November 2023 ASD Essential Eight Maturity Model changes

November 2023 ASD Essential Eight Maturity Model changes

By Sascha Hess

The Australian Signals Directorate (ASD) updated its Essential Eight Maturity Model this November. Since 2017 the model has been updated regularly, supporting the implementation of the Essential Eight.

The Essential Eight can be considered a prioritised minimum security control baseline, referred to as mitigation strategies in the guide. The model comprises three maturity levels which can be considered ‘threat profiles’. Insights for refining the model are derived from various cyber-related fields, such as security testing, cyber threat intelligence, and learnings from responding to incidents.

This year, notable changes include:

  • Introduction of “patches assessed as critical by vendors” as an additional prioritisation criterion. Patches for critical security vulnerabilities for internet-facing systems are now required to be applied within 48 hours, even in the absence of a known exploit. Tighter time frames are also established for patching applications processing untrusted content from the internet (e.g., browser, PDF reader).

  • Enhancements to the use of multi-factor authentication (MFA) universally, like expanding the use of phishing-resistant MFA.

  • In response to attacks against citizens that continue to only use passwords, online access to organisation’s sensitive data now requires multi-factor authentication from Maturity level One.

  • A significant tightening of privileged account management practices around validation for requesting accounts, periodic revalidation, accounts with internet access and break-glass accounts.

As adding is typically favoured over removing in standards, it is good to see that the review also resulted in removing or easing a couple of requirements (i.e., macro execution event logging and patching for less important devices).

For a comprehensive list of changes, please visit the dedicated page on cyber.gov.au. IlS has compiled a marked-up table of the Essential Eight Maturity model which highlights the November 2023 changes for easier reference.

The increased focus on timely patching, use of robust multi-factor authentication and tightening the use of administrative access accounts help organisations to better defend against threat actors’ common attacks. IIS recommends all organisations to review their practices now in light of these changes.

IIS can help you review and uplift your current security practices and capabilities. Please contact us if you require assistance.

Queensland passes privacy reforms: Snapshot of key changes

Queensland passes privacy reforms: Snapshot of key changes

By Susan Shanley and Jacky Zeng

Queensland government agencies will be subject to new Privacy Principles as state parliament passes privacy reform.

Key points up front

  • The Information Privacy and Other Legislation Amendment Act 2023 was passed on 29 November 2023.

  • The information privacy reforms include:

    • consolidation of the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) into a single set of privacy principles: Queensland Privacy Principles (QPPs),

    • introduction of a mandatory data breach notification (MDBN) scheme, and

    • enhanced powers for the Information Commissioner to respond to privacy breaches including an own-motion power to investigate an act or practice without receiving a complaint.

  • The amendments commence on a day to be fixed by proclamation.

  • It is currently expected the reforms to the Information Privacy Act 2009 (IP Act) including the new QPPs, will begin on 1 July 2025. This means all agencies, including local government, would transition to the new QPPs on 1 July 2025. The MDBN scheme will likewise commence for all agencies except local government at that time.

  • A phased commencement of the MDBN scheme includes an additional 12-month delay for local government only to 1 July 2026.

Queensland Privacy Principles

The reforms to the IP Act include adopting a single set of privacy principles based on the Australian Privacy Principles (APPs) in the Privacy Act 1988 (Cth) (Privacy Act) referred to as the QPPs, replacing the NPPs for health agencies and the IPPs for all other agencies.

The new Schedule 3 in the IP Act sets out the QPPs which generally align with the APPs in the Privacy Act. There are some adaptations for Queensland agencies. Furthermore, some APPs and specific APP provisions which are not relevant to the Queensland government context have not been adopted in the QPPs.

IIS has undertaken a detailed comparative analysis of the IPPs/NPPs and the new and/or changed requirements under the QPPs, including what steps agencies and contractors can take now to prepare for the changes when they commence.

A snapshot of IIS’s comparative analysis is provided by reference to five questions and answers on the QPPs:

Question 1:

If a bound contracted service provider has an existing contract with a Queensland agency, does the contractor need to comply with the new QPPs once they commence?

Answer 1:

No, the QPPs do not apply to existing contracts and will only apply to new contracts entered into after commencement, unless there is agreement to a variation. This means the IPPs or NPPs will continue to apply to existing contracts.

The QPPs do not extend to subcontractors. However, contracted service providers should take steps to ensure any subcontractors supporting them in relation to Queensland government contracts have sufficient ability to manage privacy obligations. 

While the QPPs will not apply to existing contracts, IIS strongly recommends all businesses contracted to, or intending to, provide services to Queensland government agencies start the process of familiarising themselves with the revised requirements under the QPPs. 

This is particularly important given small businesses are currently largely exempt from the operation of the Privacy Act and unlikely to be familiar with the APPs and, therefore, the QPPs – which are largely modelled on the APPs – may be a mystery to them. Small business (and other contractors) will need to update their existing privacy arrangements for any new contracts entered into after commencement. 

Unlike the Privacy Act, the QPPs of the IP Act will apply to all bound contracted service providers and there is no exemption for small business providers.

Question 2:

There doesn’t appear to be a QPP equivalent of APP 8 – cross-border disclosure of personal information. What requirements apply to agencies and bound contracted service providers disclosing personal information outside Australia?

Answer 2:

While the Privacy Act includes a privacy principle about cross-border disclosure of personal information (APP 8) there is no equivalent QPP.

Under the Privacy Act, APP 8 and section 16C generally require an APP entity to ensure that an overseas recipient will handle an individual’s personal information in accordance with the APPs and makes the APP entity accountable if the overseas recipient mishandles the information (see Chapter 8: APP 8 Cross-border disclosure of personal information).

Section 33 of the IP Act is retained as the preferred method for regulating overseas disclosures of personal information rather than adopting an equivalent QPP 8. The term ‘transfer’ has been replaced with ‘disclosure’ in section 33 of the IP Act.

This means agencies (and contracted services providers where relevant) will continue to comply with section 33 of the IP Act. 

There is a note at QPP 8 which states ‘there is no equivalent QPP for APP 8.’

