflected in good privacy governance 

  • IIS view: Privacy needs to be front-of-mind for boards 

Good privacy governance enables innovative and trustworthy uses of personal information. This in turn promotes both performance (e.g., improving productivity, offering new digitally enabled products and services) and compliance (e.g., meeting local and global privacy requirements, reducing and responding to privacy risks).

IIS believes that privacy should be a key consideration for boards and they should provide clear direction for the executive team to implement a privacy management framework that sets out the organisation’s privacy governance.

It is important for organisations in this rapidly changing environment to adopt a forward-looking posture. Organisations should actively monitor the latest privacy developments – including in technology, law and policy – and consider how they may be impacted. Privacy performance and developments should also be reported back up to the board level. 

This is discussed extensively in the book The New Governance of Data and Privacy: Moving beyond compliance to performance, co-authored by Mike Trovato (Managing Director) and Malcolm Crompton AM (Lead Privacy Advisor) and published by the Australian Institute of Company Directors (AICD).

2. Reduce the risks of data breaches caused by human error and prepare a data breach response plan 

  • OAIC message:

    • Reduce the risks of a human error data breach by educating staff and putting controls in place

    • Ensure that your organisation is prepared and equipped for a data breach 

  • IIS view:

    • Educate, prepare, rehearse and assess

    • Your data breach response plan needs to be up to date and fit for purpose. This needs to include the role of third-party providers that would play a key role in the response.

Over the past year, data breaches have continued to increase around the world. Many cyber-attacks are occurring in the context of wider disruptions caused by COVID-19. As large portions of the professional workforce transitioned to working remotely, there was a significant reliance on the use of personal devices and home networks to conduct work tasks, thereby increasing the security vulnerability for organisations.

It is vital for staff to continue to be educated on proper data handling and receive privacy training for their respective roles. How an organisation handles a data breach can significantly impact their reputation; ensuring that staff are well equipped to report a breach is an important factor when implementing action plans for handling a breach. 

IIS believes that now more than ever, organisations must ensure that staff are adequately trained, controls are regularly assessed and that data breach response plans are up to date and fit for purpose. Like other safety drills, the plan should be rehearsed periodically so that the organisation can respond efficiently and effectively if/when the real thing happens. It is better to be proactive than reactive. Is your organisation data breach ready?

3. Build in privacy by design (PbD)

  • OAIC message: Adopt a PbD approach to minimise, manage or eliminate privacy risks 

  • IIS view: Embedding PbD from the very start helps organisations with both privacy compliance and performance

IIS has been a strong advocate for PbD. We believe that implementing PbD strategically helps organisations to achieve their objectives while maintaining a high level of privacy protection. This saves the time and costs of “bolting on” measures down the track. Furthermore, PbD helps organisations to focus on user-centric practices that are key to building trust with customers and reducing privacy risk over the long run.

PbD should be prioritised in contexts where the value of the data and the associated privacy risks are high, for example: linking and matching big datasets, mobile location analytics, biometrics, and customer loyalty programs.

4. Put secure systems in place

  • OAIC message: Having strong and secure systems in place helps to protect personal information from misuse, loss or unauthorised access or disclosure

  • IIS view: Ensuring secure systems and appropriate controls are in place is one of the top priorities for preventing privacy breaches.

Cyber security and privacy should not be “set and forget”. Rather, organisations must regularly monitor the operation and effectiveness of their ICT security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of personal information. This means cyber security is not just an IT issue, but a business and risk issue.

Having policy and procedure documents in place is necessary but not sufficient. Overall, organisations should focus on the basics: know your data assets, manage identity and least-privilege access, protect endpoints, train staff and prepare for incidents.

5. Undertake a PIA

  • OAIC message: A PIA is an essential tool for protecting privacy, identifying solutions and building trust 

  • IIS view: A PIA is an essential component of the organisation’s risk management process

A privacy impact assessment (PIA) is an assessment of new or changing technologies (e.g., adopting a new CRM system), products (e.g., introducing a location-based customer service) and/or operational processes (e.g., revising the data governance policy) that might have an impact on the privacy of individuals.

