Safer Internet Day 2022

By David Zhu, Sarah Bakar, Sarah Brichet and Eugenia Caralt

IIS is proudly supporting the eSafety Commissioner to mark Safer Internet Day on 8 February 2022, an annual event to promote cyber safety and a healthier online environment. 

Australian privacy regulators are leading the effort to improve online safety protections during a unique and uncertain time in which remote learning and working have become commonplace. eSafety Commissioner Julie Inman Grant revealed that since the start of the COVID-19 pandemic, serious cyberbullying towards children was up by 30%, while adults experienced a nearly 40% rise in online harassment. Because of the challenges presented by these circumstances, online safety risks are front of mind.

Regulatory theme

This year, Safer Internet Day’s theme is “Play it Fair Online”, which comes as the Federal Government is seeking to reform online abuse laws after introducing the Social Media (Anti-Trolling) Bill late last year. To access useful eSafety resources, you can click on the following links:

Workplace Safety Guidance

eSafety Toolkit for Schools

Safety by Design

IIS’s Safer Internet Day 2022 message: G.U.A.R.D. against online abuse 

As we look ahead to 2022 and beyond, IIS’s view is that strong privacy and security practices are paramount for organisations to prevent and respond to online abuse. It is also important for parents and educators to be aware of privacy controls and security settings in order to protect children on digital platforms, which often contain inappropriate or malicious content. 

This year, eSafety has published a set of privacy tips for educators, workplaces and the broader community. In this post, we have compiled these tips, along with our own commentary to help you G.U.A.R.D. against online abuse.

IIS’s top five tips for online safety

1) G is for: Get control of your location settings

Location settings are embedded into all types of technology and are important for geo-tracking services such as map apps. However, allowing the unrestricted use of these settings can allow others to track you with malicious intent. 

eSafety recommends that users safeguard their privacy by turning off location tracking features when they are not necessary and by manually choosing when, and with whom, to share their location.

You can get more information on location settings here.  

2) U is for: Use conversation controls

Conversation controls can help manage who sees and interacts with you online. 

eSafety advises users to mute, block or unfollow cyber abusers, in order to minimise the harm caused. 

IIS also recommends the following Do’s and Don’ts to be fair and kind online:

  • Do treat others with the same respect that you would want others to treat you with.

  • Do consider others and be tolerant of different views and opinions.

  • Do speak up against online abuse when it is safe to do so.

  • Don’t share secrets or sensitive information.

  • Don’t send insulting, mean or derogatory messages.

  • Don’t “diss” others or spread false rumours.

Check out The eSafety Guide for information on conversation controls for popular platforms such as Facebook, Instagram, TikTok and most popular online games.

3) A is for: Always update your security and privacy settings 

Cybercriminals, stalkers, and other malicious actors can exploit vulnerabilities in unsecured online accounts to access, steal and leak your personal information. 

To protect against this, eSafety recommends using unique and strong passwords for each online account, signing out of platforms when you’re not using them and turning on multi-factor authentication. Having strong security questions that only you can answer is also useful as an extra layer of protection.  

IIS further recommends updating and backing up your devices regularly, to minimise security vulnerabilities and keep your information secure. 

For guides on how to enhance your security and privacy settings, eSafety has a set of how-to-videos.

4) R is for: Raise your voice about online abuse

It’s important to report online abuse to the relevant online platforms and, depending on the level of harm, escalate it to the police and other authorities. This will help keep websites and social media platforms respectful and safe for users. 

For advice and support or to report online abuse, go to eSafety.gov.au.

5) D is for: Don’t forget to collect evidence

Collecting evidence of online abuse can help authorities track down offenders and ensure that your rights are protected. 

The eSafety Commissioner recommends that victims of online abuse take a screenshot and save the URL of each incident. However, evidence should only be collected when you feel it is absolutely safe to do so.

eSafety’s step-by-step guidance on collecting evidence can be accessed here.

Participating in Safer Internet Day 2022 

If you have been considering taking steps to raise online safety awareness and/or strengthen your organisation’s privacy practices, participating in Safer Internet Day 2022 is an excellent starting point.

Sign up here to support Safer Internet Day or contact IIS to help you and your organisation make online safety a priority. 

Security Legislation Amendment (Critical Infrastructure) Act 2021

By Mike Trovato

Security Legislation Amendment (Critical Infrastructure) Act 2021 (SLACI) - An Act to amend legislation relating to critical infrastructure, and for other purposes

As of December 2021, SLACI is now law. It was the first of two additions to the Security of Critical Infrastructure Act 2018 (SOCI Act) which initially only included four industry sectors. SLACI expanded the law to apply to 11 industry sectors, plus added notification requirements which do not align with, but are generally supportive of, the Notifiable Data Breaches (NDB) Scheme. 

The second bill will start the consultation process shortly and contains additional requirements which could require significant effort for a regulated entity to comply with. Most of the obligations for the first bill still need to be ‘switched-on’ by the Minister for Home Affairs, with assets already proposed by the Cyber and Infrastructure Security Centre (CISC).