Question 3:

There is no detail provided under QPP 7, QPP 8 and QPP 9. What does this mean? How does an agency comply with these QPPs?

Answer 3:

The QPPs generally align with the APPs in the Privacy Act, with some adaptations for Queensland agencies. Some APPs that apply to organisations, specific Commonwealth agencies and Commonwealth functions have not been adopted.

APPs 7, 8 and 9 have not been adopted in the QPPs as they are not relevant to the handling of information by Queensland public sector agencies. APP 7 regulates direct marketing, APP 8 regulates cross-border disclosure of personal information (see previous question and answer) and APP 9 regulates the adoption, use or disclosure of government related identifiers (for example, Medicare numbers and driver licence numbers).

This doesn’t mean that there are no requirements for Queensland agencies in those areas above. For example, the disclosure requirements in QPP 6 are applicable for the use of personal information in direct marketing, and as noted, section 33 of the IP Act provides provisions for cross-border disclosures.

Where an APP (or a provision of an APP) has not been adopted in the QPPs, the QPPs include a note referring to the relevant APP or provision. For example:

The Editors note to QPP 7 – direct marketing states:

The Privacy Act 1988 (Cwlth), schedule 1 includes a privacy principle prohibiting direct marketing by certain private sector entities (see APP 7).

There is no equivalent QPP for APP 7.

Note—QPP 6 is relevant to the use or disclosure of personal information for the purpose of direct marketing.

Question 4:

What is a QPP code and how is this different to the QPPs? Do agencies bound by a QPP have to comply with it?

Answer 4:

A QPP code is a written code of practice about information privacy, approved by regulation, which states how one or more of the QPPs are to be applied or complied with by agencies that are bound by it. 

A QPP code may also impose additional requirements to those imposed by a QPP, to the extent that they are not inconsistent with a QPP. 

The purpose of the QPP code is to provide individuals with transparency about how their information will be handled. 

Once the amendments commence, agencies bound by a QPP code will be required to comply with the code and must not do an act or engage in a practice that contravenes a QPP code.

An example of a Code can be found under the Privacy Act. An APP Code is in force which sets out specific requirements and key practical steps Australian Government agencies must take as part of complying with APP 1.2. This includes requirements such as:

  • having a privacy management plan,

  • appointing a Privacy Officer, or Privacy Officers, and ensuring that particular Privacy Officer functions are undertaken,

  • appointing a senior official as a Privacy Champion to provide cultural leadership and promote the value of personal information and ensure Privacy Champion functions are undertaken, and

  • undertaking a written PIA for all ‘high privacy risk’ projects or initiatives involving new or changed ways of handling personal information.

Question 5:

Do the QPPs impose requirements on agencies to have a privacy policy?

Answer 5:

Yes, QPP 1.3 requires an agency to have a clearly expressed and up-to-date privacy policy about the management of personal information by the agency.

Other requirements placed on agencies under QPP 1 regarding privacy policies include:

  • ensuring the privacy policy contains the required information, and

  • taking reasonable steps to make its privacy policy available to the public free of charge and in an appropriate form. For example, an agency may do this by publishing its privacy policy on the agency’s website. 

IIS strongly recommends all agencies have a clearly expressed and up-to-date privacy policy in the interest of best privacy practice and openness and transparency about the handling of personal information.

Need assistance?

The above snapshot represents only a small sample of the changes Queensland agencies (and the businesses that support them) will need to make to ensure they are compliant with the QPPs once they commence.

It is important to be ready for the coming changes! As a leading Australian privacy consultancy, and a trusted service provider to the Queensland government, IIS can help. We can assist with your readiness assessment and we offer comprehensive privacy training, governance support, MDBN scheme preparedness and many other services to support your agency in addressing these important reforms.

Please contact IIS to find out more.

Digital ID Bill introduced to the Senate

Digital ID Bill introduced to the Senate

By Natasha Roberts

On 30 November 2023, the Minister for Finance and the Attorney General announced that the Digital ID Bill had been introduced into the Senate, a historic step to strengthen and expand Australia’s Digital ID System and do more to protect Australians’ privacy and security settings in the digital age.

The Government released an Exposure Draft of a Digital ID Bill in September 2023, aimed at formalising in legislation a digital ID system that has been under development in Australia for many years. IIS Partners made a submission on the 2023 Exposure Draft and a submission to an earlier 2021 Exposure Draft identifying ways in which its protections could be strengthened.

It is gratifying to see suggestions presented in our submission taken up in the Bill as introduced – or at least this is our understanding from an admittedly quick review of the Bill.

Voluntariness

In particular, it is pleasing to see a strengthening of provisions protecting the voluntariness of digital IDs. Guaranteeing that participation in digital ID systems will be voluntary and non-compulsory is one of the strongest protections available to individuals to avoid overreach by government or other entities and worsening of the power imbalance over individuals.

To that end, our submission raised concern over an exception in the Exposure Draft that would override the voluntary use requirement where ‘a law of the Commonwealth, a State or a Territory requires verification of the individual’s identity solely by means of a digital ID.’ Such a provision, we pointed out, would allow future encroachment on voluntary use. We are pleased to see the removal of that exception from the Bill.

Law enforcement and national security exceptions

Another major area of concern for us was the permissiveness of law enforcement and national security exceptions in the Exposure Draft. IIS has been on the record in a July 2021 submission and again in a October 2021 submission regarding our concern about such exceptions which we find to be too broad, establishing too low a bar for disclosure to these agencies, and too weak a framework for oversight.

With this Bill, we see some narrowing of law enforcement and national security exceptions. For example, one of the main clauses enabling disclosure for law enforcement purposes (clause 54) now formally excludes biometric information – disclosure of biometric information for law enforcement purposes is regulated under a separate provision and requires the higher bar of a warrant before disclosure.

