Mike focuses on assisting key stakeholders with understanding the obligations and outcomes of effective privacy and cyber security. This includes solving an organisation’s issues with respect to regulatory, industry, and company policy compliance and to protect what matters most in terms of availability, loss of value, regulatory sanctions, or brand and reputation impacts balanced with investment.

At IIS, Mike has led over 100 privacy and security governance, risk, and compliance client engagements across government, health care, education, retail, financial services, and technology sectors. He has also advised clients about the direct impact of cyber security on privacy and data protection and how to provide greater resilience to assure better organisational outcomes.

Mike also serves as ICG’s Global Cyber Practice Leader and IIS is an ICG Affiliate. Prior to joining IIS, he was the Founder and Managing Partner of Cyber Risk Advisors. Before then, he was Asia Pacific, Oceania and FSO Lead Partner EY Cyber Security; GM Technology Risk and Security for NAB Group; a Partner within Information Risk Management at KPMG in New York; and has held financial services industry roles at Salomon Brothers and Mastercard International. At EY, Mike was responsible for creating the largest, sustained “Big-4” cyber security practice, deploying Privacy and Data Protection solutions, and building the Melbourne Advanced Security Centre (ASC), specialised in attack and penetration testing.

Mike is a Non-Executive Director of au Domain Administration Limited (auDA), a not-for-profit organisation established by the Australian Internet community to administer a trusted .au for the benefit of all Australians, and champion an open, free, secure and global Internet. Mike is a Graduate of the Australian Institute of Company Directors (GAICD), Member Australian Information Security Association (MAISA), an AISA Board Member, ISACA Melbourne Chapter Board Member, Member of National Standing Committee on Digital Trade.

Mike’s professional credentials include being a Certified Information Systems Manager (CISM); Certified Data Privacy Solutions Engineer (CDPSE); and Certified Information Systems Auditor (CISA). He is also a member of the International Association of Privacy Professionals (IAPP) and is an ICG Accredited Professional. He has an MBA, Accounting and Finance and BS, Management Science, Computer Science, and Psychology.

Mike is the co-author of The New Governance of Data and Privacy: Moving from compliance to performance, Australian Institute of Company Directors, November 2018.

Malcolm was the founding President of the International Association of Privacy Professionals Australia New Zealand (iappANZ), an affiliate of the US based International Association of Privacy Professionals (IAPP). He was a Director of IAPP from 2007 to 2011.

Malcom is a member of the Independent Advisory Board to the Minister for Government Services. He is a a member of the Palantir Council of Advisors on Privacy and Civil Liberties (PCAP). In 2023-24, the Minister for Finance appointed him to a small Expert Panel on Digital ID advising her on the Digital ID Bill. During the COVID-19 epidemic, he advised on COVIDSafe apps for the governments of New South Wales and Victoria.

Through IIS, Malcolm has advised a wide range of industry sectors. He has also consulted to the Asia Pacific Economic Cooperation forum (APEC) on implementation of the APEC privacy framework, to the Organisation for Economic Cooperation and Development (OECD), as well to a number of projects funded by the EU Framework Programmes for Research and Technological Development.

For some 20 years, Malcolm was a Director of Bellberry Limited, a private not-for-profit company which provides health ethics advisory services. In that time, he also chaired PRAXIS Australia Ltd, a Bellberry subsidiary, a private not-for-profit company that promotes the conduct of ethical research involving human participants, for the first five years through its startup phase. For many years he was a member of the New South Wales Government Information and Privacy Advisory Committee and the Microsoft Trustworthy Computing Academic Advisory Board.

Between 1996 and 1999, Malcolm was Manager of Government Affairs for AMP Ltd. In the previous 20 years he was a senior executive in the Federal Department of Finance, was founder and trustee of a new industry superannuation scheme and worked in the Transport and Health portfolios.

Malcolm is a Fellow of the Australian Institute of Company Directors and is an IAPP Certified Information Privacy Professional. He was made a Member of the Order of Australia in 2016 for significant service to public administration, particularly to data protection, privacy, and identity management, and to the community. Malcolm received the IAPP 2012 Privacy Leadership Award in Washington DC in recognition of his global reputation and expertise in privacy. He received the inaugural Chancellor’s Medal for distinguished contribution to the Australian National University in 2004. Malcolm has degrees in Chemistry and Economics.