The first bill (SLACI):

  • Extends the definition of critical infrastructure from 4 to 11 sectors and extends the existing reporting requirements to those sectors.

  • Mandates timely cyber incident reporting for specified critical infrastructure.

  • Legislates government assistance measures (i.e., information gathering, action requests, intervention requests) by providing powers to respond to security incidents which seriously prejudice Australia’s prosperity, national security, or defence.

The second bill will arguably have a bigger impact on regulated entities and looks to:

  • Introduce additional Positive Security Obligations and a Risk Management Program, which will be applied to entities responsible for critical infrastructure.

  • Introduce Enhanced Cyber Security Obligations, including vulnerability reporting and cyber incident response planning and exercises, for entities responsible for assets most critical to the nation (known as systems of national significance).

Critical Infrastructure owners and operators are required to report a cyber security incident if they are captured by the critical infrastructure asset definitions:

  • 12 hours if having a significant impact on the availability of the asset (up to 84 hours in writing); or,

  • 72 hours if having a relevant impact on the availability, integrity, reliability, or confidentiality of the asset.

These changes are likely to support better privacy through enhanced data protection and urgent notification, increasing the spotlight on assessment for CI and NDB purposes.

News and notables – November 2021

By Mike Trovato and Chong Shao

In our third newsletter in 2021, we pointed to two recent privacy and security stories of note:

  • The Critical Infrastructure Bill

  • IIS makes submission on DTA Digital Identity Legislation

The Critical Infrastructure Amendment Bill 2020 

The rapidity with which cyber threats are evolving and the stress on the systems created by the COVID-19 crisis have been driving further government response. Following Australia’s Cyber Security Strategy 2020, the Department of Home Affairs introduced the Security Legislation Amendment (Critical Infrastructure) Bill 2020 (Cth) (the Draft Bill) into Parliament.

The Draft Bill seeks to amend the Security of Critical Infrastructure Act 2018, which currently applies to operators of assets in only four critical infrastructure sectors: electricity, gas, water and ports. It proposes to extend the Act to 11 sectors, including communications, financial services, data storage and processing, defence industry, higher education and research, energy, food and grocery, and transport.

The proposed amendments introduce wider powers to the Federal Government, with the ability to intervene and direct organisations to provide information or do specified acts when responding to cyber security. It also puts forward new obligations: ‘positive security obligation’ for critical infrastructure, including mandatory cyber incident reporting and a risk management program, and enhanced cyber security obligations for systems deemed to be of ‘national significance’.

The Draft Bill creates opportunities but also challenges for the sectors concerned, as it increases the complexity of the regulatory landscape applying to information security and creates an additional reporting burden. It has also raised concerns across the professional cyber security industry in relation to excessive Government powers.

IIS is supportive of the government’s efforts to improve cyber security resilience and hopes that the numerous submissions offered in November 2020 will be used to improve the legislation so that entities take a primary role in improving their resilience to attacks.

IIS makes submission on Exposure Draft of the DTA’s Trusted Digital Identity Bill

IIS participated in the Digital Transformation Agency’s call for submissions on the DTA Trusted Digital Identity Legislation. IIS Lead Privacy Advisor, Malcolm Crompton and IIS Managing Director Michael Trovato drafted an extensive paper addressing the Legislation’s intention to help expand the Australian Government’s Digital Identity system into a whole-of-economy Digital Identity solution by establishing robust governance, strengthening data and consumer protections, and enabling entities in other digital identity systems to apply for Trusted Digital Identity Framework (TDIF) accreditation.

IIS Lead Privacy Advisor, Malcolm Crompton and IIS Managing Director Michael Trovato submitted an extensive paper during the consultation process, with an emphasis on respecting and protecting individuals’ interests. IIS subsequently consulted with DTA and provided a submission on the Exposure Draft of the Bill.

Key to IIS’ position on the design of the Legislation is to recognise that digital identities obtained and verified through TDIF are likely to dominate every aspect of the lives of individuals as digital continues to increase its dominance of how lives, business and government are conducted. Indeed, the policy intent is that TDIF facilitates this evolution.

Overall, IIS identified that more emphasis needs to be placed on the system being respectful of Users as individual people, not just economic units, and on its being symmetric in its treatment of the parties.

We raised the following key points:

  • Ensuring that Users / advocates will have continuing and genuine influence as the system evolves.

  • Effective governance, compliance, enforcement, and remediation/redress for the individual User.

  • Protection from (or genuine oversight of) surveillance by law enforcement and national security agencies.

  • Ensuring that alternatives to using the TDIF system continue to be available for years to come, if not forever. There must be genuine alternatives to the use of digital identities (i.e., practical, available, not cumbersome or coerced); otherwise, any ‘consent’ is rendered meaningless and arguably invalid under law.  

Once again, you can read the full submission here.