We also see that certain exceptions within clause 54 appear to have been narrowed. In the Exposure Draft personal information could be disclosed for law enforcement purposes where the accredited entity was satisfied that the enforcement body reasonably suspected that a person had committed an offence or breached a law imposing a penalty or sanction. In the Bill this has been narrowed to allow disclosure where the accredited entity is satisfied that the enforcement body has started proceedings against a person for an offence or in relation to a breach of a law imposing a penalty or sanction. The penalty for breaching clause 54 has also been increased from 300 penalty units in the Exposure Draft to 1500 penalty units in the Bill as introduced.

IIS remains of the view that the Minister’s stated goal of ‘inclusivity’ is likely to be threatened by an overly permissive approach to law enforcement access to information handled and generated by digital ID systems. Law enforcement or national security access has the potential to negatively impact trust in the system which in turn will negatively impact inclusion, especially for individuals who already have a low trust in government or generally on the margins of society.

Looking ahead

In our view, these changes are in the right direction and we will continue to advocate for strict limits on law enforcement and national security access to digital ID system information. IIS continues to be very engaged in this space with Malcolm Crompton, Founder and Partner at IIS, appointed to the Ministerial Digital ID Expert Panel to provide independent advice on Australia’s digital ID program.

The Digital ID Bill was introduced to the Senate where it was referred to the Senate Economics Legislation Committee. The Committee is due to report on the Bill by the end of February 2024. Noting that much of the Committee review period is over December and January when people are busy or away, IIS urges anybody with a point of view on the Digital ID Bill to prioritise making a submission.

Privacy Act review: A closer look at children's privacy

Privacy Act review: A closer look at children's privacy

By Natasha Roberts

In this post, we take a closer look at proposals related to children’s privacy contained in the recent Privacy Act Review Report (the Review) – proposals to which the Government has agreed or agreed in principle.

What was the problem the Review was trying to address?

There is growing recognition that children and young people may be vulnerable in relation to privacy, particularly online. The Review noted that in the digital age kids are increasingly ‘datafied’ and that personal information about children can be used to build profiles and identify moments that children may be particularly vulnerable or receptive to online targeting and marketing (including in relation to harmful products and messaging). As the Report observed, this may affect children and young people’s autonomy and capacity to freely develop their identity.

How did the review propose to address this problem?

The Review took a multifaceted approach to addressing children’s privacy including the following…

Define ‘child’ and restrict marketing, targeting and trading in personal information

Currently the Privacy Act does not define ‘child’ and there are no specific provisions applying to children’s privacy (though organisations are expected to consider an individual’s capacity to consent which may include considerations of age or maturity). The Report proposed reforming the Privacy Act to define a child as an individual under 18 years of age.

In formally defining the meaning of child, the Privacy Act would then provide for certain specific provisions that apply only to children. These include proposals to prohibit the ‘trading’ of personal information of children and restrictions on ‘direct marketing’ and ‘targeting’ of children, other than marketing or targeting that is in the best interests of the child (for example, targeted marketing for essential child support, counselling and community services).

Codify ‘capacity’ in relation to consent

The Privacy Act contains several exceptions that allow certain information handling with the consent of the individual. However, deciding when children have ‘capacity’ to consent can be difficult, in recognition of varying levels of maturity at different ages. Up until now, the Privacy Act has not specified a particular age at which children may consent on their own behalf and guidelines issued by the Information Commissioner have stated that an organisation must decide on a case-by-case basis if an individual under the age of 18 has the capacity to consent. Where that is not practical, the Information Commissioner advises that an organisation may assume an individual over the age of 15 has capacity, unless there is something to suggest otherwise.

The Review recommended retaining this ‘middle path’ between individualisation and practicality, noting that over-reliance on parental consent was impractical and undesirable. The Review did however propose that the Privacy Act codify the principle that valid consent must be given with capacity. While this would result in a change to the Act, it should not result in a major change of approach for organisations given that it formalises what is already contained in the Information Commissioner’s guidelines and what should already be occurring in practice.

Build consideration of ‘best interests of the child’ into fair and reasonable test

Elsewhere we have discussed the proposal for the introduction of a fair and reasonable test to the Privacy Act. The Review further proposes that any such test require organisations to have regard to the best interests of the child as part of considering whether a collection, use or disclosure is fair and reasonable in the circumstances. In our view, this is the most far-reaching of the children’s privacy reforms as it puts the best interests of the child at the heart of decisions about information handling.

Introduce a Children’s Online Privacy Code

Other jurisdictions (notably the UK) have promulgated codes to regulate the privacy of young people online. The Review considered models adopted in those other jurisdictions and came to the view that Australia should introduce a Children’s Online Privacy Code that applies to online services that are ‘likely to be accessed by children’ and which aligns with the UK Age Appropriate Design Code, to the extent possible. According to the Review, a code could address:

  • Whether specific requirements are needed for assessing capacity

  • Whether certain collections, uses and disclosures of children’s personal information should be limited

  • Which default privacy settings should be in place

  • Whether entities should be required to ‘establish age with a level of certainty that is appropriate to the risks’ or apply the standards in the Children’s Code to all users instead

  • How privacy information (including collection notices and privacy policies) and tools that enable children to exercise privacy rights (including erasure requests) should be designed to improve accessibility for children, and

  • If parental controls are provided, how to balance the protection of the child with a child’s right to autonomy and privacy from their parents in certain circumstances.

The Review also proposed amending the Privacy Act to require that collection notices and privacy policies be clear and understandable, in particular for any information addressed specifically to a child. In the context of online services, these requirements are to be specified in the Children’s Online Privacy Code. Specifically, the Code could provide guidance on the format, timing and readability of collection notices and privacy policies.

What are the key takeaways for my organisation?

Privacy law reform is still ongoing, therefore this in an area on which to maintain a watching brief. That said, there is nothing to stop you from reviewing the bullets listed above and assessing your personal information handling activities against those standards. We suggest:

  • Identifying whether you handle children’s personal information and in what circumstances (for example, in person, online etc) to determine how you may be affected by reforms

  • Maintaining a watching brief on privacy law reform to see how proposals related to children’s privacy are implemented in practice

  • Engaging in consultation – the Government has committed to further consultation on children’s privacy and there are likely to be opportunities to comment on bill exposure drafts and the draft code, as its developed

  • Reviewing the UK’s Age Appropriate Design Code to gain insight on the possible scope and approach of the proposed Children’s Online Privacy Code, noting that the Review specifically called for the proposed code to align with the UK’s Age Appropriate Design Code to the extent possible, and

  • Considering whether your organisation’s handling of children’s personal information meets the ‘best interests of the child’ test, which is likely to form part of the proposed ‘fair and reasonable test.’ This may require consideration of whether, throughout the handling of a child’s personal information, a child’s physical, psychological and emotional wellbeing is protected.

