Post on 26-Apr-2018


Privacy Act (The Sequel): Considerations for the Technology Sector

Pierre Tagle, Ph.D. Practice Lead – GRC

Outline
• Introduction – the Amended Privacy Act
• What is Personal Information?
• Privacy and the Digital Universe
• Key Technology Trends and Privacy
• Securing Personal Information – “reasonable steps”
• Developing a Privacy Compliance Framework
• Simplifying Compliance

The Long Awaited Sequel
• Represents the most significant changes to Australian privacy law since the Privacy Act in 1988
• Comes with new powers for the Privacy Commissioner, including investigatory powers
• Penalties for a serious invasion of privacy or repeated invasions of privacy, up to $1.7 million for organisations or $340,000 for individuals
• Came into effect 12 March 2014
• Applies to organisations with annual turnover over $3 million (and to some smaller businesses regardless of turnover, e.g. health service providers)

Australian Privacy Principles (APPs)

Part 1 – Consideration of personal information privacy
APP 1 – Open & transparent management of personal information
APP 2 – Anonymity & pseudonymity

Part 2 – Collection of personal information
APP 3 – Collection of solicited personal information
APP 4 – Dealing with unsolicited personal information
APP 5 – Notification of the collection of personal information

Part 3 – Dealing with personal information
APP 6 – Use or disclosure of personal information
APP 7 – Direct marketing
APP 8 – Cross-border disclosure of personal information
APP 9 – Adoption, use or disclosure of government related identifiers

Part 4 – Integrity of personal information
APP 10 – Quality of personal information
APP 11 – Security of personal information

Part 5 – Access to, and correction of, personal information
APP 12 – Access to personal information
APP 13 – Correction of personal information

What is Personal Information?
• The personal information definition in the Privacy Act refers to an individual who is “identified” or “reasonably identifiable”.
• The revised definition potentially means more data is subject to the Amended Act, e.g. data collected around a unique ID that relates to an individual even without the individual’s name.

“Personal Information” is defined as any “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.”
-- OAIC APP Guidelines (February 2014)

Reasonably Identifiable?

Private Identity Information
• Full name
• Postal address
• Email address
• Phone number
• Username/Passwords
• Calling card number
• Credit card number
• Medicare number
• Mother’s maiden name
• Place of work
• Photos where you are identifiable

Other Personal Information?
• Age (or birthday)
• Gender
• Number of siblings
• Favourite food, band
• Names of family & friends
• Opinion about an important issue
• Political, religious or group affiliation
• Health information
• Income

Source: abine.com

Privacy in Today’s World
• Social networks
• E-commerce
• Mobile apps
• Utilities, retailers
• Forums
• Etc.

Source: untsocialmedias13.wordpress.com

The Digital Universe
• The IDC Digital Universe study estimates that the “data we create and copy annually” will reach 44 zettabytes (ZB) by 2020
  – 44 trillion GB of data
  – More than 5 TB of data for every person on Earth
• “Internet of Things” (IoT)

Big Data Potential or Privacy Nightmare?

Digital Universe Study highlights
• 22% of the data in 2013 was potentially useful if analysed, with 5% being highly valuable or “target-rich”
• Less than 5% of the data is analysed
• 40% required some form of data protection; less than 20% had these protections
• Two-thirds of the data came from consumers, but enterprises have contact with (and therefore potential liability and responsibility for) 85% of it
• 60% of data in 2013 came from mature markets; data from emerging markets will make up 60% of the total by 2020

Big Data

Types of Data
• Web behaviour & content
• User content
• RFID data
• Location data
• Organisational data
• Research, e.g. census, health research
• Environmental data

Source: ADMA Best Practice Guideline – Big Data (2013)

Big Data Challenges

• Big Data is typically used for tracking the movements and interests of groups in a de-identified form.

• With improvements in data analysis capabilities, de-identified data across Big Data (from various sources) can lead to re-identification of individuals
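The re-identification risk described above is a linkage attack: a dataset with names stripped still carries quasi-identifiers (postcode, birth year, sex) that another dataset shares, and a join on those attributes names the individual. The following is an added example, not material from the original slides; every record in it is constructed, the two dataset names are hypothetical, and the k-anonymity check and generalisation step are the standard measures a practitioner runs before calling an extract “de-identified”.

```python
"""Linkage re-identification check over two constructed datasets.

Added example; not from the original slides. A "de-identified" health extract
has names removed but keeps the quasi-identifiers (postcode, birth year, sex).
An auxiliary dataset that still carries names (here a constructed club
membership roll) shares those attributes. Joining on them re-identifies every
row whose quasi-identifier combination is unique in both sets. All records are
fabricated for the example.
"""
from collections import Counter

# Constructed "de-identified" extract: no name, quasi-identifiers retained.
HEALTH_EXTRACT = [
    {"postcode": "2000", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "2000", "birth_year": 1985, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "2010", "birth_year": 1972, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "2031", "birth_year": 1979, "sex": "M", "diagnosis": "fracture"},
]

# Constructed auxiliary dataset that does carry names.
MEMBERSHIP_ROLL = [
    {"name": "A. Citizen", "postcode": "2000", "birth_year": 1985, "sex": "F"},
    {"name": "B. Resident", "postcode": "2000", "birth_year": 1985, "sex": "F"},
    {"name": "C. Example", "postcode": "2010", "birth_year": 1972, "sex": "M"},
    {"name": "D. Sample", "postcode": "2031", "birth_year": 1979, "sex": "M"},
]

QUASI_IDENTIFIERS = ("postcode", "birth_year", "sex")


def qi_key(row):
    """The quasi-identifier tuple used to join the two datasets."""
    return tuple(row[k] for k in QUASI_IDENTIFIERS)


def equivalence_classes(rows):
    """How many rows share each quasi-identifier combination."""
    return Counter(qi_key(r) for r in rows)


def k_anonymity(rows):
    """Size of the smallest equivalence class. k == 1 means some row is unique
    on its quasi-identifiers and can be singled out."""
    return min(equivalence_classes(rows).values())


def link(extract, auxiliary):
    """Join extract to auxiliary on quasi-identifiers.

    Returns (name, diagnosis) pairs for rows whose combination is unique in
    both datasets; those are unambiguous re-identifications."""
    extract_classes = equivalence_classes(extract)
    aux_classes = equivalence_classes(auxiliary)
    aux_by_key = {qi_key(r): r for r in auxiliary}
    found = []
    for row in extract:
        key = qi_key(row)
        if extract_classes[key] == 1 and aux_classes.get(key) == 1:
            found.append((aux_by_key[key]["name"], row["diagnosis"]))
    return found


def generalise(rows, postcode_digits=2, year_bucket=10):
    """Coarsen quasi-identifiers (postcode prefix, birth decade) so that more
    rows fall into each equivalence class. Other fields are copied unchanged."""
    out = []
    for row in rows:
        g = dict(row)
        pc = row["postcode"]
        g["postcode"] = pc[:postcode_digits] + "*" * (len(pc) - postcode_digits)
        g["birth_year"] = (row["birth_year"] // year_bucket) * year_bucket
        out.append(g)
    return out


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(HEALTH_EXTRACT))
    print("re-identified:", link(HEALTH_EXTRACT, MEMBERSHIP_ROLL))
    coarse = generalise(HEALTH_EXTRACT)
    print("k after generalisation:", k_anonymity(coarse))
    print("re-identified after:", link(coarse, generalise(MEMBERSHIP_ROLL)))
```

On the raw extract two of the four rows are unique on their quasi-identifiers (k = 1) and the join names both of them; after generalising postcode to its first two digits and birth year to a decade every class has at least two members (k = 2) and the join returns nothing. A small k on a small sample is no guarantee against an attacker holding richer auxiliary data, which is exactly the “various sources” problem the slide raises, so the check is a floor, not a certificate.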


Who is into Big Data?
• Big Data is not just for the big boys
• Australian marketers:
  – 78% say their ability to design and implement a strong Big Data strategy will define their business for years to come
  – 82% say their marketing budget for Big Data will increase in the next two years

Source: Big Data Report 2014 (TorqueData / ADMA)

The Cloud
• Spending on cloud services is increasing
• ANZ leads the Asia-Pacific region in cloud adoption (Frost & Sullivan 2012)
• More companies are looking into cloud services

Source: cio.com.au

Cloud Challenges
• Cannot Locate Our User’s Data (CLOUD)
  – Cross-border data
  – User consent
  – Incident handling
• In 2013, less than 20% of the data was “touched” by the cloud. By 2020, this is expected to grow to 40% -- IDC Digital Universe Study 2014

Mobile Devices, Apps & Data
• Evolving use of the phone as a smartphone
• Apps enable users to be constantly connected

Source: ACMA, Mobile apps: emerging issues in media communications paper; M2M and Big Data (DMI World Enterprise Solutions 2014)

Mobile Challenges
• Mobile app behaviour
  – Access user contacts
  – Access user calendar
  – Collect/determine location or movements
  – Pass on any or all information
• Appthority App Reputation report (Summer 2013):
  – 91% of iOS and 80% of Android apps exhibited at least one risky behaviour
  – 95% of top free apps and 78% of top paid apps exhibit at least one risky behaviour

Source: ACMA, Mobile apps: emerging issues in media communications paper

Third Parties & Offshore Data

Source: Australian Data Privacy Index April/May 2013 (Informatica)


Third Parties & Offshore Data
• Australian organisations are obliged to “ensure” that third parties (including offshore companies) receiving personal information from them comply with the APPs
• An Australian organisation is likely liable for breaches of the APPs by the offshore recipient of the information it discloses
• Information disclosure examples:
  – Transfer of information offshore
  – Access by offshore companies to managed databases

Securing Personal Information

Source: Australian Data Privacy Index April/May 2013 (Informatica)


Securing Personal Information

Taking “reasonable steps” to ensure security of personal information may depend on:
• Amount & sensitivity of information
• Nature of the entity
• Possible adverse effects for an individual
• Entity’s information handling practices
• Practicability, including time & cost
• Whether a security measure is itself privacy invasive

“We would take into account the size of an organisation, but it is only one factor…”

“We would be looking at what [security and risk] standards have been applied ... to see what may be applicable to the size of the entity in terms of availability of systems and their cost…”
-- Federal Privacy Commissioner Timothy Pilgrim

Reasonable Steps?
• Governance
• ICT security
• Data breaches
• Physical security
• Personnel security & training
• Workplace policies
• Information life cycle
• Standards
• Regular monitoring & review

“At the end of the day an organisation can't be excused for [not] taking particular steps to protect the information they have -- they must be taking some steps…” -- Federal Privacy Commissioner Timothy Pilgrim

Source: SC Magazine, 5 Mar 2014

What Now?

Developing a privacy compliance framework:
Identify Privacy Officer → Study the APPs → Conduct a PIA → Define the Framework → Publish Privacy Policies → Implement Procedures & Controls

Identify Privacy Officer
• Appoint someone to take ownership of the privacy framework, e.g. a Privacy Officer
• Needs the support of key stakeholders and a cross-section of the organisation

Study the APPs
• Review and understand how the APPs relate to and impact business practices
• Should involve a cross-section of the organisation to understand the impact on business processes, technology controls, legal provisions, HR practices, etc.

Conduct Privacy Review
• Conduct a Privacy Impact Assessment (PIA)
  – Review what information is collected and/or kept
  – Review how information is used and with whom it is shared
• Guidance is available

Information Life Cycle
• Understand how information flows throughout systems & processes
• Understand risks within each stage of the life cycle
• Note “transfers” of information

Life cycle stages (cyclic): Collect, Process, Storage, Transfer, Update, Delete – New cycle?
Source: Adapted from ISACA Journal (2010)

Privacy Review – Sample Questions
1. What personal information is collected and from whom?
2. How is it collected?
3. Why is it collected?
4. How is the information used?
5. Which business functions relate to these practices?
6. Who has access? (including third parties, overseas recipients)
7. How accurate is the information?
8. What consents are in place for use or disclosure (access)?
9. How can users access/review/update information about them?
10. How are complaints handled?
11. How is a potential breach handled?

Implement Compliance Framework

DEFINE
• Use identified issues from the review to develop the plans with stakeholders
• Get senior management approval
• Consult with legal
• Define the practices

IMPLEMENT
• Enforce controls
• Educate staff on their responsibilities, e.g. security, information handling, incident handling, etc.

MAINTAIN
• Update the framework based on changes to business processes and industry regulations
• Conduct regular audits
• Retrain staff
• Conduct contingency testing

Publish Privacy Statements

PRIVACY STATEMENTS
• WHAT – What types of personal information are captured and/or stored?
• HOW – How is the information collected and/or stored?
• WHY – Purpose for collecting, storing, using or disclosing the information?
• WHO – Who will have access to the information? Any overseas recipients?
• CONSENT – Access and consent by individuals, and avenue for correction of information
• RECOURSE – Complaint reporting and handling?

Implement Procedures
• Business processes
• Data lifecycle (capture, retention, disposal)
• User access
• Third party management
• Legal review & advice
• Incident handling (e.g. complaints, breaches)
• Physical security practices (e.g. paper forms)
• Technical support processes
• Compliance monitoring
• Security review / audit procedures

Technology Domains
• Secure infrastructure
• Identity and access control
• Information protection
  – Classification
  – Protection while stored (e.g. encryption)
  – De-identification measures
• Auditing and reporting

Source: Australian Data Privacy Index April/May 2013 (Informatica)
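A common “de-identification measure” is to replace a direct identifier such as a phone or Medicare number with its hash. That does not remove the identifier: the input space is small, so anyone can hash every candidate and reverse the pseudonym, and the result is still the “unique ID that relates to an individual” that the personal-information definition earlier in the deck warns about. The block below is an added example (not the presenter’s or Sense of Security’s code) contrasting an unkeyed SHA-256 pseudonym with an HMAC under a secret key; the phone number, key names and KMS remark are assumptions for illustration.

```python
"""Pseudonymising a direct identifier: unkeyed hash vs keyed hash.

Added example; not from the original slides. It shows that SHA-256 of a
low-entropy identifier (here a constructed 10-digit Australian mobile number)
is reversible: anyone can hash every candidate number. An HMAC under a secret
key held outside the dataset cannot be reversed without that key, and a
different key per purpose stops two datasets being joined on the pseudonym.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: in production these keys live in a KMS/HSM, not beside the data.
KEY_ANALYTICS = secrets.token_bytes(32)
KEY_MARKETING = secrets.token_bytes(32)


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256: deterministic, and reversible by enumerating the
    identifier space."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256: deterministic for one key (rows can still be joined within
    a purpose), not reversible without the key."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def reverse_by_enumeration(target: str, prefix: str, suffix_digits: int,
                           key: Optional[bytes] = None) -> Optional[str]:
    """Attacker's view: try every number with a known prefix and
    `suffix_digits` unknown digits until one matches `target`.

    The full 04xx xxx xxx space is 1e8 candidates (minutes on one core); the
    demo keeps the unknown part small so it runs in well under a second.
    With `key` set, the attacker is guessing a key, which is all that is
    possible without access to the real one.
    """
    for n in range(10 ** suffix_digits):
        candidate = f"{prefix}{n:0{suffix_digits}d}"
        digest = (weak_pseudonym(candidate) if key is None
                  else keyed_pseudonym(candidate, key))
        if hmac.compare_digest(digest, target):
            return candidate
    return None


if __name__ == "__main__":
    phone = "0400012345"  # constructed number
    print("unkeyed hash reversed to:",
          reverse_by_enumeration(weak_pseudonym(phone), "04000", 5))
    token = keyed_pseudonym(phone, KEY_ANALYTICS)
    print("keyed pseudonym, wrong key:",
          reverse_by_enumeration(token, "04000", 5, key=b"attacker guess"))
    print("same id joinable across purposes?",
          keyed_pseudonym(phone, KEY_ANALYTICS) == keyed_pseudonym(phone, KEY_MARKETING))
```

The unkeyed pseudonym is recovered from the digest alone; the keyed one survives the same enumeration when the attacker lacks the key, and the two purpose-specific keys give tokens that cannot be joined. Two caveats belong with this: whoever holds the key can still re-identify, so for that party the tokens remain personal information under the “reasonably identifiable” test, and destroying or rotating the key is what turns the dataset into something closer to anonymous.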


Simplifying Compliance
• Integrate privacy compliance into the security framework – security-driven compliance
• Integrate compliance measures into “Business-as-Usual” processes – not purely an IT issue but a whole-of-business concern
• Leverage or align with existing security frameworks & controls
• If you do NOT need it, do not store it!

Moving Forward
• Enforce privacy policies throughout the information life cycle
• Mitigate the risk of unauthorised access and/or misuse of personal information
• Minimise the impact of the loss or breach of personal information
• Document all controls and demonstrate/test effectiveness

Thank you - Questions?

Pierre Tagle, Ph.D.
pierret@senseofsecurity.com.au

Head office is Level 8, 66 King Street, Sydney, NSW 2000, Australia. Owner of trademark and all copyright is Sense of Security Pty Ltd. Neither text nor images can be reproduced without written permission.

T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
info@senseofsecurity.com.au
www.senseofsecurity.com.au