Australian Government - Office of the Australian Information Commissioner
Privacy governance

Presentation by Timothy Pilgrim to iappANZ, Sydney

Good afternoon, everyone. I would like to begin by acknowledging the Gadigal people of the Eora Nation, the traditional custodians of this land and pay my respects to their Elders both past and present.

We’re all here today to talk about privacy in the context of risk. Richard has provided a great overview of a risk-based approach to privacy. I would like to continue that discussion, and talk about how a risk approach to privacy translates into privacy governance and the overall business management framework in the context of Australian regulatory requirements.

We have been talking for a long time about the need to build privacy into ‘business as usual processes’, and how essential it is to include in business and project planning. Our messages around this aren't going to change, but now that we have had almost a year to settle into the changes to privacy laws, we'd like to start talking about more than just basic compliance, and shift the conversation to ongoing governance. A key component of a successful end-to-end privacy program is regular monitoring. This will ensure that privacy policies, procedures and guidance are being followed and that they remain relevant to your business and the privacy risks it faces.

The European Union’s Article 29 Data Protection Working Party states that there are three core components of an accountability framework:

  • the establishment of internal privacy policies and processes,
  • the building of a privacy governance structure, and
  • the establishment and performance of review mechanisms.

Well, by now I assume that you, and your clients, all have well established policies and processes, but what we are seeing is that a lot of organisations don't have an adequate privacy governance structure in place.

This raises the question — where does the responsibility for privacy lie in an organisation? Obviously the answer to that question is going to depend on the type and size of the organisation — some businesses might have an entire section devoted to privacy compliance and governance, whereas some will have only a single person. However, I think the key to answering this question lies with understanding the value of personal information.

Personal information is an asset to any business, and should be treated as such. Business assets are available to be used, but in order for their value to be fully realised they must also be protected.  

So, while the day-to-day responsibility for personal information and privacy may sit within various areas of a business, in my view, responsibility for privacy governance sits firmly with the CEO, the Executive, the board or the management of any organisation. It is these roles that must promote privacy as an asset to be respected, managed and protected.

The recently released Telstra Cyber Security Report 2014[1] has reported that the responsibility for security is changing within organisations. With IT security incidents having a greater impact on business continuity and reputation of an organisation, C-level executives are being held more accountable for the security decisions within organisations.

Among the organisations surveyed, it was reported that 84% of CEOs/CFOs and COOs, and 71% of CTOs and CIOs are getting involved in the final stages of decision making of IT security services spending. This is certainly very encouraging.

Just last week we saw reports of the Anthem health insurance data breach in the US where the personal information of 80 million customers was un-encrypted and left vulnerable to unauthorised access.

Increasingly, data breaches are due to issues of technology and connectivity — hacking, malware, online scams. But you only have to look at these data breaches to understand the vital importance of privacy governance. In many cases there is a clear failure of governance, creating a vulnerability that is able to be exploited. The maturity of an organisation’s governance and leadership can be clearly seen in the importance placed on privacy, the way in which it is invested in, and how an organisation responds to a data breach.

To give you an example in the local Australian context, you will recall the investigation I carried out into the Department of Immigration’s handling of asylum seekers’ personal information. This data breach occurred after the publication of statistical data on the internet without the appropriate steps being taken to de-identify the information. I found that the Department was aware of the privacy risks of embedding personal information in publications, but that the systems and processes failed to adequately address those risks. This type of breach is not unique to the Department — we have seen similar failures in the private sector.

We are just getting ready to conduct an assessment of the online privacy policies of 21 entities against the requirements of Australian Privacy Principle 1. These assessments will look at whether the policies are clearly expressed and up-to-date, cover the content and contact requirements and are available in an appropriate form. This demonstrates that the OAIC is proactively looking at entities’ responses to the new requirements.

Forward thinking and actively managing privacy risk are essential to understanding and acting on your privacy responsibilities. Simply maintaining the status quo, whether in relation to a data breach, or in relation to the changing landscape of data protection and information handling, is the most ineffective way of dealing with the challenges of the information age. Privacy leadership, and from this, a robust culture of accountability and governance, is the most effective way of rising beyond mere box-ticking compliance to best practice.