Privacy Act review: A closer look at the fair and reasonable test

Privacy Act review: A closer look at the fair and reasonable test

By Natasha Roberts

In this post, we take a closer look at the ‘fair and reasonable test’ – a proposal in the recent review of the Privacy Act 1988 (Cth) (Privacy Act) which the Government ‘accepted in principle’. In our view, the introduction of a fair and reasonable test to the Privacy Act is welcome and has the potential to rebalance the Privacy Act away from personal responsibility (‘Well, you consented so it’s on you if your privacy was impacted’) and towards organisational responsibility (‘We, the organisation, agree to handle this personal information fairly and reasonably’).

What was the problem the Review was trying to address?

Notice and consent have become less effective over time

Notice and consent are often held up as critical elements of privacy law. They are there to ensure transparency and individual choice when it comes to the handling of personal information. Under Australian Privacy Principle (APP) 5, individuals must be told certain information when their personal information is collected including the purpose of collection (notice) and must, in most cases, under APP 6 be asked for permission before the information is used or disclosed for secondary or unrelated purposes (consent).

There’s no doubt that notice and consent will continue to play an important role in the Privacy Act. Indeed, privacy laws the world over include notice and consent as baseline principles. The problem is that over time, notice and consent have become less effective to about the same degree that personal information handling has become more complex and privacy-invasive.

Information handling has become more invasive over time

When the Privacy Act was first introduced in 1988, we lived in a largely paper-based world in which data handling was constrained by practical limitations like the inability to make use of large amounts of hardcopy information and the expense of storing it. There was no information economy in the sense we understand today. And there was no incentive for organisations to collect excess amounts of personal information or to repurpose the information for other (profit-raising) activities. It is possibly for this reason that the Privacy Act contains virtually no restriction on the ‘primary purposes’ for which organisations may use and disclose personal information.

You can see how today – in an environment that rewards data innovation, accumulation and reuse – personal information handling may expand into increasingly privacy-invasive areas – areas that were unanticipated in 1988 or indeed even in 2012 when the APPs were introduced to replace earlier principles.

This creates two pain points for privacy law

The first pain point is that the legislation has inadequate brakes available for unethical or privacy-invasive data handling activities. It simply did not need those brakes before. If an organisation collects personal information for the primary purpose of profiling children and selling such information to other businesses, for example, APP 6 would seem to permit this. Submissions to the Privacy Act review also pointed out that organisations have significant discretion in determining whether a collection is ‘reasonably necessary’ for their functions and activities under APP 3.

The second pain point is that data handling has become much more complex in recent decades and this has significant implications for the operation of informed consent. How can an individual be adequately informed if you need a degree in data science to fully grasp what is going to happen to your information? In other comparable settings, we do not expect individuals to have subject-matter expertise. We do not, for example, demand that airline passengers read lengthy statements about aeronautics and safety testing and then ‘consent’ to fly on a certain type of aircraft. Of course, passengers should not have to bear risk or responsibility for aircraft safety. Nor should they have the ‘choice’ to fly on risky, poorly-maintained aircraft. We are at a point now where the same principles should apply to data handling.

You might think that the difficulty of obtaining informed consent in these circumstances would cause a natural shift away from reliance on consent for data processing. Well, you would be wrong. As data processing has become more complex, consent notices have become prevalent, along with being longer and more technical.

Thankfully the Privacy Act Review Report recognised this, noting that ‘where digital innovation is exponentially increasing the amount of personal information and sources from which it is collected, it is not reasonable that individuals should bear primary responsibility for ensuring that they do not experience harm as a result of an entity’s information-handling practices.’ It also noted that ‘the diversity, change and novelty in digital information-handling practices may mean that individuals do not appreciate the scale, or even the existence, of privacy risks.’

How did the Review propose to address this problem?

Enter the fair and reasonable test

To address these obvious shortcomings in the current regulatory approach, the Review Report proposed that the Privacy Act be amended to introduce a requirement that the collection, use and disclosure of personal information be fair and reasonable in the circumstances. In applying this ‘fair and reasonable test,’ the Review Report proposed that certain matters be taken into account, including:

  • Whether an individual would reasonably expect the personal information to be collected, used or disclosed in the circumstances

  • The kind, sensitivity and amount of personal information being collected, used or disclosed

  • Whether the collection, use or disclosure is reasonably necessary for the functions and activities of the organisation or is reasonably necessary or directly related for the functions and activities of the agency

  • The risk of unjustified adverse impact or harm

  • Whether the impact on privacy is proportionate to the benefit

  • If the personal information relates to a child, whether the collection, use or disclosure of the personal information is in the best interests of the child, and

  • The objects of the Act.

Perhaps, most importantly, the Review Report specifically proposed that the fair and reasonable test apply irrespective of whether consent has been obtained. Our hope is that, in the future, it will be harder for individuals to ‘consent away’ their rights to fair and reasonable information handling.

What are the key takeaways for my organisation?

Privacy law reform is still ongoing, therefore this in an area on which to maintain a watching brief. That said, there is nothing to stop you from reviewing the bullets listed above and assessing your personal information handling activities against those standards. We suggest:

  • Maintaining a watching brief on privacy law reform to see how the fair and reasonable test is implemented in practice.

  • Engaging in consultation processes associated with Privacy Act reform – the Government has committed to further consultation on the fair and reasonable test and there is likely to be opportunities to comment on bill exposure drafts.

  • Taking the time to review the fair and reasonable factors listed above to see how they apply to your information handling practices – aside from anything else, they offer a baseline for fair and reasonable collection, use and disclosure of personal information.