Privacy and vaccine passports: Considering the IATA Travel Pass

By Sarah Bakar, Lisa Hooper and Chong Shao

As governments roll out vaccinations and the COVID-19 pandemic begins to ease in certain parts of the world, tentative plans to reopen international travel have begun. Central to these plans is the ongoing discussion of having a kind of digital document to prove that individuals are vaccinated – that is, a ‘vaccine passport.’

There are many different versions that have been or are being developed by various organisations such as governments, airlines and industry groups, non-profits and technology companies. Vaccine passports are not only being developed to facilitate international travel. They have also been proposed to be used for domestic purposes, such as entry into restaurants and events. 

In the realm of international travel, several passes have been introduced: CommonPass, AOKPass and the IATA Travel Pass. To date, the IATA Travel Pass has received the most uptake from airlines. These include Singapore Airlines, Qatar Airways, and Emirates Airlines to name a few. 

The Travel Pass was developed by the International Air Transport Association (IATA). It is a mobile app that allows travellers to store and manage their verified certifications for COVID-19 tests and vaccines.

Nick Careen, Senior Vice President, Airport Passenger Cargo and Security at IATA, said: ‘It’s about trying to digitize a process that happens now and make it into something that allows for more harmony and ease, making it easier for people to travel between countries without having to pull out different papers for different countries and different documents at different checkpoints.’

How the Travel Pass app will work

Travel Pass will ask users to create a profile, enter their flight details, and direct the users about their requirements for travel such as suggesting verified testing facilities. Travel Pass will integrate with testing facilities so that the results can be sent directly to the app. Moreover, when governments start to issue digital vaccine certificates, the individual can opt to upload this certificate onto the app as well. Once the appropriate data has been uploaded, the user will receive a confirmation or ‘okay to travel’ notification which is relied upon by airlines.

In the app’s current state, a physical passport will still be used to confirm a person’s identity in conjunction with the app; COVID-19 results and vaccination status will not be ‘linked’ to a person’s physical passport. IATA’s plan is that Travel Pass will eventually be able to store an individual’s passport details on the app and thus be able to link COVID-19 results and vaccination status in one place. 

Travel Pass and privacy

While Travel Pass is still in the early stages of being released to the wider public, we note that its cautious approach to data handling is in line with public sentiment. For example, the Australian Community Attitudes to Privacy Survey 2020 found that 9 in 10 Australians want more control over their data.

From what has been published by IATA, Travel Pass appears to be mostly sound from a privacy and security perspective. Based on the current Travel Pass privacy policy, we note the following privacy positives:

  • Use of Travel Pass is voluntary 

  • IATA conducted a Data Protection Impact Assessment (DPIA) of the Travel Pass (although we note that this has not been published) 

  • IATA built Travel Pass from the beginning with privacy by design principles 

  • The app gives control to the user in terms of what information is entered (such as using the digital passport facility and/or uploading their vaccination certificates) and who it is shared with (no information is shared with an airline or government without their authorisation)

  • All Travel Pass data is stored locally on the device – this includes verified COVID-19 test results and vaccination certificates (however, the IATA server will temporarily process data in order to facilitate an action such as receiving test results from a testing facility or sharing data with a partner)

  • Deletion of the app means the deletion of all data 

  • If an individual chooses to share data with a partner, the data is encrypted and sent directly to them from the mobile device. 

There are some remaining issues where more clarity and transparency would be welcome, for example:

  • What is the procedure involved in an airline verifying an individual’s ‘Okay to travel’ status? Do airline staff sight the status or are individuals required to share their test results/vaccination status? 

  • What will be the mechanism for oversight and assurance that what is described in the privacy policy is the reality? 

  • Can we be sure about the assurances that IATA will immediately delete the processed data from its servers? What happens in case of technical issues? Is the data retrievable? 

As more and more airlines participate in and adopt Travel Pass, we hope and expect more information to be made available on how Travel Pass handles user data and on the benefits of having such a tool.

Top five picks for making privacy a priority (PAW 2021)

By Lisa Hooper and Chong Shao

The 2021 Privacy Awareness Week (PAW) is scheduled for 3-9 May. The OAIC’s PAW theme is Make Privacy a Priority. Its recent survey of Australian attitudes towards key privacy issues revealed that most Australians have a clear understanding of why they should protect their personal information (85% agree) but half say they don’t know how (49% agree).

This year, the OAIC has published their privacy tips for the home and the workplace. In this post, we have compiled our own top picks that align with OAIC’s message for workplaces, along with our own commentary.

IIS top five picks

1. Making privacy a priority starts from the top

  • OAIC message: A strong leadership commitment to a culture of privacy is reflected in good privacy governance 

  • IIS view: Privacy needs to be front-of-mind for boards 

Good privacy governance enables innovative and trustworthy uses of personal information. This in turn promotes both performance (e.g., improve productivity, offer new digitally enabled products and services) as well as compliance (e.g., meet local and global privacy requirements, reduce and respond to privacy risks).

IIS believes that privacy should be a key consideration for boards and they should provide clear direction for the executive team to implement a privacy management framework that sets out the organisation’s privacy governance.

