Big data privacy in Australia: Three actions you can take towards compliance

Article 5

Five-article series


There are three actions that organizations can take to help manage big data & privacy. Big data fundamentally changes the way information is gathered, stored, used, altered and managed and it is vital to consider these differences to effectively protect against breach or regulatory issues in the future.

Big data privacy impact assessment

A big data privacy impact assessment (PIA) will help you identify the privacy-related considerations for your proposed use of big data and what is required to mitigate those risks.

It can highlight how personal information flows through a project/organization, the possible impacts on privacy that may exist and how to avoid, minimize or mitigate these, as well as how to include “privacy by design” into projects to ensure compliance.

From a regulatory point of view, performing a PIA is critical to demonstrating that organizations have considered all of the risks associated with big data, and how these risks will be mitigated, prior to the initiative being implemented.

Beyond compliance, from an operational risk perspective, performing a PIA over the big data initiative can avoid “nasty surprises” and ensure that the appropriate controls and processes have been considered up front.


An effective privacy governance perspective provides the “top down” guidance around privacy management, including for big data initiatives. The PIA provides the “bottom up” view of where the data is and what it is being used for, as well as the process and technology controls in place to ensure privacy compliance including security.

Other important considerations for any big data initiative include staff culture, training and awareness (people are usually the weakest link), as well as your reliance on third parties (particularly if your big data initiative involves vendors or cloud technologies) as well as incident management. What would you do if something went wrong? How would you deal with the inevitable media and customer fall out?

Finally, how would you ensure on a regular basis that these controls are all operating effectively, for example through your internal risk management teams or internal audit?

The aim of a privacy management framework is to help organisations develop good privacy governance which can lead to improved business productivity, more effective business processes, better risk mitigation and management of privacy breaches and how you respond should one occur.

Personal information is a valuable asset in many organizations and embedding a respectful culture around privacy will help you build a reputation that inspires trust and confidence, in addition to meeting your legal obligations.

Big data privacy management framework; Privacy by design

There are four main steps to developing a privacy management framework, as outlined by the OAIC. How each step is undertaken, and by whom, will depend on your specific environment. Broadly, the steps are:

• Embed a culture of privacy that supports compliance.

• Establish robust, effective practices, procedures and systems, with up-to-date, clear policies around personal information management.

• Evaluate your systems, procedures, processes and practices to enable ongoing effectiveness and compliance.

• Enhance your response to privacy issues.

The OAIC outlines each step in detail and describes what should be done to develop this framework.


The more personal information you collect and aggregate as an organization, the greater your security obligation is under APP 11.

An information security risk assessment can help identify potential problem areas within your organization and allows you to address and secure these before a breach occurs. An information security risk assessment is more specific than a PIA because it focuses on identifying and evaluating the risks, threats and problem areas relating to information. The choice of framework and methodology depends on your environment.

The elements to consider, whatever framework or method you choose, include:

• Data quality, information security and data accuracy.

• Can the data be effectively anonymised/depersonalised, negating the need for ongoing privacy compliance?

• Assess third parties that you share information with or source information from.

• Know your requirements, especially around personal information ‘via creation’ or re-identification with analytics.

• Use encryption to mask personal identities.

• Ensure reasonable steps are taken to destroy and/or de-identify personal information once it has been used for the notified purpose for which it was collected.

Access and prevention

• Limit internal access to personal information to those who require access to do their job (i.e. providing access on a ‘need to know’ basis).

• Maintain a chronological and detailed audit trail of all users.

• Install network security intrusion prevention and detection systems.

• Run regular penetration testing on the enterprise data warehouses to identify vulnerabilities.

Response planning

• Establish effective security monitoring procedures to identify unusual behaviours on your network that could be indicative of a breach.

• Develop a clear response plan in case of data breach (and train staff on it).

• Review your information security controls once risks have been uncovered to protect against further exposure.

The OAIC also provides a detailed guide on securing personal information which may be helpful in your organization.

Information security risk assessment

Data breach in some form is now inevitable for organizations today. A successful hack or an unwitting data leak is now a matter of when, not if. Advanced organisations are building on preventative controls (e.g. access controls) with detect-and-respond controls, such as holistic security monitoring and incident response procedures.


Additional articles in this series

Big data and privacy is a serious organizational consideration for anyone using big data analytics. This five-article series will help you understand some of the risks, technical considerations, actions to take and assessments to consider when addressing big data and privacy. The series includes:

• Big data and privacy: an overview

• Big data and privacy: know the risks and be in a position to respond fast

• Big data and privacy: tips to help shape your future capability

• Big data and privacy: assessment areas to protect personal information

EY’s holistic approach to big data and privacy

This series of articles provides a holistic view of the big data and privacy, information security and data sovereignty issues facing global organizations today. It requires both strategic thinking and tactical action across multiple business domains, including data and analytics, law and risk.

In response, we have combined the expertise of partners from these three competencies within EY to provide this rounded, whole-of-business view. For more information on big data and privacy, contact the following contributing partners:

Conrad Bates, Managing Partner EYC3, data and advanced analytics. [email protected] C3 Business Solutions Pty Ltd

Alec Christie, Partner EY Digital Law, privacy law. [email protected] Ernst & Young Law Pty Limited

Charlie Offer, Partner EY CyberSecurity, advisory and risk. [email protected] Ernst & Young Services Pty Ltd


About EY

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

EY refers to the global organisation, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organisation, please visit ey.com.

About EYC3

eyc3.com | ey.com/analytics

[email protected]

EYC3 creates intelligent client organizations using data & advanced analytics. Our team of data scientists, analysts, developers, business consultants and industry professionals work with clients at all stages of their information evolution. We implement information-driven strategies and systems that help grow, optimize and protect client organizations, and create a lasting culture that encourages people to use information creatively and intelligently to improve business outcomes.

© 2016 Ernst & Young, Australia. All Rights Reserved. ED None. M1629993.

This communication provides general information which is current at the time of production. The information contained in this communication does not constitute advice and should not be relied on as such. Professional advice should be sought prior to any action being taken in reliance on any of the information. Ernst & Young disclaims all responsibility and liability (including, without limitation, for any direct or indirect or consequential costs, loss or damage or loss of profits) arising from anything done or omitted to be done by any party in reliance, whether wholly or partially, on any of the information. Any party that relies on the information does so at its own risk. Liability limited by a scheme approved under Professional Standards Legislation.