  • Considering the fair and reasonable factors listed above in any privacy impact assessment or product development process.

Queensland’s proposed privacy and information reforms: What you need to know

Queensland’s proposed privacy and information reforms: What you need to know

By Jacky Zeng

The Information Privacy and Other Legislation Amendment Bill 2023 (the Bill) was introduced into Queensland Parliament on 12 October 2023.

The Bill has been referred to the Education, Employment and Training Committee for consideration.  IIS Partners will be submitting our thoughts on the Bill, with written submissions closing on 3 November 2023.

Key points up front

  • A proposed Bill amending Queensland’s privacy legislative framework in the Information Privacy Act 2009 (Qld) (IP Act) has been introduced into the Queensland Parliament.

  • The Bill would implement long awaited reforms to strengthen Queensland’s privacy legislative framework and require Queensland agencies to comply with additional privacy obligations.

  • Key amendments include introduction of a mandatory notification of data breaches scheme, a consolidated set of Queensland privacy principles (QPPs) and a revised definition of personal information to align with the definition in the Privacy Act 1988 (Cth) (Privacy Act).

Context of privacy law reform in Queensland

The Bill is the culmination of a long review process and recommendations for legislative changes from several reports and reviews. Recommendations for legislative reform can be first traced back to the Report on the Review of the Right to Information Act 2009 and Information Privacy Act 2009 (October 2017).

The Bill additionally addresses a number of recommendations from the Crime and Corruption Commission’s Operation Impala: Report on misuse of confidential information in the Queensland public sector (February 2020) which highlighted the serious impacts on individuals of public officers within government having unauthorised levels of access to systems and information (including personal information). Both the Operation Impala Report and the later Coaldrake Report into culture and accountability of the Queensland Government (June 2022) recommended that mandatory notification of data breaches be introduced as a requirement for Queensland government agencies.

The Queensland Government consulted the public on proposed reforms to Queensland’s Information Privacy and Right to Information frameworks, through release of the consultation paper Proposed changes to Queensland’s Information privacy and right to information framework in June 2022.

IIS notes that the timing of the Bill coincides with significant legislative reforms in privacy at the Commonwealth level. In September 2023, the Australian Government released the Government response to the Privacy Act Review. For a detailed discussion on this topic, see IIS’s first reaction and the interview given to SBS News by IIS Partner Nicole Stephensen.

Some key features of the Bill

Mandatory notification of data breaches

The Bill introduces a scheme that would make it mandatory to notify the Office of the Information Commissioner of Queensland (OIC) and affected individuals of ‘eligible’ data breaches (i.e., unauthorised access, disclosure or loss of personal information). The scheme would apply to Queensland agencies (i.e., those to which the IP Act applies) and largely mirrors the scheme in the Privacy Act.

QPPs

The Bill introduces a new unified set of QPPs which align closely with the Australian Privacy Principles (APPs) in the Privacy Act. This consolidates the IP Act’s existing two-pronged approach, where National Privacy Principles (NPPs) apply to Queensland Health agencies and the Information Privacy Principles (IPPs) apply to all other Queensland agencies, including local government, statutory bodies and public universities.

Definition of personal information

The Bill provides a revised definition of ‘personal information’ which is presently defined as ‘information or an opinion about an identifiable individual, or an individual who is reasonably identifiable from the information or opinion: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not’. The intention of the revision is to ensure alignment with the same definition in the Privacy Act.

IIS notes that the definition for ‘personal information’ in the Privacy Act has not yet been settled, which may – depending on outcomes of the Commonwealth privacy law reform process – necessitate an additional review and revision of the Queensland definition to ensure ongoing alignment.

Enhancing the powers of the Queensland OIC

The Bill provides for enhanced powers and functions for the OIC including:

  • A power to conduct own motion investigation of an act, failure to act or practice of an agency which may be in breach of the privacy principles or other obligations under the IP Act, and

  • Additional powers in relation to mandatory notification of data breaches, including a power of entry to an agency’s place of business (once notice procedures have been complied with) to observe its data handling practices and the power to direct an agency to give a statement and make recommendations, including a description of the data breach and steps an affected individual should take in response to the data breach.

Under the proposed changes Queensland agencies will be required to publish their data breach policy on their website and keep a register of eligible data breaches of the agency.

What’s next?

It is important for Queensland agencies to stay up to date with these proposed legislative reforms and ensure they follow them once adopted by the Queensland Government.

Some measures Queensland agencies can take now in preparation for these reforms:

  • Conduct a privacy maturity assessment and/or review specific information and privacy practices: Agencies should conduct a thorough review of their ability to comply with (current and) proposed privacy regulation in Queensland. Some relevant areas of information and privacy practice are: data collection, storage and sharing.

  • Implement privacy by design (PbD): PbD is a best practice approach that involves building privacy protections and safeguards into products and services from the outset, with a focus on prevention (rather than remediation). Agencies should consider implementing this approach to support compliance with the new regulations.

  • Establish and publish a data breach policy: The Bill will require agencies to prepare and publish a data breach policy on an accessible agency website. A data breach policy is a document that outlines how an agency will respond to a data breach, including a suspected eligible data breach. It may outline the responsibilities and procedures in place for the agency to investigate, assess, and notify the OIC and individuals (where required). Agencies should implement and regularly test their data breach policy to ensure they are able to meet proposed breach notification requirements, and effectively respond to data breach events.

  • Train employees on privacy best practices: Employees play a critical role in an agency’s privacy outcomes. Agencies should provide regular training to employees on privacy rules and best practices to ensure they are aware of their responsibilities and how to handle personal information.

  • Consult a privacy professional: Organisations can partner with a privacy professional to provide the above services leveraging years of expertise and relevant public sector experience. This is particularly helpful when privacy resources in the agency are stretched. Contact IIS to discuss how we can help you stay on top of these Queensland privacy reforms.