It is important for organisations in this rapidly changing environment to adopt a forward-looking posture. Organisations should actively monitor the latest privacy developments – including in technology, law and policy – and consider how they may be impacted. Privacy performance and developments should also be reported back up to the board level. 

This is discussed extensively in the book The New Governance of Data and Privacy: Moving beyond compliance to performance, co-authored by Mike Trovato (Managing Director) and Malcolm Crompton AM (Lead Privacy Advisor) and published by the Australian Institute of Company Directors (AICD).

2. Reduce the risks of data breaches caused by human error and prepare a data breach response plan 

  • OAIC message:

    • Reduce the risks of a human error data breach by educating staff and putting controls in place

    • Ensure that your organisation is prepared and equipped for a data breach 

  • IIS view:

    • Educate, prepare, rehearse and assess

    • Your data breach response plan needs to be up to date and fit for purpose. This needs to include the role of third-party providers that would play a key role in the response.

Over the past year, data breaches have continued to increase around the world. Many cyber-attacks are occurring in the context of wider disruptions caused by COVID-19. As large portions of the professional workforce transitioned to working remotely, there was a significant reliance on the use of personal devices and home networks to conduct work tasks, thereby increasing the security vulnerability for organisations.

It is vital for staff to continue to be educated on proper data handling and receive privacy training for their respective roles. How an organisation handles a data breach can significantly impact their reputation; ensuring that staff are well equipped to report a breach is an important factor when implementing action plans for handling a breach. 

IIS believes that now more than ever, organisations must ensure that staff are adequately trained, controls are regularly assessed and that data breach response plans are up to date and fit for purpose. Like other safety drills, the plan should be rehearsed periodically so that the organisation can respond efficiently and effectively if/when the real thing happens. It is better to be proactive than reactive. Is your organisation data breach ready?

3. Build in privacy by design (PbD)

  • OAIC message: Adopt a PbD approach to minimise, manage or eliminate privacy risks 

  • IIS view: Embedding PbD from the very start helps organisations with both privacy compliance and performance

IIS has been a strong advocate for PbD. We believe that implementing PbD strategically helps organisations to achieve their objectives while maintaining a high level of privacy protection. This saves the time and costs of “bolting on” measures down the track. Furthermore, PbD helps organisations to focus on user-centric practices that are key to building trust with customers and reducing privacy risk over the long run.

PbD should be prioritised in contexts where the value of the data and the associated privacy risks are high, for example: linking and matching big datasets, mobile location analytics, biometrics, and customer loyalty programs.

4. Put secure systems in place

  • OAIC message: Having strong and secure systems in place helps to protect personal information from misuse, loss or unauthorised access or disclosure

  • IIS view: Ensuring secure systems and appropriate controls are in place is one of the top priorities for preventing privacy breaches.

Cyber security and privacy should not be “set and forget”. Rather, organisations must regularly monitor the operation and effectiveness of their ICT security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of personal information. This means cyber security is not just an IT issue, but a business and risk issue.

Having policy and procedure documents in place is necessary but not sufficient. Overall, organisations should focus on the basics: know your data assets, manage identity and least-privilege access, protect endpoints, train staff and prepare for incidents.

5. Undertake a PIA

  • OAIC message: A PIA is an essential tool for protecting privacy, identifying solutions and building trust 

  • IIS view: A PIA is an essential component of the organisation’s risk management process

A privacy impact assessment (PIA) is an assessment of new or changing technologies (e.g., adopting a new CRM system), products (e.g., introducing a location-based customer service) and/or operational processes (e.g., revising the data governance policy) that might have an impact on the privacy of individuals.

When the organisation proposes to introduce a new project that involves (or could involve) the handling of personal information, it could lead to both anticipated benefits as well as unanticipated consequences. Conducting a PIA prior to and during the project – as part of the project’s overall risk management processes – can ensure that privacy risks are considered and that the potential impacts are mitigated. 

In IIS’s experience, a PIA is more than a compliance check. Conducting a PIA can provide organisations with a wider view on privacy throughout the business, which in turn can help organisations improve their privacy practices beyond the single project under review.

Participating in PAW 2021

IIS will once again be proudly supporting PAW this year. We have previously partnered with our clients during PAW to deliver presentations and participate in live Q&A sessions. If you have been considering taking steps to raise privacy awareness and/or strengthen your organisation’s privacy practices, participating in PAW is an excellent starting point.

Sign up today with the OAIC or contact IIS to help you and your organisation make privacy a priority.

Contact tracing data and function creep: A case study in Singapore

By Sarah Bakar, Lisa Hooper and Chong Shao

In March 2020, upon the World Health Organisation’s declaration of the COVID-19 pandemic, Singapore became one of the very first countries to launch a contact tracing app to manage the spread of COVID-19. By October 2020, it became mandatory for citizens to either download the app onto their smart phone or carry an electronic token.