When the organisation proposes to introduce a new project that involves (or could involve) the handling of personal information, it could lead to both anticipated benefits as well as unanticipated consequences. Conducting a PIA prior to and during the project – as part of the project’s overall risk management processes – can ensure that privacy risks are considered and that the potential impacts are mitigated. 

In IIS’s experience, a PIA is more than a compliance check. Conducting a PIA can provide organisations with a wider view on privacy throughout the business, which in turn can help organisations improve their privacy practices beyond the single project under review.

Participating in PAW 2021

IIS will once again be proudly supporting PAW this year. We have previously partnered with our clients during PAW to deliver presentations and participate in live Q&A sessions. If you have been considering taking steps to raise privacy awareness and/or strengthen your organisation’s privacy practices, participating in PAW is an excellent starting point.

Sign up today with the OAIC or contact IIS to help you and your organisation make privacy a priority.

Privacy Awareness Week 2020: A message from IIS

By Mike Trovato and Eugenia Caralt

IIS is a proud supporter of 2020 Privacy Awareness Week (PAW), 4-10 May, an annual event to raise awareness of privacy issues and the importance of protecting personal information. 

Australian privacy regulators are leading the effort to increase privacy awareness in the midst of a unique and uncertain time as we face the COVID-19 pandemic. Because of the challenges presented by the pandemic, compliance and risk to personal information in government, industry, education, and non-profits are front of mind. 

Regulatory themes

This year the Office of the Australian Information Commissioner’s (OAIC) theme is “Reboot Your Privacy”. As Information and Privacy Commissioner Angelene Falk indicates, this year’s theme is in line with the current challenges that Australian entities are facing to adapt to the new demands of remote working and online interactions. To access the Commonwealth and state-based PAW information, events and resources, click on the links below: 

Office of Australian Information Commissioner – Reboot Your Privacy

Office of the Victorian Information Commissioner – Privacy – Protect Yours and Respect Others’ 

Office of the Information Commissioner Queensland – Be Smart About Privacy

Information and Privacy Commission New South Wales – Prevent, Detect, Protect

IIS and partner events

In addition to being a PAW partner, IIS is supporting efforts to raise privacy awareness through the following activities:

Privacy Masterclass – Data and Privacy with Malcolm Crompton and Lyria Bennett Moses as part of the Australian Computer Society’s NSW Privacy Summit

When: Wednesday, April 29, 4:00 PM AEST

Theme: Why is there so much debate about the trustworthiness of government uses of data? 

This session will explore the ways in which existing law and its implementation are not meeting the needs of citizens or the needs of government seeking to retain citizen trust. 

To pre-register for the free webinar click here (the link will be posted 2 hours before the event commences).

OneTrust webinar – Privacy in a Pandemic with the Privacy Commissioners from Australia and New Zealand and IDCare’s Managing Director 

When: Wednesday, May 6, 2:00 PM AEST

Theme: As the world rapidly changes to address the COVID-19 pandemic, what’s at stake for privacy? 

Panel discussion of issues and practical advice for maintaining privacy during the pandemic.

To pre-register for the free webinar click here.

IIS’ PAW 2020 message

The OAIC’s theme is Reboot your Privacy using Ctrl+Alt+Del. What does Ctrl+Alt+Del practically look like?

1) Ctrl – OAIC message: Check and update your privacy and security controls; IIS view: Undertake privacy and security health checks – Know where you stand and take action!

At IIS,  we are often asked by potential and current clients seeking to improve privacy practice: “Where should we start?” or “What should we do?” We find that this question is best answered by more questions! For example:

  • When did you last review your entity’s privacy and security practices?

  • Do your management and board of directors have a clear view of where the entity stands in terms of personal information as an asset? Are the current culture and practice appropriate to the entity’s strategy, risk appetite and privacy stance?

  • Are your management and board of directors aware of the risks and do you have their support (including financially) to address them? 