First reaction to the Government's response to the Privacy Act review

First reaction to the Government's response to the Privacy Act review

By Natasha Roberts

Two weeks ago, the Government released the Response to the Privacy Act Review Report. And for many of us, who participated in multiple rounds of consultation, who engaged with critical law reform questions, who offered solutions to challenges created by the digital age, who hoped the Government was ready to take an ambitious leap forward…

First, there was a feeling of disappointment…

…as we came to terms with the fact that the Government had agreed to only 38 of a possible 116 proposals, and ‘agreed-in-principle’ to a further 68. No ambitious leap. More of a reluctant step forward in which the privacy law ‘can’ was kicked down the information superhighway. What ‘agreed-in-principle’ will mean in practice remains unclear. Naturally, many of us are concerned about the potential for serious watering down or backing down. Only time will tell.

…next, we took stock of the missed opportunities…

Perhaps unsurprisingly, the Government decided against taking up proposals to narrow the political exemption. We will leave it to others to point out the double standard inherent in this decision.

But, we in the privacy and security community are a pragmatic bunch and must invest our energies in…

The parts the Government got right

While the ‘agree-in-principle’ (rather than the straight ‘agree’) response to many proposals introduces uncertainty, there is, at least, an opening to work with Government to push those proposals forward. The following reforms have the potential to make a real difference to the privacy rights and protections of everyday Australians:

Updating the definition of personal information to close gaps in protection, particularly online. We particularly commend the Government’s recognition of the privacy impact of individuation. In its response, the Government made clear that it ‘considers that an individual may be reasonably identifiable where they are able to be distinguished from all others, even if their identity is not known’ (p 5). A change to the scope and coverage of the Privacy Act along these lines could mean a significant uplift in privacy protection.

Introducing a ‘fair and reasonable’ test. Currently the Privacy Act offers little direction on the uses an organisation may make of personal information, except that the information must be necessary to a defined use and should not be used for other purposes (except in certain prescribed circumstances). This gives considerable latitude to organisations and leaves open the possibility that information is used for activities that do not meet community expectations.

Which is why the Government’s agreement-in-principle to a ‘fair and reasonable’ test – which would apply irrespective of whether consent has been obtained – is so welcome. The Privacy Act is in serious need of rebalancing. Privacy responsibilities – which are currently borne too heavily by individuals (under the at times deceptive doublespeak of ‘choice’ and ‘consent’) – should be transferred to organisations. Our hope is that, in the future, it will be harder for individuals to ‘consent away’ their rights to fair and reasonable information handling.

Strengthening children’s privacy. The Government has agreed-in-principle to a suite of proposals aimed at protecting children, particularly online. This includes restrictions on targeting of children online and prohibition of trading in children’s personal information. It also includes the development of a Children’s Online Privacy Code to ensure the best interests of the child are upheld in the design of online services, and to provide further guidance on how entities are expected to meet requirements regarding targeting, direct marketing and trading. We applaud this.

Aligning privacy and security. The law reform environment in Australia, broadly, has an information security flavour right now (or at least, one that is cognisant of the deep impacts of advanced persistent threats and cyber-crime and the impact of data breach on individuals), which highlights necessity of digital and data initiatives operating in an environment that is safe-for-work. The set of proposals (21.1-21.8) in the ‘Security, retention and destruction’ chapter are clearly reflective of this.

It is great to see that there will be clarity around securing personal information – with what ‘reasonable steps to secure personal information’ in APP 11 actually means in practice to be embedded in legislation. The Government has also agreed-in-principle to organisations being required to meet baseline privacy outcomes that are aligned with the forthcoming Australia’s Cyber Security Strategy. Given the common goals of the Government’s privacy and information security mandates, we look forward to seeing further developments here.

A final word on the law reform process

Regulating information privacy is notoriously difficult and multifaceted. The challenge is compounded by a rapidly evolving digital environment. The Privacy Act Review could have sat languishing in a backroom of the Attorney-General’s department, un-responded to and un-actioned. Instead, the Government has responded to the review and published its response. For this we are grateful. Yes, there have been some areas of disappointment in the Government response but overall, we’re encouraged to see the Government moving forward, despite the challenges.

Be assured that we will be watching closely to see how the next stage plays out.

Please contact us if you have any questions about the Privacy Act reform process and how it may affect your organisation. You can also subscribe to receive regular updates from us about key developments in the privacy and security space.

Getting back to privacy basics (PAW 2023)

Getting back to privacy basics (PAW 2023)

By Simon Liu and Chong Shao

For Privacy Awareness Week (PAW) 2023, IIS joined the OAIC and other organisations in promoting the importance of establishing a privacy foundation, as part of 2023’s theme ‘Privacy: Back to basics’.

This year’s theme puts the spotlight back on having a strong privacy foundation in light of recent high-profile data breaches in Australia and abroad. The OAIC has published its set of ‘Privacy 101’ tips for individuals, businesses, and government agencies.

IIS Partners Malcolm Crompton and Nicole Stephensen were invited to speak in various PAW events in Australia including IAPP Sydney KnowledgeNet and Office of the Information Commissioner Queensland, covering topics ranging from protecting your personal information in different settings, to a discussion about OAIC’s recommendations to the Attorney-General’s Department regarding the Privacy Act Review in 2022.

IIS mini bites: Getting back to privacy basics

At IIS, we strongly encourage organisations to proactively strengthen their privacy and security practices.

In this post, we summarise some key ‘Privacy 101’ basics that organisations can implement to be trustworthy, and therefore to be trusted by the customers and community that they serve.

1) Know your obligations

Understand the privacy laws and regulations that apply to you, and be aware of potential changes on the horizon (like the Privacy Act Review). Consider privacy as an integral part of your business. In other words, don’t just ‘tick the boxes’. Instead, build a privacy-aware culture and practice as part of your regular routine.

2) Have a privacy plan

Ensure that you have a Privacy Management Plan (PMP) in place to help build each component of the privacy foundation and introduce accountability for doing them. The OAIC has provided a PMP template to assess your current and future privacy practices here.

3) Appoint key privacy roles

Assign a senior staff member with overall responsibility for privacy, as well as staff member responsible for managing day-to-day privacy activities such as handling privacy enquiries and providing privacy advice. Ensure that the organisation’s leadership encourage a culture of privacy that values personal information and trust.