Timeline of events

  • March 2020

    Launch of TraceTogether – the digital system for contact tracing

  • April 2020

    Launch of SafeEntry – national digital check-in system 

  • October 2020

    Launch of BluePass – a specifically-designed contact tracing device for migrant workers

  • January 2021

    The country’s widely-used COVID-19 contact tracing application TraceTogether made international headlines after Minister of State Desmond Tan revealed during a parliamentary session that data collected through the TraceTogether app fell under the purview of the country’s Criminal Procedure Code and as such the data can be used for criminal inquiries. The Minister’s comment means that police can use data from the TraceTogether, SafeEntry and BluePass systems in criminal investigations unrelated to COVID-19 contact tracing efforts. Soon after this statement, it was revealed by another minister that such data had in fact already been used in a murder investigation.

    These revelations caused a public backlash.

  • February 2021

    In its attempt to rectify the situation, the government passed a law to restrict the use of the data: the COVID-19 (Temporary Measures) (Amendment) Bill. 

COVID-19 (Temporary Measures) (Amendment) Bill

The law allows for the personal data collected by a digital contact tracing system to be used for investigation into “serious offences”. Digital contact tracing systems include the three main ones noted above. 

The bill defines serious offences to include unlawful use or possession of explosives, firearms or dangerous weapons; any offence relating to terrorism; any offence relating to causing death or concealment of death; a drug offence that is punishable by death; kidnapping, abduction or hostage-taking; and any offence involving serious sexual assault such as rape.

As of January 2021, it is estimated that 4.2 million people, or 78% of residents, have downloaded the app. This is a significant number, illustrating how the public was eager to cooperate with the government in tackling COVID-19 but, more importantly, just how vast the amount of data available is. However, the revelation that contact tracing data had already been used by enforcement authorities caused a public outcry, with people calling out the government and some even deleting the app altogether. It is important to call out that this revelation came 10 months after the launch of the app, and after users were continuously assured that the data would only be used for contact tracing.

Function creep and its consequences

The pandemic triggered an emergency situation throughout the globe, creating urgency for governments to manage and respond effectively. As such, contact tracing apps emerged quickly, including in Singapore. However, the data generated by such apps has become a tempting honeypot for law enforcement.

On the one hand, the enactment of the Bill shows that the Singaporean government is explicitly limiting the (secondary) use of contact tracing data. On the other hand, as it comes 10 months after the launch of TraceTogether, the Bill can also be viewed as a way for the government to attempt to regain the public’s trust and fix its reputation after it was obvious that the public felt betrayed and cheated.

This is yet another lesson in how the mishandling of data will no longer go unchecked by the public, even for a population that, as in Singapore’s case, tends to be deferential to its government.

Privacy should not be undermined for the sake of other worthy but unrelated goals. There are consequences not only for the individuals involved, but also the broader public health goals of the government. Given that the effectiveness of contact tracing apps depends on the number of people who use them, public trust and confidence that their privacy will be respected is a key ingredient to controlling the pandemic.

Needless to say, this function creep will not be the only one of its kind as valuable data continues to be collected for contact tracing across the world. In light of this, we strongly advocate for the inclusion of Privacy By Design in the development of such apps, to ensure that privacy is not left as an afterthought.

This can include explicit purpose limitations on the use of data, as well as built-in data retention limits to prevent a honeypot situation. New South Wales’ COVID Safe Check-In tool is a good example of this – individuals’ details can only be used for contact tracing purposes, and if no such action is taken, their details are permanently deleted by Service NSW after 28 days.

IIS Newsletter #6 2020 - Year in Review and Season’s Greetings

2020, the year that was…

As 2020 draws to a close, we are taking this moment to step back and reflect on the year. IIS has made a few logistical changes in 2020. This year we moved our Sydney office from Chippendale to The Vines co-working space in Waterloo. We expanded and diversified our team across Brisbane, Hong Kong, Malaysia, Melbourne and Perth. We also fully embraced working from home (WFH) and flexible working, which have always been a part of our culture.

In April this year when lockdowns began, we published a guide on how we do WFH including a page on privacy and security. As WFH is becoming a standard in how we work, we recommend a review of the aforementioned guide.


Our shared achievements

Despite the challenges of COVID-19, 2020 has been a busy time for our clients.

Notably, we completed a Privacy Impact Assessment for the Australian Bureau of Statistics (ABS) about the use of integrated administrative data in the next Census, which the ABS has published. We were asked to identify privacy issues and risks associated with the Census admin data project – including matters of compliance with law and policy, as well as broader considerations such as stakeholder expectations and social licence.

The Office of the National Data Commissioner (ONDC) and Department of the Prime Minister & Cabinet (PM&C) engaged us to conduct a PIA on a draft of the landmark Data Availability and Transparency Bill (DATB), formerly known as the ‘Data Sharing and Release Bill’. The 13 recommendations and PM&C’s responses are published in our PIA here.

