Privacy Act (The Sequel): Considerations for the Technology Sector
Pierre Tagle, Ph.D., Practice Lead – GRC
Outline
• Introduction – the Amended Privacy Act
• What is Personal Information?
• Privacy and the Digital Universe
• Key Technology Trends and Privacy
• Securing Personal Information – “reasonable steps”
• Developing a Privacy Compliance Framework
• Simplifying Compliance
The Long Awaited Sequel
• Represents the most significant changes to Australian privacy law since the Privacy Act in 1988
• Comes with new powers for the Privacy Commissioner, including investigatory powers
• Penalties for a serious invasion of privacy or repeated invasions of privacy, up to $1.7 million for organisations or $340,000 for individuals
• Came into effect 12 March 2014
• Applies to organisations with revenues over $3 million
Australian Privacy Principles (APP)
Part 1 – Consideration of personal information privacy
APP 1 – Open & transparent management of personal information
APP 2 – Anonymity & pseudonymity
Part 2 – Collection of personal information
APP 3 – Collection of solicited personal information
APP 4 – Dealing with unsolicited personal information
APP 5 – Notification of the collection of personal information
Part 3 – Dealing with personal information
APP 6 – Use or disclosure of personal information
APP 7 – Direct marketing
APP 8 – Cross-border disclosure of personal information
APP 9 – Adoption, use or disclosure of government related identifiers
Part 4 – Integrity of personal information
APP 10 – Quality of personal information
APP 11 – Security of personal information
Part 5 – Access to, and correction of, personal information
APP 12 – Access to personal information
APP 13 – Correction of personal information
What is Personal Information?
• The personal information definition in the Privacy Act refers to an individual who is “identified” or “reasonably identifiable”.
• The revised definition potentially means more data is subject to the Amended Act, e.g. data collected around a unique ID that relates to an individual even without the individual’s name.
“Personal Information” is defined as any “information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.”
-- OAIC APP Guidelines (February 2014)
Source: abine.com
Reasonably Identifiable?
Private Identity Information
• Full name
• Postal address
• Email address
• Phone number
• Username/Passwords
• Calling card number
• Credit card number
• Medicare number
• Mother’s maiden name
• Place of work
• Photos where you are identifiable
Other Personal Information?
• Age (or Birthday)
• Gender
• Number of siblings
• Favourite food, band
• Names of family & friends
• Opinion about an important issue
• Political, religious or group affiliation
• Health information
• Income
Privacy in Today’s World
• Social networks
• E-commerce
• Mobile apps
• Utilities, retailers
• Forums
• Etc.
Source: untsocialmedias13.wordpress.com
The Digital Universe
• The IDC Digital Universe study estimates that the “data we create and copy annually” will reach 44 zettabytes (ZB) by 2020 – 44 trillion GB of data – more than 5 TB of data for every person on Earth.
• “Internet of Things” (IoT)
Big Data Potential or Privacy Nightmare?
Digital Universe Study highlights
• 22% of the data in 2013 was potentially useful if analysed, with 5% being highly valuable or “target-rich”
• Less than 5% of the data is analysed
• 40% required some form of data protection; less than 20% had these protections
• 2/3 of data came from consumers, but enterprises have contact with (and therefore potentially liability and responsibility for) 85%
• 60% of data in 2013 was from mature markets; data from emerging markets will make up 60% of data by 2020
Big Data
Source: ADMA Best Practice Guideline – Big Data (2013)
Types of Data
• Web behaviour & content
• User content
• RFID data
• Location data
• Organisational data
• Research, e.g. census, health research
• Environmental data
Big Data Challenges
• Typically used for tracking movements and interests of groups in a de-identified form.
• With improvements in data analysis capabilities, de-identified data across Big Data (from various sources) can lead to re-identification of individuals
Who is into Big Data?
• Big Data is not just for the big boys
• Australian marketers:
– 78% say their ability to design and implement a strong Big Data strategy will define their business for years to come
– 82% say their marketing budget for Big Data will increase in the next two years
Source: Big Data Report 2014 (TorqueData / ADMA)
The Cloud
• Spending for cloud services increasing
• ANZ leads in the Asia-Pacific region in cloud adoption (Frost & Sullivan 2012)
• More companies looking into cloud services
Source: cio.com.au
Cloud Challenges
• Cannot Locate Our User’s Data (CLOUD)
– Cross-border data
– User consent
– Incident handling
• In 2013, less than 20% of the data was “touched” by the cloud. By 2020, this is expected to grow to 40%. -- IDC Digital Universe Study 2014
Mobile Devices, Apps & Data
• Evolving usage of the phone / smartphone
• Apps enable users to be constantly connected
Source: ACMA Mobile apps emerging issues in media communications paper
Source: M2M and Big Data (DMI World Enterprise Solutions 2014)
Mobile Challenges
• Mobile app behaviour
– Access user contacts
– Access user calendar
– Collect/determine location or movements
– Pass any or all information
• Appthority App Reputation report (Summer 2013):
– 91% of iOS and 80% of Android apps exhibited at least one risky behaviour
– 95% of top free apps and 78% of top paid apps exhibit at least one risky behaviour
Source: ACMA Mobile apps emerging issues in media communications paper
Third Parties & Offshore Data
Source: Australian Data Privacy Index April/May 2013 (Informatica)
Third Parties & Offshore Data
• Australian organisations are obliged to “ensure” that third parties (including offshore companies) receiving personal information from them comply with the APPs
• An Australian organisation is likely liable for breaches of the APPs by the offshore recipient of its information disclosure
• Information disclosure examples:
– Transfer of information offshore
– Access by offshore companies to managed databases
Securing Personal Information
Source: Australian Data Privacy Index April/May 2013 (Informatica)
Securing Personal Information
Taking “reasonable steps” to ensure security of personal information may depend on:
• Amount & sensitivity of information
• Nature of the entity
• Possible adverse effects for an individual
• Entity’s information handling practices
• Practicability, including time & cost
• Whether a security measure is itself privacy invasive
“We would take into account the size of an organisation, but it is only one factor…”
“We would be looking at what [security and risk] standards have been applied ... to see what may be applicable to the size of the entity in terms of availability of systems and their cost…”
-- Federal Privacy Commissioner Timothy Pilgrim
Reasonable Steps?
• Governance
• ICT security
• Data breaches
• Physical security
• Personnel security & training
• Workplace policies
• Information life cycle
• Standards
• Regular monitoring & review
“At the end of the day an organisation can't be excused for [not] taking particular steps to protect the information they have -- they must be taking some steps…” -- Federal Privacy Commissioner Timothy Pilgrim
Source: SC Magazine, 5 Mar 2014
What Now?
Developing a privacy compliance framework
1. Identify Privacy Officer
2. Study the APPs
3. Conduct a PIA
4. Define the Framework
5. Publish Privacy Policies
6. Implement Procedures & Controls
Identify Privacy Officer
• Appoint someone to take ownership of the privacy framework, e.g. a Privacy Officer
• Needs the support of key stakeholders and a cross-section of the organisation
Study the APPs
• Review and understand how the APPs relate to and impact business practices
• Should involve a cross-section of the organisation to understand the impact on business processes, technology controls, legal provisions, HR practices, etc.
Conduct Privacy Review
• Conduct a Privacy Impact Assessment (PIA)
– Review what information is collected and/or kept
– Review how information is used and with whom it is shared
• Guidance is available
Information Life Cycle
• Understand how information flows throughout systems & processes
• Understand risks within each stage of the life cycle
• Note “transfers” of information
Life cycle stages (diagram): Collect, Process, Storage, Update, Transfer, Delete (new cycle?)
Source: Adapted from ISACA Journal (2010)
Privacy Review – Sample Questions
1. What personal information is collected and from whom?
2. How is it collected?
3. Why is it collected?
4. How is the information used?
5. Which business functions relate to these practices?
6. Who has access? (including third parties, overseas recipients)
7. How accurate is the information?
8. What consents are in place for use or disclosure (access)?
9. How can users access/review/update information about them?
10. How are complaints handled?
11. How is a potential breach handled?
Implement Compliance Framework
DEFINE
• Use identified issues from review to develop the plans with stakeholders
• Get senior management approval
• Consult with legal
• Define the practices
IMPLEMENT
• Enforce controls
• Educate staff on their responsibilities, e.g. security, information handling, incident handling, etc.
MAINTAIN
• Update framework based on changes to business processes, industry regulations
• Conduct regular audits
• Retrain staff
• Conduct contingency testing
Publish Privacy Statements
PRIVACY STATEMENTS
• WHAT – What types of personal information are captured and/or stored?
• HOW – How is the information collected and/or stored?
• WHY – Purpose for collecting, storing, using or disclosing information?
• WHO – Who will have access to the information? Any overseas recipients?
• CONSENT – Access and consent by individuals, and avenue for correction of information
• RECOURSE – Complaint reporting and handling?
Implement Procedures
• Business processes
• Data lifecycle (capture, retention, disposal)
• User access
• Third party management
• Legal review & advice
• Incident handling (e.g. complaints, breaches)
• Physical security practices (e.g. paper forms)
• Technical support processes
• Compliance monitoring
• Security review / audit procedures
Technology Domains
• Secure infrastructure
• Identity and access control
• Information protection
– Classification
– Protection while stored (e.g. encryption)
– De-identification measures
• Auditing and reporting
Source: Australian Data Privacy Index April/May 2013 (Informatica)
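The re-identification risk raised on the Big Data Challenges slide and the “de-identification measures” item under Information protection are easiest to reason about with a concrete check. The Python below is an added example written for this page, not material from the slides or from Sense of Security; the records, the choice of quasi-identifiers (age, gender, postcode) and the generalisation rules are constructed assumptions. It measures the k-anonymity of a dataset that has had names removed, lists the records that remain unique on their quasi-identifiers (and so could be matched against any other dataset carrying the same attributes), and then applies generalisation plus suppression to reach a chosen k before release.

```python
from collections import Counter

# Constructed sample: a "de-identified" extract with direct identifiers
# (name, Medicare number, etc.) removed but quasi-identifiers left intact.
# All values are made up for this example.
RECORDS = [
    {"age": 34, "gender": "F", "postcode": "2000", "condition": "asthma"},
    {"age": 34, "gender": "F", "postcode": "2000", "condition": "flu"},
    {"age": 52, "gender": "M", "postcode": "2010", "condition": "diabetes"},
    {"age": 29, "gender": "M", "postcode": "2000", "condition": "flu"},
    {"age": 29, "gender": "M", "postcode": "2000", "condition": "asthma"},
    {"age": 47, "gender": "F", "postcode": "2010", "condition": "diabetes"},
]

# Assumed quasi-identifiers: attributes that are not names but, combined,
# narrow a record down to one person when matched against another dataset.
QUASI_IDENTIFIERS = ("age", "gender", "postcode")


def qi_key(record, quasi_identifiers=QUASI_IDENTIFIERS):
    """The quasi-identifier tuple that defines a record's equivalence class."""
    return tuple(record[q] for q in quasi_identifiers)


def class_sizes(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier tuple."""
    return Counter(qi_key(r, quasi_identifiers) for r in records)


def k_anonymity(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """k = size of the smallest equivalence class. k == 1 means at least one
    record is unique on its quasi-identifiers and therefore linkable."""
    sizes = class_sizes(records, quasi_identifiers)
    return min(sizes.values()) if sizes else 0


def unique_records(records, quasi_identifiers=QUASI_IDENTIFIERS):
    """Records that are alone in their class: the re-identification exposure."""
    sizes = class_sizes(records, quasi_identifiers)
    return [r for r in records if sizes[qi_key(r, quasi_identifiers)] == 1]


def generalise(record, age_band=10, postcode_digits=2):
    """Coarsen quasi-identifiers: exact age -> 10-year band, full postcode ->
    leading digits only. Analytic value drops a little; uniqueness drops more."""
    low = (record["age"] // age_band) * age_band
    masked = record["postcode"][:postcode_digits]
    masked += "*" * (len(record["postcode"]) - postcode_digits)
    return {**record, "age": f"{low}-{low + age_band - 1}", "postcode": masked}


def enforce_k(records, k, quasi_identifiers=QUASI_IDENTIFIERS):
    """Generalise every record, then suppress (drop) any record whose class is
    still smaller than k. Returns the releasable subset."""
    generalised = [generalise(r) for r in records]
    sizes = class_sizes(generalised, quasi_identifiers)
    return [r for r in generalised if sizes[qi_key(r, quasi_identifiers)] >= k]


if __name__ == "__main__":
    print("k before release:", k_anonymity(RECORDS))
    for r in unique_records(RECORDS):
        print("unique on quasi-identifiers:", r)
    released = enforce_k(RECORDS, k=2)
    print("released", len(released), "of", len(RECORDS), "records; k =",
          k_anonymity(released))
```

On this constructed data the raw extract has k = 1 (two records are unique on age, gender and postcode even though no name is present), generalising age and postcode still leaves those two records alone in their classes, and reaching k = 2 requires suppressing them, so 4 of the 6 records are releasable. That trade-off between analytic value and linkability is the decision a PIA has to record when “de-identified” data is shared with third parties or combined across sources.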
Simplifying Compliance
• Integrate privacy compliance into the security framework – security-driven compliance
• Integrate compliance measures into “Business-as-Usual” processes – not purely an IT issue but a whole-of-business concern
• Leverage or align with existing security frameworks & controls
• If you do NOT need it, do not store it!
Moving Forward
• Enforce privacy policies throughout the information life cycle
• Mitigate risk of unauthorised access and/or misuse of personal information
• Minimise the impact of the loss or breach of personal information
• Document all controls and demonstrate/test effectiveness
Thank you - Questions?
Pierre Tagle, Ph.D.
Head office is Level 8, 66 King Street, Sydney, NSW 2000,
Australia. Owner of trademark and all copyright is Sense of
Security Pty Ltd. Neither text nor images can be reproduced
without written permission.
T: 1300 922 923
T: +61 (0) 2 9290 4444
F: +61 (0) 2 9290 4455
www.senseofsecurity.com.au