4) Assess privacy risks

Proactively undertake Privacy Impact Assessments (PIAs) that involve new or changed information handling practices, to assess the impact on privacy of individuals and steps to mitigate any risks. For high-profile or complex initiatives, consider engaging an independent expert to conduct the PIA.

5) Only collect or keep what you need

Minimise privacy risks by reviewing your products, services, and internal systems and processes to ensure that you only collect the personal information your organisation needs. Ensure that information that is no longer needed is destroyed or de-identified, to reduce the risk of data breach and possible impacts on customer trust and business objectives.

6) Secure personal information

Implement secure systems and processes to protect personal information from misuse, loss, and unauthorised access and disclosure. Start with the Essential Eight mitigation strategies. Recognise that the human element is often the ‘weak link’ – ensure that staff are aware of, and trained on, good security practices.

7) Simplify your privacy policy

Write your privacy policy in plain language and include a summary. Make it specific to your organisation and its information handling practices. Include information about how individuals and organisations can contact you about privacy matters.

8) Train your staff

Clearly outline how staff are expected to handle personal information in their direct duties. Provide tailored advice and training where their role requires it. Inform staff of the appropriate channel to report improper handling of personal information as well as data incidents and breaches.

9) Prepare for data breaches

Have a clear and practical data breach response plan that covers each stage of the data breach response. Regularly review and test out your plan to ensure staff and relevant team members know what actions to take.

10) Review your practices

Review and update your privacy policies and procedures regularly. Continually improve your privacy practices and anticipate future challenges, including keeping up-to-date with technological, market and regulatory changes.

Participating in Privacy Awareness Week 2023

IIS is proud to support PAW once again, as well as to help organisations with establishing privacy foundations. If you would like further information or assistance with raising privacy awareness and/or strengthening your organisation’s privacy and security practices, please reach out to us.

Privacy by Design - Beyond the buzz (Part 1)

Privacy by Design - Beyond the buzz (Part 1)

In this multi-part series, IIS Partner Nicole Stephensen explores Privacy by Design (PbD) – what it is, what it isn’t, why it’s important, how to implement it, and how to avoid turning it into insubstantial buzz.

Part 1 - It’s called ‘PbD’… not ‘PbD lite’

Privacy recap

Here we are – moving at lightning speed through the so-called ‘Fourth Industrial Revolution – where we have ‘gone digital’, interact and transact online, engage with internet enabled technologies and rely on government, industry, service providers, platforms and apps to securely manage and store our personal (and other) information. Privacy is widely relevant. It relates as much to our approach, as individuals, to the sharing of our personal information as it does to the treatment of that same information by the organisations we place our confidence in.

There is a highly normative value to privacy, and this digital age makes it difficult to define. When we provide training on privacy to our clients, the topic requires unpacking at the outset – considering everything from one’s ‘personal bubble’, to the crevices of physical and mental health, to the multitude of ways we communicate, to the information about ourselves we consider sacrosanct. What privacy means to the people in the room (and what they expect from organisations in terms of privacy protection) is slightly different for everyone, depending on their age and experiences, circumstances, access to (and comfort with) technology and other factors. This presents a challenging starting point for organisations.

Legislators have given us some guardrails here by setting out that privacy, as a duty owed to the community, is about (in the simplest of summaries) the collection, management and protection of personal information in accordance with the law – for example, the Australian Privacy Principles and other rules set out in the Privacy Act 1988, or whatever state, territory or other jurisdiction’s privacy law applies in the circumstance. Implicit in these guardrails, although a point often missed, is remaining aware of and responsive to community expectations.

Privacy by Design

Using guardrails effectively can be difficult if privacy isn’t part of organisational mindset. Enter Privacy by Design (PbD). PbD is a best practice approach to personal information management coined by former Ontario Privacy Commissioner Dr Ann Cavoukian in the 1990’s. It ‘[advances] the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation. The original seven (7) PbD principles are shown at Figure 1:

PbD seeks to ensure that privacy is an organisation’s first thought, not an afterthought; that it is incorporated from the outset in proposed projects, initiatives or technologies as opposed to being retrofitted (if that’s even possible) at a later time. It extends to what Dr Cavoukian referred to as a ‘”[t]rilogy” of encompassing applications’, impacting privacy design (or engineering) from a project perspective and privacy culture from an organisational perspective.

Importantly, PbD requires commitment to all of the principles, as opposed to cherry-picking those that appear to serve the organisation (remembering that PbD isn’t about the organisation; it is, foremost, about the people entrusting the organisation with their personal information). For Australian organisations, a PbD ethos and attention to PbD principles in project design and decision-making offers a compliance edge in respect of meeting their APP 1.2 obligations.

Our colleague R Jason Cronk wrote the IAPP textbook Strategic Privacy by Design in an effort to address challenges governments, organisations, project teams and developers face when seeking to take a PbD approach – that is, PbD offers principles that are lacking in specificity (they tell us what when we’d really like to know how). While perhaps unintentional as a take-away, the most striking aspect of Cronk’s book is the patient attention to all of the PbD principles while presenting his approach to designing for privacy, as opposed to simply highlighting those most useful or expedient.

PbD is not easy, and there is no one way to do it best, but taking all the principles together is the intent of the exercise. In Dr Cavoukian’s introduction to PbD, she states that ‘[t]he objectives of Privacy by Design… may be met by practicing the following 7 Foundational Principles [emphasis added]’. Playing on the oft-used cooking analogy (that PbD ‘bakes privacy in’), it’s unlikely that a complex layer cake will materialise without using all the key ingredients.

The trouble with ‘PbD lite’

A selective approach to PbD – ‘PbD lite’ – is becoming increasingly mainstream. We have recently seen acknowledgement, on the basis of ‘shopfront’ reviews of organisations and their services, that meeting the benchmark set by one PbD principle is award-worthy. It is vital to recognise and champion hard work happening in the privacy space, and it is useful to analyse where organisations are achieving greatest successes in respect of PbD; however, meeting the requirements of one principle does not necessarily signal the big-picture, holistic, inclusive, privacy mindset-meets-action concept of PbD.

