Privacy by Design - Beyond the buzz (Part 1)

In this multi-part series, IIS Partner Nicole Stephensen explores Privacy by Design (PbD) – what it is, what it isn’t, why it’s important, how to implement it, and how to avoid turning it into insubstantial buzz.


Part 1 - It’s called ‘PbD’… not ‘PbD lite’

Privacy recap

Here we are – moving at lightning speed through the so-called ‘Fourth Industrial Revolution’ – where we have ‘gone digital’, interact and transact online, engage with internet-enabled technologies and rely on government, industry, service providers, platforms and apps to securely manage and store our personal (and other) information. Privacy is widely relevant. It relates as much to our approach, as individuals, to the sharing of our personal information as it does to the treatment of that same information by the organisations we place our confidence in.

There is a highly normative value to privacy, and this digital age makes it difficult to define. When we provide training on privacy to our clients, the topic requires unpacking at the outset – considering everything from one’s ‘personal bubble’, to the crevices of physical and mental health, to the multitude of ways we communicate, to the information about ourselves we consider sacrosanct. What privacy means to the people in the room (and what they expect from organisations in terms of privacy protection) is slightly different for everyone, depending on their age and experiences, circumstances, access to (and comfort with) technology and other factors. This presents a challenging starting point for organisations.

Legislators have given us some guardrails here by setting out that privacy, as a duty owed to the community, is about (in the simplest of summaries) the collection, management and protection of personal information in accordance with the law – for example, the Australian Privacy Principles and other rules set out in the Privacy Act 1988, or whatever state, territory or other jurisdiction’s privacy law applies in the circumstance. Implicit in these guardrails, although a point often missed, is remaining aware of and responsive to community expectations.

Privacy by Design

Using guardrails effectively can be difficult if privacy isn’t part of the organisational mindset. Enter Privacy by Design (PbD). PbD is a best practice approach to personal information management developed by former Ontario Information and Privacy Commissioner Dr Ann Cavoukian in the 1990s. It ‘[advances] the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation’. The original seven (7) PbD principles, shown at Figure 1, are:

  • Proactive not Reactive; Preventative not Remedial

  • Privacy as the Default Setting

  • Privacy Embedded into Design

  • Full Functionality: Positive-Sum, not Zero-Sum

  • End-to-End Security: Full Lifecycle Protection

  • Visibility and Transparency: Keep it Open

  • Respect for User Privacy: Keep it User-Centric

PbD seeks to ensure that privacy is an organisation’s first thought, not an afterthought; that it is incorporated from the outset in proposed projects, initiatives or technologies as opposed to being retrofitted (if that’s even possible) at a later time. It extends to what Dr Cavoukian referred to as a ‘trilogy of encompassing applications’, impacting privacy design (or engineering) from a project perspective and privacy culture from an organisational perspective.

Importantly, PbD requires commitment to all of the principles, as opposed to cherry-picking those that appear to serve the organisation (remembering that PbD isn’t about the organisation; it is, foremost, about the people entrusting the organisation with their personal information). For Australian organisations, a PbD ethos and attention to PbD principles in project design and decision-making offers a compliance edge in respect of meeting their APP 1.2 obligations.

Our colleague R Jason Cronk wrote the IAPP textbook Strategic Privacy by Design in an effort to address a challenge governments, organisations, project teams and developers face when seeking to take a PbD approach – that is, the PbD principles lack specificity (they tell us what, when we’d really like to know how). While perhaps unintentional as a take-away, the most striking aspect of Cronk’s book is the patient attention to all of the PbD principles while presenting his approach to designing for privacy, as opposed to simply highlighting those most useful or expedient.

PbD is not easy, and there is no one way to do it best, but taking all the principles together is the intent of the exercise. In Dr Cavoukian’s introduction to PbD, she states that ‘[t]he objectives of Privacy by Design… may be met by practicing the following 7 Foundational Principles [emphasis added]’. Playing on the oft-used cooking analogy (that PbD ‘bakes privacy in’), it’s unlikely that a complex layer cake will materialise without using all the key ingredients.

The trouble with ‘PbD lite’

A selective approach to PbD – ‘PbD lite’ – is becoming increasingly mainstream. We have recently seen acknowledgement, on the basis of ‘shopfront’ reviews of organisations and their services, that meeting the benchmark set by one PbD principle is award-worthy. It is vital to recognise and champion hard work happening in the privacy space, and it is useful to analyse where organisations are achieving greatest successes in respect of PbD; however, meeting the requirements of one principle does not necessarily signal the big-picture, holistic, inclusive, privacy mindset-meets-action concept of PbD.

Rather, it can create an impression for the community and competitors that an organisation has got privacy ‘in the bag’ and can be trusted over others. The Australian Broadcasting Corporation (ABC), for example, recently received an award for ‘visibility and transparency’… however, a well-executed privacy policy (assuming that’s the award-winning part) cannot, in isolation, suggest that PbD is what the ABC does well (and certainly not in the wake of the ABC iView privacy debacle).

We have also seen PbD used to promote surveillance solutions for schools, where targeted website links and brochure-style comms focus on how privacy has been ‘designed in’ to the solution. While principles of end-to-end security and transparency may be touted by these vendors (e.g., ‘secure monitoring and communication with schools’ and ‘our PbD link tells you more’), this is not PbD at work nor is it PbD as a market differentiator. It’s a seamy consequence of ‘PbD lite’ – using privacy to sell platforms or services that, by their nature and design, violate privacy through covert monitoring of student activities in online environments.

A recent Human Rights Watch investigation highlighted that many EdTech platforms and services (those with and without an obvious or upfront surveillance component) have no compunctions about sharing personal information of children with their AdTech partners – making privacy, whether or not there is any hint of it ‘by design’, illusory indeed.

From ‘lite’ to right

Where ‘PbD lite’ may represent undercooked privacy practice at best and a drippy glaze for questionable privacy practice at worst – PbD of the intended variety offers something more solid. It speaks to the organisational ethos that comes with being privacy-minded and to the work (especially the constant attention and uplift) that comes with ensuring information practice is consistent with community expectations.

PbD requires diligence, patience and an enduring belief that privacy matters. Even if there are shortcomings or there is ‘work to do’ (and there almost always will be), organisations that subscribe to PbD have all the ingredients for success on hand to help elevate privacy from their to-do (compliance) list to being ‘just what we do here’.

>> Part 2, Bootstrapping PbD when the C-suite doesn’t care, will explore strategies for bringing PbD into your organisation (aka: winning hearts and minds).

If you want to be trusted, you have to be trustworthy (PAW 2022)

By Sarah Bakar, Sarah Brichet and Chong Shao

2022 Privacy Awareness Week (PAW) is scheduled for 2-8 May. The OAIC’s PAW theme is Privacy: The Foundation of Trust. Its most recent survey of Australian attitudes towards key privacy issues revealed that Australians want more protection – 70% see the protection of personal information as a major concern.

This year’s PAW theme emphasises the importance of protecting privacy and building trust by putting in place the key foundations. The OAIC has published its set of privacy tips for individuals, businesses and government agencies.

IIS and building trust

At IIS, building trust has been a hallmark of our work. We consistently advocate that if an organisation wants to be trusted, it has to be trustworthy.

Trust was crucial in the advice we provided on the COVID Safe Check-In solutions for certain states, where it was important to establish and communicate the right privacy stance about the collection, use and storage of contact information, as well as location and potentially health information. We emphasised that failure to do so would result in the community not trusting the service and jeopardise the uptake of the solution.

Trust was also essential in our work with the Australian Bureau of Statistics (ABS). We helped develop the privacy strategy for its 2021 Census and encouraged ABS to demonstrate its trustworthiness by showing that their privacy undertakings were actually being delivered.

In this post, we provide our take on some key privacy foundations that organisations can implement to be trustworthy, and therefore to be trusted by the Australian community. 

1) Be honest - do not mislead

An early step for any organisation is to make a good promise about how it will handle the personal information it collects. This is usually presented in an organisation’s public-facing privacy documents, such as privacy policies, notices and consent forms.

The key is to not mislead consumers. Some questions for consideration:

  • If I cannot be honest about how I handle personal information or I need to obscure the truth then should I pursue this project/solution/process?

  • What does the community expect of us and do our promises meet these expectations?   

Being honest about how personal information is handled and communicating this in the right way helps to make an organisation trustworthy. 

2) Be clear, explicit and finite

The promises an organisation makes should be set out in its public-facing privacy communications and be clear, explicit and finite. As personal information is collected, used and disclosed in ever-greater ways, there is also a greater responsibility for organisations to get their privacy communication right.

Privacy legislation across Australia requires organisations to provide (i) collection notices at or before the time personal information is collected (ideally contextual and just-in-time), and (ii) a privacy policy that more comprehensively explains how the organisation handles personal information.

We believe privacy documents that are best at promoting trustworthiness will be clear, explicit and finite:

  • Clear – use simple, plain English to communicate to readers and active voice not passive voice if at all possible; avoid complex language and lengthy blocks of text 

  • Explicit – tell people exactly what you will do and how you will do it; avoid vague and general statements

  • Finite – make your promises bounded, ideally going as far as setting out what you will not do; avoid using open-ended phrases like “including” and “such as”

Developing privacy notices and policies is the baseline. For organisations pursuing best practice, they should creatively explore how they can communicate their privacy stance in different settings and audio-visual formats, as well as consider how to make privacy an enduring part of their brand.

3) Provide proof of performance

An under-appreciated but important step to building trust is to provide proof of performance. Once the organisation has made a promise, trust is strengthened when individuals can see that it is living up to the promise.

An organisation can demonstrate its privacy bona fides by conducting privacy impact assessments (PIAs) on its internal initiatives and privacy health checks on its wider organisational practice. Privacy bona fides will be reinforced by committing to remediation and improvement steps.

For organisations pursuing best practice, we think proof of performance involves:

  • Committing to a regular program of privacy assurance for BAU projects and for the organisation as a whole

  • Engaging external, independent experts to conduct assurance, especially where the stakes are high

  • Publishing the results of, and responses to, assurance activities

To sum up: we believe an organisation can increase its trustworthiness by providing evidence that it is following through and doing what it says it will do.

Participating in Privacy Awareness Week 2022

IIS is once again proudly supporting PAW this year. If you have been considering taking steps to raise privacy awareness and/or strengthen your organisation’s privacy practices, participating in PAW is an excellent starting point. Please reach out if you would like further information or assistance with your PAW initiatives.

Safer Internet Day 2022

By David Zhu, Sarah Bakar, Sarah Brichet and Eugenia Caralt

IIS is proudly supporting the eSafety Commissioner to mark Safer Internet Day on 8 February 2022, an annual event to promote cyber safety and a healthier online environment. 

Australian regulators are leading the effort to improve online safety protections during a unique and uncertain time, as remote learning and working have become commonplace. eSafety Commissioner Julie Inman Grant revealed that since the start of the COVID-19 pandemic, serious cyberbullying towards children was up by 30%, while adults experienced a nearly 40% rise in online harassment. Because of these circumstances, online safety risks are front of mind.

Regulatory theme

This year, Safer Internet Day’s theme is “Play it Fair Online”, which comes as the Federal Government is seeking to reform online abuse laws after introducing the Social Media (Anti-Trolling) Bill late last year. To access useful eSafety resources, see the following:

  • Workplace Safety Guidance

  • eSafety Toolkit for Schools

  • Safety by Design

IIS’s Safer Internet Day 2022 message: G.U.A.R.D. against online abuse 

As we look ahead to 2022 and beyond, IIS’s view is that strong privacy and security practices are paramount for organisations to prevent and respond to online abuse. It is also important for parents and educators to be aware of privacy controls and security settings in order to protect children on digital platforms, which often contain inappropriate or malicious content. 

This year, eSafety has published a set of privacy tips for educators, workplaces and the broader community. In this post, we have compiled these tips, along with our own commentary to help you G.U.A.R.D. against online abuse.

IIS’s top five tips for online safety

1) G is for: Get control of your location settings

Location settings are embedded into all types of technology and are important for geo-tracking services such as map apps. However, allowing the unrestricted use of these settings can allow others to track you with malicious intent. 

eSafety recommends that users safeguard their privacy by turning off location tracking features when they are not needed and by manually choosing when, and with whom, to share their location.

You can get more information on location settings here.  

2) U is for: Use conversation controls

Conversation controls can help manage who sees and interacts with you online. 

eSafety advises users to mute, block or unfollow cyber abusers, in order to minimise the harm caused. 

IIS also recommends the following Do’s and Don’ts to be fair and kind online:

  • Do treat others with the same respect that you would want others to treat you with.

  • Do consider others and be tolerant of different views and opinions.

  • Do speak up against online abuse when it is safe to do so.

  • Don’t share secrets or sensitive information.

  • Don’t send insulting, mean or derogatory messages.

  • Don’t “diss” others or spread false rumours.

Check out The eSafety Guide for information on conversation controls for popular platforms such as Facebook, Instagram, TikTok and most popular online games.

3) A is for: Always update your security and privacy settings 

Cybercriminals, stalkers and other malicious actors can exploit weaknesses in poorly secured online accounts to access, steal and leak your personal information.

To protect against this, eSafety recommends using a unique, strong password for each online account, signing out of platforms when you’re not using them and turning on multi-factor authentication. Security questions can add an extra layer of protection, but only if the answers are not discoverable: treat them like secondary passwords and choose answers that cannot be found on your social media profiles or in public records.

IIS further recommends updating and backing up your devices regularly, to minimise security vulnerabilities and keep your information secure. 

For guides on how to enhance your security and privacy settings, eSafety has a set of how-to-videos.

4) R is for: Raise your voice about online abuse

It’s important to report online abuse to the relevant online platforms and, depending on the level of harm, escalate it to the police and other authorities. This will help keep websites and social media platforms respectful and safe for users. 

For advice and support or to report online abuse, go to eSafety.gov.au.

5) D is for: Don’t forget to collect evidence

Collecting evidence of online abuse can help authorities track down offenders and ensure that your rights are protected. 

The eSafety Commissioner recommends that victims of online abuse take a screenshot of each incident and save its URL; noting the date, time and the account or profile responsible will also help when reporting it. However, evidence should only be collected when you feel it is absolutely safe to do so.

eSafety’s step-by-step guidance on collecting evidence can be accessed here.

Participating in Safer Internet Day 2022 

If you have been considering taking steps to raise online safety awareness and/or strengthen your organisation’s privacy practices, participating in Safer Internet Day 2022 is an excellent starting point.

Sign up here to support Safer Internet Day or contact IIS to help you and your organisation make online safety a priority. 

Security Legislation Amendment (Critical Infrastructure) Act 2021

By Mike Trovato

Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) - An Act to amend legislation relating to critical infrastructure, and for other purposes

As of December 2021, SLACI is now law. It was the first of two additions to the Security of Critical Infrastructure Act 2018 (SOCI Act), which initially covered only four industry sectors. SLACI expanded the law to apply to 11 industry sectors and added incident notification requirements which do not align with, but are generally complementary to, the Notifiable Data Breaches (NDB) Scheme.

The second bill will start the consultation process shortly and contains additional requirements which could require significant effort for a regulated entity to comply with. Most of the obligations for the first bill still need to be ‘switched-on’ by the Minister for Home Affairs, with assets already proposed by the Cyber and Infrastructure Security Centre (CISC).

The first bill (SLACI):

  • Extends the definition of critical infrastructure from 4 to 11 sectors and extends the existing reporting requirements to those sectors.

  • Mandates timely cyber incident reporting for specified critical infrastructure.

  • Legislates government assistance measures (i.e., information gathering directions, action directions and intervention requests), providing powers to respond to security incidents that seriously prejudice Australia’s prosperity, national security or defence.

The second bill will arguably have a bigger impact to regulated entities and looks to:

  • Introduce additional Positive Security Obligations and a Risk Management Program, which will be applied to entities responsible for critical infrastructure.

  • Introduce Enhanced Cyber Security Obligations, including vulnerability reporting and cyber incident response planning and exercises, for entities responsible for assets most critical to the nation (known as systems of national significance).

Owners and operators of assets captured by the critical infrastructure asset definitions are required to report cyber security incidents to the Australian Cyber Security Centre (ACSC) within:

  • 12 hours of becoming aware of a critical cyber security incident, being one having a significant impact on the availability of the asset (an oral report must be followed by a written report within 84 hours); or

  • 72 hours of becoming aware of any other cyber security incident having a relevant impact on the availability, integrity, reliability or confidentiality of the asset (an oral report must be followed by a written record within 48 hours).

These changes are likely to support better privacy through enhanced data protection and urgent notification, increasing the spotlight on incident assessment for both critical infrastructure and NDB purposes.

News and notables – November 2021

By Mike Trovato and Chong Shao

In our third newsletter in 2021, we pointed to two recent privacy and security stories of note:

  • The Critical Infrastructure Bill

  • IIS makes submission on DTA Digital Identity Legislation

The Critical Infrastructure Amendment Bill 2020 

The rapidity with which cyber threats are evolving and the stress on the systems created by the COVID-19 crisis have been driving further government response. Following Australia’s Cyber Security Strategy 2020, the Department of Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Draft Bill) into Parliament.

The Draft Bill seeks to amend the Security of Critical Infrastructure Act 2018, which currently applies to operators of assets in only four critical infrastructure sectors: electricity, gas, water and ports. It proposes to extend the Act to 11 sectors, including communications, financial services, data storage and processing, defence industry, higher education and research, energy, food and grocery, and transport.

The proposed amendments introduce wider powers for the Federal Government, with the ability to intervene and direct organisations to provide information or do specified acts when responding to cyber security incidents. It also puts forward new obligations: a ‘positive security obligation’ for critical infrastructure, including mandatory cyber incident reporting and a risk management program, and enhanced cyber security obligations for systems deemed to be of ‘national significance’.

The Draft Bill creates opportunities but also challenges for the sectors concerned, as it increases the complexity of the regulatory landscape applying to information security and creates an additional reporting burden. It has also raised concerns across the cyber security industry in relation to excessive Government powers.

IIS is supportive of the government’s efforts to improve cyber security resilience and hopes that the numerous submissions offered in November 2020 will be used to improve the legislation so that entities take a primary role in improving their resilience to attacks.

IIS makes submission on Exposure Draft of the DTA’s Trusted Digital Identity Bill

IIS participated in the Digital Transformation Agency’s call for submissions on the DTA Trusted Digital Identity Legislation. The Legislation is intended to expand the Australian Government’s Digital Identity system into a whole-of-economy Digital Identity solution by establishing robust governance, strengthening data and consumer protections, and enabling entities in other digital identity systems to apply for Trusted Digital Identity Framework (TDIF) accreditation.

IIS Lead Privacy Advisor Malcolm Crompton and IIS Managing Director Michael Trovato submitted an extensive paper during the consultation process, with an emphasis on respecting and protecting individuals’ interests. IIS subsequently consulted with the DTA and provided a submission on the Exposure Draft of the Bill.

Key to IIS’ position on the design of the Legislation is recognising that digital identities obtained and verified through TDIF are likely to dominate every aspect of individuals’ lives as digital continues to increase its dominance of how lives, business and government are conducted. Indeed, the policy intent is that TDIF facilitates this evolution.

Overall, IIS identified that more emphasis needs to be placed on the system being respectful of Users as individual people not just economic units and be symmetric in its treatment of the parties. 

We raised the following key points:

  • Ensuring that Users / advocates will have continuing and genuine influence as the system evolves.

  • Effective governance, compliance, enforcement, and remediation/redress for the individual User.

  • Protection from (or genuine oversight of) surveillance by law enforcement and national security agencies.

  • Ensuring that alternatives to using the TDIF system continue to be available for years to come, if not forever. There must be genuine alternatives to the use of digital identities (i.e., practical, available, not cumbersome or coerced); otherwise, any ‘consent’ is rendered meaningless and arguably invalid under law.  

You can read the full submission here.

Privacy and vaccine passports: Considering the IATA Travel Pass

By Sarah Bakar, Lisa Hooper and Chong Shao

As governments roll out vaccinations and the COVID-19 pandemic begins to ease in certain parts of the world, tentative plans to reopen international travel have begun. Central to these plans is the ongoing discussion of having a kind of digital document to prove that individuals are vaccinated – that is, a ‘vaccine passport.’

There are many different versions that have been or are being developed by various organisations such as governments, airlines and industry groups, non-profits and technology companies. Vaccine passports are not only being developed to facilitate international travel. They have also been proposed to be used for domestic purposes, such as entry into restaurants and events. 

In the realm of international travel, several passes have been introduced: CommonPass, AOKPass and the IATA Travel Pass. To date, the IATA Travel Pass has received the most uptake from airlines, including Singapore Airlines, Qatar Airways and Emirates, to name a few.

The Travel Pass was developed by the International Air Transport Association (IATA). It is a mobile app that allows travellers to store and manage their verified certifications for Covid-19 tests and vaccines.

Nick Careen, Senior Vice President, Airport, Passenger, Cargo and Security at IATA, said: ‘It’s about trying to digitize a process that happens now and make it into something that allows for more harmony and ease, making it easier for people to travel between countries without having to pull out different papers for different countries and different documents at different checkpoints.’

How the Travel Pass app will work

Travel Pass will ask users to create a profile, enter their flight details, and direct the users about their requirements for travel such as suggesting verified testing facilities. Travel Pass will integrate with testing facilities so that the results can be sent directly to the app. Moreover, when governments start to issue digital vaccine certificates, the individual can opt to upload this certificate onto the app as well. Once the appropriate data has been uploaded, the user will receive a confirmation or ‘okay to travel’ notification which is relied upon by airlines.

In the app’s current state, a physical passport will still be used to confirm a person’s identity in conjunction with the app; COVID-19 results and vaccination status will not be ‘linked’ to a person’s physical passport. IATA’s plan is that Travel Pass will eventually be able to store an individual’s passport details on the app and thus be able to link COVID-19 results and vaccination status in one place. 

Travel Pass and privacy

While Travel Pass is still in the early stages of being released to the wider public, we note that its cautious approach to data handling is in line with public sentiment. For example, the Australian Community Attitudes to Privacy Survey 2020 found that 9 in 10 Australians want more control over their data.

From what has been published by IATA, Travel Pass appears to be mostly sound from a privacy and security perspective. Based on the current Travel Pass privacy policy, we note the following privacy positives:

  • Use of Travel Pass is voluntary 

  • IATA conducted a Data Protection Impact Assessment (DPIA) of the Travel Pass (although we note that this has not been published) 

  • IATA built Travel Pass from the beginning with privacy by design principles 

  • The app gives control to the user in terms of what information is entered (such as using the digital passport facility and/or uploading their vaccination certificates) and who it is shared with (no information is shared with an airline or government without their authorisation)

  • All Travel Pass data is stored locally on the device – this includes verified COVID-19 test results and vaccination certificates (however, the IATA server will temporarily process data in order to facilitate an action such as receiving test results from a testing facility or sharing data with a partner)

  • Deletion of the app means the deletion of all data 

  • If an individual chooses to share data with a partner, the data is encrypted and sent directly to them from the mobile device. 

There are some remaining issues where more clarity and transparency would be welcome, for example:

  • What is the procedure involved in an airline verifying an individual’s ‘Okay to travel’ status? Do airline staff sight the status or are individuals required to share their test results/vaccination status? 

  • What will be the mechanism for oversight and assurance that what is described in the privacy policy is the reality? 

  • How can users be assured that IATA will immediately delete processed data from its servers? What happens in the case of technical issues? Is the data retrievable? 

As more airlines adopt Travel Pass, we hope and expect more information to be made available on how Travel Pass handles user data and on the benefits of such a tool.

Top five picks for making privacy a priority (PAW 2021)

By Lisa Hooper and Chong Shao

The 2021 Privacy Awareness Week (PAW) is scheduled for 3-9 May. The OAIC’s PAW theme is Make Privacy a Priority. Its recent survey of Australian attitudes towards key privacy issues revealed that most Australians have a clear understanding of why they should protect their personal information (85% agree) but half say they don’t know how (49% agree).

This year, the OAIC has published their privacy tips for the home and the workplace. In this post, we have compiled our own top picks that align with OAIC’s message for workplaces, along with our own commentary.

IIS top five picks

1. Making privacy a priority starts from the top

  • OAIC message: A strong leadership commitment to a culture of privacy is reflected in good privacy governance 

  • IIS view: Privacy needs to be front-of-mind for boards 

Good privacy governance enables innovative and trustworthy uses of personal information. This in turn promotes both performance (e.g., improve productivity, offer new digitally enabled products and services) as well as compliance (e.g., meet local and global privacy requirements, reduce and respond to privacy risks).

IIS believes that privacy should be a key consideration for boards and they should provide clear direction for the executive team to implement a privacy management framework that sets out the organisation’s privacy governance.

It is important for organisations in this rapidly changing environment to adopt a forward-looking posture. Organisations should actively monitor the latest privacy developments – including in technology, law and policy – and consider how they may be impacted. Privacy performance and developments should also be reported back up to the board level. 

This is discussed extensively in the book The New Governance of Data and Privacy: Moving beyond compliance to performance, co-authored by Mike Trovato (Managing Director) and Malcolm Crompton AM (Lead Privacy Advisor) and published by the Australian Institute of Company Directors (AICD).

2. Reduce the risks of data breaches caused by human error and prepare a data breach response plan 

  • OAIC message:

    • Reduce the risks of a human error data breach by educating staff and putting controls in place

    • Ensure that your organisation is prepared and equipped for a data breach 

  • IIS view:

    • Educate, prepare, rehearse and assess

    • Your data breach response plan needs to be up to date and fit for purpose. This needs to include the role of third-party providers that would play a key role in the response.

Over the past year, data breaches have continued to increase around the world. Many cyber-attacks are occurring in the context of the wider disruption caused by COVID-19. As large portions of the professional workforce transitioned to working remotely, there was a significant reliance on personal devices and home networks to conduct work tasks, thereby increasing organisations’ exposure to security vulnerabilities.

It is vital for staff to continue to be educated on proper data handling and to receive privacy training for their respective roles. How an organisation handles a data breach can significantly impact its reputation; ensuring that staff are well equipped to report a breach is an important factor when implementing action plans for handling one.

IIS believes that now more than ever, organisations must ensure that staff are adequately trained, controls are regularly assessed and that data breach response plans are up to date and fit for purpose. Like other safety drills, the plan should be rehearsed periodically so that the organisation can respond efficiently and effectively if/when the real thing happens. It is better to be proactive than reactive. Is your organisation data breach ready?

3. Build in privacy by design (PbD)

  • OAIC message: Adopt a PbD approach to minimise, manage or eliminate privacy risks 

  • IIS view: Embedding PbD from the very start helps organisations with both privacy compliance and performance

IIS has been a strong advocate for PbD. We believe that implementing PbD strategically helps organisations to achieve their objectives while maintaining a high level of privacy protection. This saves the time and cost of “bolting on” measures down the track. Furthermore, PbD helps organisations to focus on user-centric practices that are key to building trust with customers and reducing privacy risk over the long run.

PbD should be prioritised in contexts where the value of the data and the associated privacy risks are high, for example: linking and matching big datasets, mobile location analytics, biometrics, and customer loyalty programs.

4. Put secure systems in place

  • OAIC message: Having strong and secure systems in place helps to protect personal information from misuse, loss or unauthorised access or disclosure

  • IIS view: Ensuring secure systems and appropriate controls are in place is one of the top priorities for preventing privacy breaches.

Cyber security and privacy should not be “set and forget”. Rather, organisations must regularly monitor the operation and effectiveness of their ICT security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of personal information. This means cyber security is not just an IT issue, but a business and risk issue.

Having policy and procedure documents in place is necessary but not sufficient. Overall, organisations should focus on the basics: know your data assets, manage identities and least-privilege access, protect endpoints, train staff and prepare for incidents.

5. Undertake a PIA

  • OAIC message: A PIA is an essential tool for protecting privacy, identifying solutions and building trust 

  • IIS view: A PIA is an essential component of the organisation’s risk management process 

A privacy impact assessment (PIA) is an assessment of new or changing technologies (e.g., adopting a new CRM system), products (e.g., introducing a location-based customer service) and/or operational processes (e.g., revising the data governance policy) that might have an impact on the privacy of individuals.

When the organisation proposes to introduce a new project that involves (or could involve) the handling of personal information, it could lead to both anticipated benefits as well as unanticipated consequences. Conducting a PIA prior to and during the project – as part of the project’s overall risk management processes – can ensure that privacy risks are considered and that the potential impacts are mitigated. 

In IIS’s experience, a PIA is more than a compliance check. Conducting a PIA can provide organisations with a wider view on privacy throughout the business, which in turn can help organisations improve their privacy practices beyond the single project under review.

Participating in PAW 2021

IIS will once again be proudly supporting PAW this year. We have previously partnered with our clients during PAW to deliver presentations and participate in live Q&A sessions. If you have been considering taking steps to raise privacy awareness and/or strengthen your organisation’s privacy practices, participating in PAW is an excellent starting point.

Sign up today with the OAIC or contact IIS to help you and your organisation make privacy a priority.

Contact tracing data and function creep: A case study in Singapore

By Sarah Bakar, Lisa Hooper and Chong Shao

In March 2020, upon the World Health Organisation’s declaration of the COVID-19 pandemic, Singapore became one of the very first countries to launch a contact tracing app to manage the spread of COVID-19. By October 2020, it became mandatory for citizens to either download the app onto their smartphone or carry an electronic token.

Timeline of events

  • March 2020

    Launch of TraceTogether – the digital system for contact tracing

  • April 2020

    Launch of SafeEntry – national digital check-in system 

  • October 2020

    Launch of BluePass – a specifically-designed contact tracing device for migrant workers

  • January 2021

    The country’s widely-used COVID-19 contact tracing application TraceTogether made international headlines after Minister of State Desmond Tan revealed during a parliamentary session that data collected through the TraceTogether app fell under the purview of the country’s Criminal Procedure Code and as such the data can be used for criminal inquiries. The Minister’s comment means that police can use data from the TraceTogether, SafeEntry and BluePass systems in criminal investigations unrelated to COVID-19 contact tracing efforts. Soon after this statement, it was revealed by another minister that such data had in fact already been used in a murder investigation.

    These revelations caused a public backlash.

  • February 2021

    In its attempt to rectify the situation, the government passed a law to restrict the use of the data: the COVID-19 (Temporary Measures) (Amendment) Bill. 

COVID-19 (Temporary Measures) (Amendment) Bill

The law allows for the personal data collected by a digital contact tracing system to be used for investigation into “serious offences”. Digital contact tracing systems include the three main ones noted above. 

The bill defines serious offences to include unlawful use or possession of explosives, firearms or dangerous weapons; any offence relating to terrorism; any offence relating to causing death or concealment of death; a drug offence that is punishable by death; kidnapping, abduction or hostage-taking; and any offence involving serious sexual assault such as rape.

As of January 2021, it is estimated that 4.2 million people, or 78% of residents, have downloaded the app. This is a significant number, illustrating how eager the public was to cooperate with the government in tackling COVID-19 but, more importantly, just how vast the amount of data available is. However, the revelation that contact tracing data had already been used by enforcement authorities caused a public outcry, with people calling out the government and some even deleting the app altogether. It is important to call out that this revelation came 10 months after the launch of the app, and after users were continuously assured that the data would only be used for contact tracing.

Function creep and its consequences

The pandemic triggered an emergency situation throughout the globe, creating urgency for governments to manage and respond effectively. As such, contact tracing apps emerged quickly, including in Singapore. However, the data generated by such apps has become a tempting honeypot for law enforcement.

On the one hand, the enactment of the Bill shows that the Singaporean government is explicitly limiting the (secondary) use of contact tracing data. On the other hand, as it comes 10 months after the launch of TraceTogether, the Bill can also be viewed as a way for the government to attempt to regain the public’s trust and fix its reputation after it was obvious that the public felt betrayed and cheated.

This is yet another lesson in how mishandling of data will no longer go unchecked by the public, even for a population that, as in Singapore’s case, tends to be deferential to its government.

Privacy should not be undermined for the sake of other worthy but unrelated goals. There are consequences not only for the individuals involved, but also the broader public health goals of the government. Given that the effectiveness of contact tracing apps depends on the number of people who use them, public trust and confidence that their privacy will be respected is a key ingredient to controlling the pandemic.

Needless to say, this function creep will not be the only one of its kind as valuable data continues to be collected for contact tracing across the world. In light of this, we strongly advocate for the inclusion of Privacy by Design in the development of such apps, to ensure that privacy is not left as an afterthought.

This can include explicit purpose limitations on the use of data, as well as built-in data retention limits to prevent a honeypot situation. New South Wales’ COVID Safe Check-In tool is a good example of this – individuals’ details can only be used for contact tracing purposes, and if no such action is taken, their details are permanently deleted by Service NSW after 28 days.
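As an added illustration (not Service NSW’s or IIS’s code), the following Python model shows the two PbD controls described above working together: the check-in store answers only queries whose stated purpose is contact tracing, and a scheduled purge deletes records that were never drawn into a tracing action once they are older than 28 days. The store class, its method names and the sample check-ins are constructed assumptions; that records used in a tracing action are kept past the 28 days is also an assumption made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period and sole permitted purpose, as described for the NSW check-in tool.
RETENTION = timedelta(days=28)
CONTACT_TRACING = "contact_tracing"


@dataclass
class CheckIn:
    venue: str
    contact: str                    # constructed sample contact detail, not real data
    checked_in_at: datetime
    used_for_tracing: bool = False  # assumption: records pulled into a tracing action are kept


class CheckInStore:
    # Hypothetical store that enforces purpose limitation and a retention limit.
    def __init__(self):
        self._records: list[CheckIn] = []

    def record(self, venue: str, contact: str, when: datetime) -> None:
        self._records.append(CheckIn(venue, contact, when))

    def query(self, venue: str, purpose: str) -> list[CheckIn]:
        # Purpose limitation: any purpose other than contact tracing is refused by the
        # data layer itself, so secondary uses cannot be served even by a privileged caller.
        if purpose != CONTACT_TRACING:
            raise PermissionError(f"purpose {purpose!r} not permitted for check-in data")
        hits = [r for r in self._records if r.venue == venue]
        for r in hits:
            r.used_for_tracing = True
        return hits

    def purge(self, now: datetime) -> int:
        # Retention limit: delete anything older than RETENTION that was never used in a
        # tracing action, so the store cannot accumulate into a honeypot. Returns count removed.
        cutoff = now - RETENTION
        keep = [r for r in self._records if r.used_for_tracing or r.checked_in_at > cutoff]
        removed = len(self._records) - len(keep)
        self._records = keep
        return removed

    def count(self) -> int:
        return len(self._records)


def demo() -> tuple[int, int, bool]:
    # Constructed scenario: three check-ins, one venue traced, a refused secondary-use
    # query, then a purge run at day 30. Returns (records purged, records left, refused).
    t0 = datetime(2021, 1, 1, tzinfo=timezone.utc)
    store = CheckInStore()
    store.record("cafe-a", "0400 000 001", t0)                       # day 0, never traced -> purged
    store.record("cafe-b", "0400 000 002", t0 + timedelta(days=1))   # day 1, traced -> kept
    store.record("cafe-a", "0400 000 003", t0 + timedelta(days=20))  # day 20, inside 28 days -> kept
    store.query("cafe-b", CONTACT_TRACING)
    refused = False
    try:
        store.query("cafe-a", "criminal_investigation")
    except PermissionError:
        refused = True
    removed = store.purge(t0 + timedelta(days=30))
    return removed, store.count(), refused
```

Running `demo()` yields `(1, 2, True)`: one stale untraced record purged, two retained, and the non-tracing query refused.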

IIS Newsletter #6 2020 - Year in Review and Seasons Greetings

2020, the year that was…

As 2020 draws to a close, we are taking this moment to step back and reflect on the year. IIS has made a few logistical changes in 2020. This year we moved our Sydney office from Chippendale to The Vines co-working space in Waterloo. We expanded and diversified our team across Brisbane, Hong Kong, Malaysia, Melbourne and Perth. We also fully embraced working from home (WFH) and flexible working, which have always been part of our culture.

In April this year when lockdowns began, we published a guide on how we do WFH including a page on privacy and security. As WFH is becoming a standard in how we work, we recommend a review of the aforementioned guide.

Our shared achievements

Despite the challenges of COVID-19, 2020 has been a busy time for our clients.

Notably, we completed a Privacy Impact Assessment for the Australian Bureau of Statistics (ABS) about the use of integrated administrative data in the next Census, which the ABS has published. We were asked to identify privacy issues and risks associated with the Census admin data project – including matters of compliance with law and policy, as well as broader considerations such as stakeholder expectations and social licence.

The Office of the National Data Commissioner (ONDC) and Department of the Prime Minister & Cabinet (PM&C) engaged us to conduct a PIA on a draft of the landmark Data Availability and Transparency Bill (DATB), formerly known as the ‘Data Sharing and Release Bill’. The 13 recommendations and PM&C’s responses are published in our PIA here.

IIS proudly supported Commonwealth, NSW, and Victorian Privacy Awareness Weeks in 2020. The OAIC’s theme was Reboot Your Privacy, focusing on the current challenges that Australian entities are facing to adapt to the new demands of remote working and online interactions. Among IIS activities, Lead Privacy Advisor, Malcolm Crompton spoke at the Australian Computer Society’s NSW Privacy Summit seminar, available here. The seminar asked: Why is there so much debate about the trustworthiness of government uses of data? This session explored the ways in which existing law and its implementation are not meeting the needs of citizens or the needs of government seeking to retain citizen trust.

IIS also authored National Security or Privacy? in CyberAustralia magazine, as part of the Risk & Cyber Week virtual conference by the Risk Management Institute of Australasia (RMIA) and the Australia Information Security Association (AISA). The article puts forth the “4A framework,” as a way to examine how we can have stronger protections for stronger national security powers.

Looking ahead

The past 12 months have been met with brand new challenges and the importance of data protection has never been greater in this time of change and uncertainty.

In particular, we have provided increased support in terms of agile Privacy by Design work, privacy compliance and performance audits, and data breach response. We envisage this will continue as organisations expand their digital efforts in a landscape of hybrid work environments, higher customer expectations and changing legal regimes (Privacy Act review, new data sharing regime, Consumer Data Right, to name a few!).

The growing shift in attitude towards privacy and security was highlighted in a recent OAIC survey which showed that privacy is a major concern for 70% of Australians, and almost 9 in 10 want more choice and control over their personal information.

Thank you to all our clients for the trust that you have placed in IIS this year and your enthusiastic efforts to promote better privacy and security. We look forward to the challenges and projects that 2021 may bring and working with you again.

Have a safe and happy Christmas and New Year!

New Zealand reforms its privacy law

By Sarah Bakar and Natasha Roberts

In June 2020, New Zealand’s Parliament passed a bill reforming the nation’s privacy law. The new Privacy Act 2020 replaces the 27-year-old Privacy Act 1993. The Privacy Commissioner John Edwards has stated: “The new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment.” 

The Act introduces significant changes to the privacy law. According to the New Zealand Privacy Commissioner’s website, the key changes include:

1. Mandatory notification of harmful privacy breaches.
If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.

2. Introduction of compliance orders.
The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.

3. Binding access determinations. 
If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.

4. Controls on the disclosure of information overseas. 
Before disclosing New Zealanders’ personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.

5. New criminal offences. 
It will be an offence to mislead an organisation or business in a way that affects someone’s personal information, or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.

More significantly, in line with its aim to better protect New Zealanders’ privacy rights, the new Act has greater extraterritorial reach: it will also apply to entities that carry on business in New Zealand regardless of whether or not they have a legal or physical presence in New Zealand (Section 3A(1)(b)). The Act states that an overseas agency may be treated as carrying on business in New Zealand without necessarily:

  • being a commercial operation; or 

  • having a place of business in New Zealand; or

  • receiving any monetary payment for the supply of goods and services; or 

  • intending to make a profit from its business in New Zealand. 

This will have implications for Australian businesses that collect or hold the personal information of New Zealanders as part of their business operations. They will be obliged to comply with this law regardless of where they or their servers are based. The Act will come into effect on 1 December 2020.

As such, IIS suggests that businesses check their coverage under the reformed legislation and start preparing to ensure compliance.