Malcolm is a co-author of The New Governance of Data and Privacy: Moving from compliance to performance, Australian Institute of Company Directors, November 2018.

Eugenia has been leading privacy and security engagements across the education, health, critical infrastructure and government sectors. Recent client engagements include:

• An independent review of an organisation in response to an enforceable undertaking from the Office of the Australian Information Commissioner
• Supporting a long-term data breach response and recovery as part of a multi-disciplinary team for the NSW Government for a major cyber incident, and PIA to support Service NSW’s application for a Public Interest Direction under s 41 of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act)
• Directing and completing over 20 PIAs and cyber security risk assignments in Commonwealth, NSW and Victorian governments, and in the education, health, not for profit, ICT, retail and financial services sectors
• Assisting clients with strategic privacy and security advice and thought leadership.

Prior to joining IIS, Eugenia worked in France, Spain and the UK on complex IT and telecommunications projects. Eugenia worked for EY IT Risk and Security Advisory for more than 10 years and then joined Colt Technology Services in Europe where she was the Group Head of Business Continuity. Returning to Australia in 2017, she worked in the NBN Co’s Risk & Resilience team.

Eugenia has a law degree from the University of Barcelona, a Master in Law from ISDE Business School and a Post Master in Technology Law from ESADE Business School. She has recently lectured at the IE Law School in Madrid as part of their annual EU GDPR Course.

Eugenia joined the Barcelona Bar Association in 1999.

She is a ISACA Certified Information Systems Auditor (CISA) and a Data Privacy Solutions Engineer (CDPSE) and a Qualified Associate Fellow of the Business Continuity Institute (AFBCI). She is a member of ISACA and BCI Melbourne Chapters, the Australian Information Security Association (MAISA), and the International Association of Privacy Professionals (IAPP).

In addition to English, Eugenia speaks Spanish and French.

Chong has led key privacy and security engagements across multiple industry sectors and for both domestic and global organisations. He has extensive depth and breadth to his privacy experience, including:

• Recent privacy impact assessments (PIAs) on the data sharing scheme proposed under the Australian Data Availability and Transparency Bill (DATB) and on a digital identity solution for a major global financial services company
• Conducting over 40 PIAs and Privacy Health Check (PHCs) for a diverse range of public and private organisations, including in government, retail, financial services, education, health, technology, law enforcement, energy, and transport sectors
• Helping organisations with tailored privacy and security audits and risk assessments, including in response to Office of the Information Commissioner (OAIC) enforceable undertakings, audit office findings, and legislative requirements
• Formulating privacy, governance and strategic advice and research for identity management, data sharing and linkage, de-identification of personal information, open data, privacy law reform and data ethics, including for one of the largest global digital platforms
• Drafting privacy notices, policies and internal governance frameworks
• Developing privacy tools, templates and programs specifically tailored for clients
• Conducting privacy and security audits on the handling of the first-of-its-kind NSW cross-agency Human Services Data Set, in accordance with the requirements set out in a Public Interest Direction and Health Public Interest Direction.

Chong has written on diverse topics such as the privacy legal landscape, Privacy by Design, trust, accountability and cross-border data flows, including for Microsoft, the National Centre for APEC, iappANZ and the Institute of Electrical and Electronics Engineers. His most recent work, co-authored with Malcolm Crompton and Michael Trovato, is The New Governance of Data and Privacy: Moving from compliance to performance, Australian Institute of Company Directors, November 2018.

Chong is a certified OneTrust Privacy Management Professional and GRC Solutions Expert. He is a member of the Australian Information Security Association (MAISA), the ISACA Sydney Chapter, and the International Association of Privacy Professionals (IAPP).

Chong is a graduate of Sydney Law School (Hons 1) and contributed to the Sydney Law Review as a student editor. He also holds an Honours Degree in Psychology and a Master of Teaching from the University of Sydney.