IIS proudly supported Commonwealth, NSW, and Victorian Privacy Awareness Weeks in 2020. The OAIC’s theme was Reboot Your Privacy, focusing on the current challenges that Australian entities are facing to adapt to the new demands of remote working and online interactions. Among IIS activities, Lead Privacy Advisor, Malcolm Crompton spoke at the Australian Computer Society’s NSW Privacy Summit seminar, available here. The seminar asked: Why is there so much debate about the trustworthiness of government uses of data? This session explored the ways in which existing law and its implementation are not meeting the needs of citizens or the needs of government seeking to retain citizen trust.

IIS also authored National Security or Privacy? in CyberAustralia magazine, as part of the Risk & Cyber Week virtual conference by the Risk Management Institute of Australasia (RMIA) and the Australian Information Security Association (AISA). The article puts forth the “4A framework” as a way to examine how we can have stronger protections for stronger national security powers.


Looking ahead

The past 12 months have been met with brand new challenges and the importance of data protection has never been greater in this time of change and uncertainty.

In particular, we have provided increased support in terms of agile Privacy by Design work, privacy compliance and performance audits, and data breach response. We envisage this will continue as organisations expand their digital efforts in a landscape of hybrid work environments, higher customer expectations and changing legal regimes (Privacy Act review, new data sharing regime, Consumer Data Right, to name a few!).

The growing shift in attitude towards privacy and security was highlighted in a recent OAIC survey which showed that privacy is a major concern for 70% of Australians, and almost 9 in 10 want more choice and control over their personal information.

Thank you to all our clients for the trust that you have placed in IIS this year and your enthusiastic efforts to promote better privacy and security. We look forward to the challenges and projects that 2021 may bring and working with you again.

Have a safe and happy Christmas and New Year!

New Zealand reforms its privacy law

By Sarah Bakar and Natasha Roberts

In June 2020, New Zealand’s Parliament passed a bill reforming the nation’s privacy law. The new Privacy Act 2020 replaces the 27-year-old Privacy Act 1993. The Privacy Commissioner John Edwards has stated: “The new Privacy Act provides a modernised framework to better protect New Zealanders’ privacy rights in today’s environment.” 

The Act introduces significant changes to the privacy law. According to the New Zealand Privacy Commissioner’s website, the key changes include:

1. Mandatory notification of harmful privacy breaches.
If organisations or businesses have a privacy breach that poses a risk of serious harm, they are required to notify the Privacy Commissioner and affected parties. This change brings New Zealand in line with international best practice.

2. Introduction of compliance orders.
The Commissioner may issue compliance notices to require compliance with the Privacy Act. Failure to follow a compliance notice could result in a fine of up to $10,000.

3. Binding access determinations. 
If an organisation or business refuses to make personal information available upon request, the Commissioner will have the power to demand release.

4. Controls on the disclosure of information overseas. 
Before disclosing New Zealanders’ personal information overseas, New Zealand organisations or businesses will need to ensure those overseas entities have similar levels of privacy protection to those in New Zealand.

5. New criminal offences. 
It will be an offence to mislead an organisation or business in a way that affects someone’s personal information, or to destroy personal information if a request has been made for it. The maximum fine for these offences is $10,000.

More significantly, in line with its aim to better protect New Zealanders’ privacy rights, the new Act has greater extraterritorial reach: it will also apply to entities that carry on business in New Zealand regardless of whether or not they have a legal or physical presence in New Zealand (Section 3A (1)(b)). The Act states that an overseas agency may be treated as carrying on business in New Zealand without necessarily being:

  • a commercial operation; or 

  • having a place of business in New Zealand; or

  • receiving any monetary payment for the supply of goods and services; or 

  • intending to make a profit from its business in New Zealand. 

This will have implications for Australian businesses that collect or hold the personal information of New Zealanders as part of their business operations. They will be obliged to comply with this law regardless of where they or their servers are based. The Act will come into effect on 1 December 2020.

As such, IIS suggests that businesses check their coverage under the reformed legislation and start preparing to ensure compliance. 

COVIDSafe - A turning point for privacy?

By Malcolm Crompton and Chong Shao

The Australian Government’s COVIDSafe app has been met by both widespread scrutiny and widespread adoption. Is the app safe? Is the public’s response revealing the true Australian character? Are the privacy fears overblown? The picture is fascinating when you step back and look at what this app says about privacy in Australia both now and going forward.

Making the grade

Let’s address the most important thing upfront: the app appears to be mostly sound from a privacy and security perspective. Contrary to the FUD (fear, uncertainty and doubt) swirling around – no, the app does not collect any location information; no, it does not “track and monitor” you at all times (contrary to existing apps in other countries). Here is a good explainer on how the app actually works. 

The Australian Government commissioned a Privacy Impact Assessment from a law firm which it has published. From our perspective, the key privacy protections are:

  • The layers of opt-in consent and control built into the app, from registration to uploading information to the National COVIDSafe Data Store

  • Access to the information in the Data Store will be strictly limited to health officials in the States and Territories, and the purpose will be strictly limited to COVID-19 contact tracing and notification – these restrictions will be backed by federal legislation

  • All data held in the Data Store will be deleted at the end of the pandemic – this is very important because retaining information is a necessary feature of the centralised model (as opposed to the decentralised model proposed by the Apple-Google partnership), which could lead to potential misuse or compromise of the information.

