What every IT pro needs to know about privacy
Regardless of whether you believe the adage that data is the new oil, or the new gold, it is inescapable that every business needs good data to operate effectively. And with data management come privacy risks and privacy obligations.
Privacy compliance has become the responsibility of the whole organisation. A proactive privacy management program is now required by law for companies with an annual turnover of more than $3m, and federal government agencies must also appoint a Privacy Champion in the C-suite and conduct Privacy Impact Assessments on high-risk projects. No longer can privacy compliance be relegated to a junior role in Legal or Information Security.
Particularly since the introduction of data breach notification laws last year, which include fines of up to $2.1m for a poorly handled data breach, IT professionals need to be across their organisation’s privacy compliance priorities and risk profile, and engaged in a holistic view of data governance. Even smaller businesses are covered by the new notifiable data breach scheme.
Anna Johnston, Director of specialist consultancy and training provider Salinger Privacy, said that the tougher Australian laws have coincided with a growing awareness of reputational risks for businesses, driven both by the Facebook/Cambridge Analytica scandal and new privacy regulations from Europe which have global effect.
“In recent years, we have been receiving more and more enquiries from IT professionals, especially in the emerging tech sectors like data analytics and IoT — clients who intuitively know they need to get privacy right, but who don’t know where or how to start going about it,” she said.
Effective privacy management takes cooperation between IT and IS, and legal, risk and compliance teams, as well as the custodians and major users of data within an enterprise, such as marketing, customer service, HR and other data-hungry or customer-facing business units.
So what should businesses focus on?
Johnston suggests thinking more broadly than just the information security mantra of ‘CIA’.
“All too often, privacy is confused with secrecy, or confidentiality. So traditionally, efforts have been focused on keeping personal information from leaking out of the organisation. But in fact an organisation’s privacy obligations stretch across the entire life cycle of information management,” she said. “When we conduct a privacy compliance review, we are looking at both data flows, and data governance, in the broadest sense.”
Privacy laws regulate what personal information can be collected in the first place (and how), create obligations in relation to data security, require the maintenance of data quality, create rights for staff and customers to ask to access (and possibly correct or delete) the personal information you hold about them, set limitations on how data may be used or disclosed, and mandate appropriate data disposal.
Johnston points out that privacy risks can therefore arise from multiple directions. A privacy breach might involve a malicious intruder cyber attack, but could also include:
- the wrong de-identification methods being used to treat data before sharing it or conducting data analytics;
- CRM systems that expose customer data beyond a strictly ‘need to know’ basis;
- the introduction of algorithmic decision-making without first testing if the data is fit for purpose; or
- the development of new databases, apps, IoT devices or AI/ML systems that haven’t been properly assessed for privacy compliance.
“IT professionals need to think beyond data security and engage with discussions about what personal information should be collected or held in the first place, as well as how it should be used and who can access what,” Johnston said.
Responding to a data breach, including the new mandatory notification requirements, also requires cooperation between IT/IS and the Privacy Officer, as well as drawing in Legal, Risk, HR, Comms/Media and others. Organisations of all types need to be prepared for a rapid response, by having a Data Breach Response Plan in place.
Find out more at www.salingerprivacy.com.au.
Information Technology Professionals Association (ITPA) is a not-for-profit organisation focused on continual professional development for its 18,700 members. To learn more about becoming an ITPA member, and the range of training opportunities, mentoring programs, events and online forums available, go to www.itpa.org.au.
As news breaks of 15 million Victorian commuters having their travelling records poorly...
Join privacy experts and your IT peers to learn best-practice methodologies to help you comply...
Up to 50,000 devices owned by Australian organisations are at risk following the discovery of a...