Natasha led the privacy impact assessment (PIA) work on the administrative data use by the Australian Bureau of Statistics and the data sharing scheme proposed under the Data Availability and Transparency Bill.

In addition to conducting numerous PIAs at IIS, Natasha has also led research on projects examining emerging privacy issues and regulatory responses. This has included options for international privacy regulatory harmonisation for a global digital platform, as well as research on the international regulation of digital platforms for the Office of the Australian Information Commissioner.

Prior to her time at IIS, Natasha worked for a decade at the federal privacy regulator during which time she engaged on a wide range of privacy issues, particularly in relation to new technologies, data analytics, de-identification, electronic health records and APEC privacy enforcement cooperation.

She was a member of the secretariat supporting the Government 2.0 Taskforce. During a secondment to the New Zealand Office of the Privacy Commissioner, Natasha drafted a major research paper and guide on privacy and CCTV. In 2008 she was awarded an Australia Day Achievement Medallion for her work supporting the Australian Privacy Commissioner.

Along with an in-depth knowledge of privacy regulation, Natasha has expertise in information law and policy more generally including freedom of information law and trends in open government.

Natasha holds a Bachelor of Arts (Hons 1) from the University of Sydney. She has also completed training courses on Fundamentals of internal audit; Administrative power and the law; Machinery of Government; and Policy Formulation.

Natasha is a member of the Australian Information Security Association (MAISA) and the International Association of Privacy Professionals (IAPP).

Alexander has led privacy and security engagements for a wide range of public and private clients from various industry sectors. Alexander has experience conducting privacy impact assessments (PIAs), privacy and cyber security health checks, privacy by design advice, researching on privacy and security trends and laws globally, and providing written strategic and practical advice.

Recent privacy engagements that Alexander has been involved in include conducting PIAs for various NSW and Victorian government departments and agencies on digitisation initiatives, and Privacy Health Checks for ASX-listed companies including a large health insurance provider and a hospitality group.

Recent security engagements that Alexander has been involved in include conducting a comprehensive assessment against cybersecurity industry standards for a project within a Victorian Government agency and conducting a privacy and security audit on the implementation of a NSW Government agency’s data handling practices in accordance with the requirements set out in a Public Interest Direction and Health Public Interest Direction.

Prior to joining IIS, Alexander worked at international law firm Herbert Smith Freehills. As a lawyer in the Private Equity practice group, he advised clients on a variety of transactions including capital raisings, mergers and acquisitions. Alexander also has extensive international business experience having worked at a multinational IT service provider in Paris, a private equity firm in New York and a top-tier tax consultancy in Berlin. Complementing his understanding of global corporates, Alexander has spent time working within international political organisations including the Human Rights division of the United Nations and SME division of the OECD.

Alexander holds a Bachelor of Commerce and a Juris Doctor degree from the University of Sydney. Alexander was admitted as a solicitor to the New South Wales Supreme Court in 2016. He is a Member of the Australian Information Security Association (MAISA), ISACA Sydney Chapter, and the International Association of Privacy Professionals (IAPP). He is also an ICG Accredited Professional.

In addition to English, Alexander speaks German.

Prior to joining IIS, Jacky worked as a research assistant and Project Officer for Professor Kimberlee Weatherall, who is a Chief Investigator with the ARC Centre of Excellence for Automated Decision-Making and Society, and Fellow at the Gradient Institute. Jacky contributed to research in the interaction between commercial/private law doctrines and potentially harmful practices of surveillance capitalism and data misuse. Through this, Jacky worked on consultation responses to various proposed changes to the privacy landscape such as the Australian Government Digital Identity System and the Trusted Digital Identity Framework.

Jacky also worked as a consultant in the Risk and Regulations team of PwC Australia, where he was involved in engagements with high profile financial institutions providing assurance for corporate risk management processes in line with APRA Prudential Standard CPS 220 Risk Management. Further, he advised C-Suite executives of insurers and superannuation trustees on the implementation of new financial laws and regulations such as the Financial Accountability Regime. Jacky also worked closely with several banks to develop and streamline their breach reporting processes, optimising for efficiency and accuracy.