There are some remaining issues where more clarification would be welcome:

  • What will be the arrangements that govern how State and Territory officers use the gathered information? What will be the mechanisms for oversight, enforcement and responding to failure in those jurisdictions?

  • The government has stated that it will introduce regulations to prevent police and other government agencies from accessing the information collected by the app. This is a good move to increase trustworthiness, but will it extend to national security agencies (as it should)? Will it extend to State and Territory police forces?

  • Why the delay in the promised release of the source code and will the source code of the inevitable updates also be released? Has it been sufficiently security tested? 

  • Can we be sure about the assurances that Amazon Web Services will abide by Australian law rather than US laws should the US demand (secret) access to the data?

  • Why hasn’t there been wider consultation with interested parties beyond the chosen federal agencies? Will there be such consultations from now on?

The big missing piece

While the app’s privacy protections are commendable, as always, the proof of the pudding is in the eating. A recent post by the UK Information Commissioner, summarising the discussions of more than 250 participants from the privacy domain on the use of technology to combat the pandemic, highlighted the importance of governance and accountability processes.

This is where we think the government’s current implementation is lacking. For example: how will we know that only the right people are accessing the information and using it for the right reasons? How will we know that the information will be deleted once the pandemic is over? How secure is the system – in the exchange of Bluetooth signals, the information in transit to and from the Data Store, and information at rest in the Data Store?

The PIA recommends additional independent assurance and testing from security experts, and to make this publicly available. This should extend to all aspects of data handling by participants in the ecosystem including Commonwealth, State and Territory agencies as well as private sector participants such as Amazon.

To maximise privacy and trust, the government should not only make the right promises, but also (i) explain how it will keep them and (ii) demonstrate, via expert and independent validation, that they are indeed being kept.

The creation and the creator

We have observed an interesting dichotomy in the responses to the COVIDSafe app. There is widespread recognition, even from usually sceptical voices, that the app is not especially problematic from a privacy perspective. At the same time, there is a general sense of concern about a new method of data collection by the Australian Government. The problem is not with the creation, but with the creator.

It would be an understatement to say that the government has a chequered past with respect to privacy and data handling (see here for a recent history lesson). This has resulted in a trust deficit where anything it proposes is subject to negative publicity. So far, adoption rates indicate that many Australians are willing to try the app notwithstanding the government’s track record. 

Is this because of the objectively strong privacy measures implemented and promoted by the government? And/or is this because of the extraordinary circumstances we are in, with Australians doing their part to help combat the pandemic and hasten the reopening of our society? It may be too soon to tell, although it is fair to hypothesise that both are playing a role.

Our hope is that this augurs well for future government initiatives, that the Australian Government will take lessons from the positive response to the app – achieved through a combination of taking privacy seriously (including legislatively) and appealing to public solidarity. This represents a break from its past behaviour and could serve as the new and better precedent going forward.

Privacy Awareness Week 2020: A message from IIS

By Mike Trovato and Eugenia Caralt

IIS is a proud supporter of 2020 Privacy Awareness Week (PAW), 4-10 May, an annual event to raise awareness of privacy issues and the importance of protecting personal information. 

Australian privacy regulators are leading the effort to increase privacy awareness in the midst of a unique and uncertain time as we face the COVID-19 pandemic. Because of the challenges presented by the pandemic, compliance and risk to personal information in government, industry, education, and non-profits are front of mind. 

Regulatory themes

This year the Office of the Australian Information Commissioner’s (OAIC) theme is “Reboot Your Privacy”. As Information and Privacy Commissioner Angelene Falk indicates, this year’s theme is in line with the current challenges that Australian entities are facing to adapt to the new demands of remote working and online interactions. To access the Commonwealth and state-based PAW information, events and resources, click on the links below: 

Office of Australian Information Commissioner – Reboot Your Privacy

Office of the Victorian Information Commissioner – Privacy – Protect Yours and Respect Others’ 

Office of the Information Commissioner Queensland – Be Smart About Privacy

Information and Privacy Commission New South Wales – Prevent, Detect, Protect

IIS and partner events

In addition to being a PAW partner, IIS is supporting efforts to raise privacy awareness through the following activities:

Privacy Masterclass – Data and Privacy with Malcolm Crompton and Lyria Bennett Moses as part of the Australian Computer Society’s NSW Privacy Summit

When: Wednesday, April 29, 4:00 PM AEST

Theme: Why is there so much debate about the trustworthiness of government uses of data? 

This session will explore the ways in which existing law and its implementation are not meeting the needs of citizens or the needs of government seeking to retain citizen trust. 

To pre-register for the free webinar, click here (the link will be posted 2 hours before the event commences).

OneTrust webinar – Privacy in a Pandemic with the Privacy Commissioners from Australia and New Zealand and IDCare’s Managing Director 

When: Wednesday, May 6, 2:00 PM AEST

Theme: As the world rapidly changes to address the COVID-19 pandemic, what’s at stake for privacy? 