As you are all aware, the Privacy Act requires entities to take reasonable steps to protect their personal information, considering, among other things, the nature of the entity, the amount and sensitivity of the information it holds. If your entity’s privacy management and governance are insufficient taking into account the above, both your entity and your customers are at risk.

A ‘privacy and security health check’ will assist entities to assess the extent to which their current practices, procedures and systems are compliant with the law, vulnerable to privacy and security risks, and/or meet privacy and security best practice. It provides a point-in-time picture that helps entities decide where they want to be.

Entities that do not understand their position and have not taken appropriate actions could be deemed as deficient by regulators and will likely be subject to enforceable undertakings after the inevitable breach. 

2) Alt – OAIC message: Consider the alternative when giving or asking for personal information; IIS view: Implement Privacy by Design!

What can you do with less? How can you cut unnecessary collection of personal information, or even creatively achieve the same goal without any personal information? These practices are best implemented by embedding Privacy by design (PbD) from the very start. 

Applying PbD strategically helps entities internalise user-centric practices that are key to building trust with customers and reducing risk to the entity over the long run. Furthermore, it heads off the often costly and time-consuming process of ‘bolting on’ privacy fixes at the end of a project, or finding a project has to be shelved altogether due to privacy concerns.

PbD should be actively adopted in contexts where the value of the data and the associated privacy risks are high, for example: big data, especially involving information; mobile location analytics; biometrics, including facial recognition; and customer loyalty programs.

IIS believes that now more than ever entities cannot hit the PAUSE button on thinking and doing privacy. Rather, they should adapt to this current moment, such as by using short-form Privacy Impact Assessments, as Australian privacy regulators have recently indicated.

3) Delete – OAIC message: Delete any data from old devices and securely destroy or de-identify personal information if it’s no longer needed for a legal purpose; IIS view: develop data retention policies, enforce them and prove it!

Data is a liability because of the risk of a privacy or security breach and the resulting toxic effects. Security and privacy are related but distinct. An entity can have the world’s best security practices for its personal information but still should not have collected it in the first place or should not have used it for an unexpected purpose. To highlight this point, consider the tech giants like Google and Facebook. Presumably they have industry-leading security practices, but this has not stopped them from getting into privacy mishaps over the years. 

To minimise both privacy and security failures, entities should have a retention policy in place for all types of data, including personal information. They should be familiar with their legal requirements and transparent about their data handling practices. When data is no longer needed, they should act to ensure that the appropriate steps are carried out (such as deletion or deidentification) – this includes thinking about their supply chain and external service providers. 

More and more we are seeing the policy and best practice landscape shift towards favouring stronger assurance. Entities that are able to prove what they say (including data deletion) will be in a much stronger position with respect to building trust and credibility with individuals, clients and regulators.

Summing up: The importance of governance and directors’ key role in driving privacy and security

Privacy awareness should lead not only to better compliance but also contribute to valued business and strategic goals. Reflecting on this year’s OAIC theme, and given the growing importance of personal information as a mission-critical asset, IIS encourages entities seeking to turn awareness into better practice to start with a privacy and security health check.

As we look ahead to 2020 and beyond, the governance of personal information will be a growing area of interest for regulators (not just in privacy, but specific sectors as well). A board that is not asking relevant questions of management, or is unable to assure itself of how personal information is being handled and protected, is demonstrating a failure of governance that could compromise the entity’s mission and potentially open it up to external scrutiny and consequences.

It has been just over a year since the launch of “The New Governance of Data and Privacy: Moving beyond compliance to performance”, co-authored by Mike Trovato (Managing Director) and Malcolm Crompton AM (Lead Privacy Advisor) and published by the Australian Institute of Company Directors (AICD).
The book discusses why privacy governance is a top line strategic and compliance issue for boards and sets out a framework for boards to lead and direct privacy governance in their entity. The main themes of the book have also been adapted into the Data and privacy governance director tool jointly published by the AICD and the Australian Information Security Association (AISA), available here.