Rather, it can create an impression for the community and competitors that an organisation has got privacy ‘in the bag’ and can be trusted over others. The Australian Broadcasting Corporation (ABC), for example, recently received an award for ‘visibility and transparency’… however, a well-executed privacy policy (assuming that’s the award-winning part) cannot, in isolation, suggest that PbD is what the ABC does well (and certainly not in the wake of the ABC iView privacy debacle).

We have also seen PbD used to promote surveillance solutions for schools, where targeted website links and brochure-style comms focus on how privacy has been ‘designed in’ to the solution. While principles of end-to-end security and transparency may be touted by these vendors (e.g., ‘secure monitoring and communication with schools’ and ‘our PbD link tells you more’), this is not PbD at work nor is it PbD as a market differentiator. It’s a seamy consequence of ‘PbD lite’ – using privacy to sell platforms or services that, by their nature and design, violate privacy through covert monitoring of student activities in online environments.

A recent Human Rights Watch investigation highlighted that many EdTech platforms and services (those with and without an obvious or upfront surveillance component) have no compunctions about sharing personal information of children with their AdTech partners – making privacy, whether or not there is any hint of it ‘by design’, illusory indeed.

From ‘lite’ to right

Where ‘PbD lite’ may represent undercooked privacy practice at best and a drippy glaze for questionable privacy practice at worst – PbD of the intended variety offers something more solid. It speaks to the organisational ethos that comes with being privacy-minded and to the work (especially the constant attention and uplift) that comes with ensuring information practice is consistent with community expectations.

PbD requires diligence, patience and an enduring belief that privacy matters. Even if there are shortcomings or there is ‘work to do’ (and there almost always will be), organisations that subscribe to PbD have all the ingredients for success on hand to help elevate privacy from their to-do (compliance) list to being ‘just what we do here’.

>> Part 2, Bootstrapping PbD when the C-suite doesn’t care, will explore strategies for bringing PbD into your organisation (aka: winning hearts and minds).

If you want to be trusted, you have to be trustworthy (PAW 2022)

If you want to be trusted, you have to be trustworthy (PAW 2022)

By Sarah Bakar, Sarah Brichet and Chong Shao

2022 Privacy Awareness Week (PAW) is scheduled for 2-8 May. The OAIC’s PAW theme is Privacy: The Foundation of Trust. Its most recent survey of Australian attitudes towards key privacy issues revealed that Australians want more protection – 70% see the protection of personal information as a major concern.

This year’s PAW theme emphasises the importance of protecting privacy and building trust by putting in place the key foundations. The OAIC has published its set of privacy tips for individualsbusinesses and government agencies

IIS and building trust

At IIS, building trust has been a hallmark of our work. We consistently advocate that if an organisation wants to be trusted, it has to be trustworthy.

Trust was crucial in the advice we provided on the COVID Safe Check-In solutions for certain states, where it was important to establish and communicate the right privacy stance about the collection, use and storage of contact information, as well as location and potentially health information. We emphasised that failure to do so would result in the community not trusting the service and jeopardise the uptake of the solution.

Trust was also essential in our work with the Australian Bureau of Statistics (ABS). We helped develop the privacy strategy for its 2021 Census and encouraged ABS to demonstrate its trustworthiness by showing that their privacy undertakings were actually being delivered.

In this post, we provide our take on some key privacy foundations that organisations can implement to be trustworthy, and therefore to be trusted by the Australian community. 

1) Be honest - do not mislead

An early step for any organisation is to make a good promise about how it will handle the personal information it collects. This is usually presented in an organisation’s public-facing privacy documents, such as privacy policies, notices and consent forms.

The key is to not mislead consumers. Some questions for consideration:

  • If I cannot be honest about how I handle personal information or I need to obscure the truth then should I pursue this project/solution/process?

  • What does the community expect of us and do our promises meet these expectations?   

Being honest about how personal information is handled and communicating this in the right way helps to make an organisation trustworthy. 

2) Be clear, explicit and finite

The promises an organisation makes should be set out in its public-facing privacy communications and be clear, explicit and finite. As personal information is collected, used and disclosed in ever-greater ways, there is also a greater responsibility for organisations to get its privacy communication right.

Privacy legislation across Australia requires organisations to provide (i) contextual, just-in-time privacy collection notices, and (ii) a privacy policy that more comprehensively explains how an organisation handles personal information.

We believe privacy documents that are best at promoting trustworthiness will be clear, explicit and finite:

  • Clear – use simple, plain English to communicate to readers and active voice not passive voice if at all possible; avoid complex language and lengthy blocks of text 

  • Explicit – tell people exactly what you will do and how you will do it; avoid vague and general statements

  • Finite – make your promises bounded, ideally going as far as setting out what you will not do; avoid using open-ended phrases like “including” and “such as”

Developing privacy notices and policies is the baseline. For organisations pursuing best practice, they should creatively explore how they can communicate their privacy stance in different settings and audio-visual formats, as well as consider how to make privacy an enduring part of their brand.

3) Provide proof of performance

An under-appreciated but important step to building trust is to provide proof of performance. Once the organisation has made a promise, trust is strengthened when individuals can see that it is living up to the promise.

An organisation can demonstrate its privacy bona fides by conducting privacy impact assessments (PIAs) on its internal initiatives and privacy health checks on its wider organisational practice. Privacy bona fides will be reinforced by committing to remediation and improvement steps.

For organisations pursuing best practice, we think proof of performance involves:

  • Committing to a regular program of privacy assurance for BAU projects and for the organisation as a whole

  • Engaging external, independent experts to conduct assurance, especially where the stakes are high

  • Publishing the results of, and responses to, assurance activities

To sum up: we believe an organisation can increase its trustworthiness by providing evidence that it is following through and doing what it says it will do.

Participating in Privacy Awareness Week 2022

IIS is once again proudly supporting PAW this year. If you have been considering taking steps to raise privacy awareness and/or strengthen your organisation’s privacy practices, participating in PAW is an excellent starting point. Please reach out if you would like further information or assistance with your PAW initiatives.