You will all be aware of new requirements in the Australian Privacy Principle 1.2 to take reasonable steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs. The APP guidelines outline ways that this could occur in practice, providing a list of important steps, including implementing governance mechanisms, regular staff training, and a program of proactive review and audit of the adequacy and currency of your privacy policy and of the practices, procedures and systems implemented under APP 1.2. This obligation is a continuous and proactive one, and we have recognised that this is an area that organisations need help with.

We will soon launch a Privacy Management Framework to assist organisations develop or review their privacy program, and to meet the requirements set out in APP 1.2. You may have seen work from our colleagues in Hong Kong, New Zealand and NSW IPC in this area recently — there is a growing international awareness of the need for this kind of framework to assist organisations with the fundamentals of privacy governance. Our framework will emphasise governance, leadership and accountability as forming the basis of a robust management framework.

It will provide a practical guide on how to establish a privacy management framework, including elements such as planning and strategy, risk assessment, breach and incident management and regular evaluation and review. The framework will also encourage organisations to go beyond mere compliance and commit to best practice.

Information lifecycle

As I have noted, organisations must be aware of the value of personal information, both to the organisation and also to their customers, so that decisions can be made about the measures put in place to protect it. Technology becomes more important to business every day. But the technologies that currently make the biggest difference — like Cloud Computing, Big Data and Mobility — also increase the privacy risks your organisation faces.

With this in mind, I am going to talk a little bit about the information lifecycle, which can be found in our new Guide to securing personal information. Anyone in the room who has read the new guide, and hopefully that’s most of you, will have seen the graphical representation of the information lifecycle, as a process that starts before collection, raises issues when you collect or hold personal information, and then moves to destruction and de-identification when you no longer need the information.

We have represented this as a cyclical lifecycle to emphasise the dynamic nature of information and the need to consider your information handling in relation to all processes, projects and business units. 

In this electronic age the way that organisations collect and store personal information is constantly changing. For example, de-identified information may be added to over the course of a relationship with a client, or moved to a different storage solution, and by being added to, or associated with another piece of information, become personal information.

If previously non-identifiable information becomes identifiable personal information, then your obligations under the Privacy Act will change. If you haven’t accounted for that risk in your planning, you may not adequately fulfil your privacy obligations.

There was an interesting MIT study recently that looked at the ease with which information could be re-identified, and showed how quickly the shift from ‘anonymous data’ to ‘personal information’ can occur. And it can happen quickly. This study found that with four pieces of information that were not considered personal information — so no names, addresses, or credit card numbers — the researchers were able to identify 90% of people in a data-set of 1.1 million users over 3 months.[2]

This type of study is a great example for us of the risks of not thinking ahead about how you handle information. Having a governance and accountability framework in place will help you manage the dynamic nature of information and allow you to be privacy aware at all stages of information handling, rather than considering it in isolation or in relation to discrete projects.

Conclusion

I feel confident that everyone in the room today knows how important privacy management is.  That’s why you are here — because you understand the importance of accountability and risk management, and ensuring you are proactive in implementing your accountability and governance commitments.

Over the last 12 months we have reviewed and launched a range of guidance to help you do this. The Privacy Management Framework will build on this guidance by not only joining the dots between our various guidance, but also between your obligations under the Privacy Act and its practical implementation in your organisation. The Framework will be launched during Privacy Awareness Week 2015. And I encourage you to visit the OAIC’s website and become a Privacy Awareness Week partner, a non-financial arrangement, and a great way to demonstrate that your organisation takes privacy seriously.

The OAIC’s theme for 2015 is Privacy everyday. The theme emphasises the need for organisations to embed privacy practices into business as usual processes and succinctly captures what I have been talking about today. Your organisation must commit (from the top down) to grow a robust privacy culture of continual improvement. And, should I have to ‘visit’ an organisation as a result of a privacy incident, I will be focusing equally on assessing the privacy culture of that organisation, from the top down, as much as I will on process and technology solutions.

To achieve this privacy culture, you must regularly review your processes and policies, and the implementation of those processes and policies, to ensure that your organisation stands ready to address and respond to the risks to privacy that arise every day.

Footnotes

[1] The report draws on analysis of security event data gathered from Telstra infrastructure, security products and third-party security partners.

[2] Just four credit card clues can identify anyone <www.newscientist.com/article/dn26879-just-four-credit-card-clues-can-identify-anyone.html>