Panel discussion of issues and practical advice for maintaining privacy during the pandemic.

To pre-register for the free webinar, click here.


IIS’ PAW 2020 message

The OAIC’s theme is Reboot your Privacy using Ctrl+Alt+Del. What does Ctrl+Alt+Del practically look like?

1) Ctrl – OAIC message: Check and update your privacy and security controls; IIS view: Undertake privacy and security health checks – Know where you stand and take action!

At IIS, we are often asked by potential and current clients seeking to improve privacy practice: “Where should we start?” or “What should we do?” We find that this question is best answered by more questions! For example:

  • When did you last review your entity’s privacy and security practices?

  • Does your management and board of directors have a clear view of where the entity stands in terms of personal information as an asset? Is the current culture and practice appropriate to the entity’s strategy, risk appetite and privacy stance?

  • Are your management and board of directors aware of the risks and do you have their support (including financially) to address them? 

As you are all aware, the Privacy Act requires entities to take reasonable steps to protect the personal information they hold, considering, among other things, the nature of the entity and the amount and sensitivity of the information it holds. If your entity’s privacy management and governance are insufficient in light of the above, both your entity and your customers are at risk.

A ‘privacy and security health check’ will assist entities to assess the extent to which their current practices, procedures and systems are compliant with the law, vulnerable to privacy and security risks, and/or meet privacy and security best practice. It provides a point-in-time view to assist entities in deciding where they want to be.

Entities that do not understand their position and have not taken appropriate actions could be deemed as deficient by regulators and will likely be subject to enforceable undertakings after the inevitable breach. 

2) Alt – OAIC message: Consider the alternative when giving or asking for personal information; IIS view: Implement Privacy by Design!

What can you do with less? How can you cut unnecessary collection of personal information, or even creatively achieve the same goal without any personal information? These practices are best implemented by embedding Privacy by Design (PbD) from the very start.

Applying PbD strategically helps entities internalise user-centric practices that are key to building trust with customers and reducing risk to the entity over the long run. Furthermore, it heads off the often costly and time-consuming process of ‘bolting on’ privacy fixes at the end of a project, or finding a project has to be shelved altogether due to privacy concerns.

PbD should be actively adopted in contexts where the value of the data and the associated privacy risks are high, for example: big data, especially involving information; mobile location analytics; biometrics, including facial recognition; and customer loyalty programs.

IIS believes that now more than ever entities cannot hit the PAUSE button on thinking and doing privacy. Rather, they should adapt to this current moment, such as by using short-form Privacy Impact Assessments, as Australian privacy regulators have recently indicated.

3) Delete – OAIC message: Delete any data from old devices and securely destroy or deidentify personal information if it’s no longer needed for a legal purpose; IIS view: develop data retention policies, enforce them and prove it!

Data is a liability because of the risk of a privacy or security breach and the resulting toxic effects. Security and privacy are related but distinct. An entity can have the world’s best security practices for its personal information but still should not have collected it in the first place or should not have used it for an unexpected purpose. To highlight this point, consider the tech giants like Google and Facebook. Presumably they have industry-leading security practices, but this has not stopped them from getting into privacy mishaps over the years. 

To minimise both privacy and security failures, entities should have a retention policy in place for all types of data, including personal information. They should be familiar with their legal requirements and transparent about their data handling practices. When data is no longer needed, they should act to ensure that the appropriate steps are carried out (such as deletion or deidentification) – this includes thinking about their supply chain and external service providers. 

More and more we are seeing the policy and best practice landscape shift towards favouring stronger assurance. Entities that are able to prove what they say (including data deletion) will be in a much stronger position with respect to building trust and credibility with individuals, clients and regulators.

Summing up: The importance of governance and directors’ key role in driving privacy and security

Privacy awareness should lead not only to better compliance but also contribute to valued business and strategic goals. Reflecting on this year’s OAIC theme, and given the growing importance of personal information as a mission-critical asset, IIS encourages entities seeking to turn awareness into better practice to start with a privacy and security health check.

As we look ahead to 2020 and beyond, the governance of personal information will be a growing area of interest for regulators (not just in privacy, but specific sectors as well). A board that is not asking relevant questions of management, or is unable to assure itself of how personal information is being handled and protected, is demonstrating a failure of governance that could compromise the entity’s mission and potentially open it up to external scrutiny and consequences.

It has been just over a year since the launch of “The New Governance of Data and Privacy: Moving beyond compliance to performance”, co-authored by Mike Trovato (Managing Director) and Malcolm Crompton AM (Lead Privacy Advisor) and published by the Australian Institute of Company Directors (AICD).
The book discusses why privacy governance is a top line strategic and compliance issue for boards and sets out a framework for boards to lead and direct privacy governance in their entity. The main themes of the book have also been adapted into the Data and privacy governance director tool jointly published by the AICD and the Australian Information Security Association (AISA), available here.