Furthermore, Jacky has experience as a paralegal in the insurance law sector where he acquired extensive experience in legal research and gained proficiency with interpreting legislation and government guidance updates.

Jacky holds a Bachelor of Science and Laws from the University of Sydney. He is a member of the Australian Information Security Association (MAISA) and the International Association of Privacy Professionals (IAPP).

In addition to English, Jacky speaks Chinese (Mandarin).

Sarah has assisted public and private clients on a wide range of privacy engagements, including conducting privacy impact assessments (PIAs), privacy program management and culture building projects, Privacy and Cyber Security Health Checks and providing written strategic and practical advice.

Selected projects that Sarah has assisted in include:

• Online Education Services – Privacy Officer as a Service services including assistance in building a Privacy Management Framework and Privacy Management Plan, and raising privacy awareness
• Ambulance Victoria – assessment of Ambulance Victoria’s current information privacy practices in key divisions through an information gathering and analysis tool developed by IIS
• Victorian Department of Transport and Planning – conducting PIAs on various projects, including the Distracted Driver Camera Project, the Digital Driver Licence project, and the Fines Reform project
• Office of the Australian Information Commissioner (OAIC) – assistance with Privacy assessment of General Practice (GP) clinics’ compliance with the APPs and Rule 42 of the My Health Records Rule 2016; and Credit Reporting Code independent review
• Mastercard – Privacy Impact Assessment (PIA) on ID Network, assistance with TDIF accreditation
• Askable – Privacy Officer as a Service services including general advisory, international privacy legislation review and assistance with vendor onboarding.

Prior to joining IIS, Sarah was an Economic Intelligence Intern doing risk analysis for one of France's industrial nuclear energy companies, Framatome. Working within the Protection department, she provided the other business units of the company with due diligence reports, market studies and strategic advice on reputational risks and corruption. She also conducted an information protection audit on one of the company’s industrial sites.

Sarah also has diplomatic experience working at the French Consulate in Melbourne, where she assisted the Honorary Consul.

Sarah has a Master’s degree in European Security and International Stability from Sciences Po Strasbourg. She is a member of the Australian Information Security Association (MAISA) and the International Association of Privacy Professionals (IAPP).

In addition to English, Sarah speaks French.

He has assisted in projects including:

• Project-managing the development of the OAIC’s first major position and issues paper on Australian Government Information Policy, published on the opening of the new Office
• Australian Bureau of Statistics – Designing a tailored privacy management plan for the ABS and conducting privacy impact assessments with respect to the use of census data for sampling purposes
• A Large Hospitality, Resort, and Entertainment company – Reviewing Membership Programs and mapping out data flows with respect to its Sales’ Systems, and followed up with designing training programs
• A Global Strategy Consultancy – Researching and providing advice in the transferring of personal information or health related data to a different database
• Cancer Institute NSW – Conducting a PIA with respect to the releasing of a new platform which allows GP to get automatic updates from Medicare
• Austroads – Assisting with a PIA to evaluate the privacy impacts that may be associated with each state and territory road transport agency using the Face Matching Services provided by the National Facial Biometric Matching Capability
• Australian Institute of Company Directors (AICD) – Contributing to the The New Governance of Data and Privacy, a book co-authored by Malcolm Crompton, Michael Trovato, and Chong Shao.

Joshua holds a Hong Kong Lawyer License and is based in Hong Kong.

Before joining IIS, Joshua worked for the Privacy Commissioner for Personal Data, Hong Kong and was posted to the Policy and Research Division. He was directly supervised by the Privacy Commissioner of Hong Kong and was tasked with research projects relating to the European Union General Data Protection Regulation (GDPR), and emerging technologies such as electronic mobile payments, video analytics and location tracking, etc.

Joshua is a recent graduate from the Chinese University of Hong Kong, holding a Juris Doctorate degree with a scholarship and a Bachelor of Social Science (First Class Honours) in Sociology. He is a member of the International Association of Privacy Professionals (IAPP).

In addition to English, Joshua speaks fluent Chinese, Spanish and Cantonese.