Defining data sovereignty
APP 8 is expected to be especially troubling, as it relates to cross-border movement of personal data and has ramifications for those organisations using international cloud or hosting services.
The managing partner at privacy consulting firm Information Integrity Solutions (and former Privacy Commissioner), Malcolm Crompton, says APP 8 effectively means an organisation remains accountable for the handling of personal information that is sent overseas, unless it has formed the ‘reasonable’ belief that the overseas jurisdiction's law is substantially similar to Australian law, or there is a binding scheme in place.
“This business of remaining accountable is frightening a lot of people, and justifiably so,” Crompton says. “You can’t just wash your hands of your accountability simply by posting stuff offshore.”
The APPs also require organisations to revise the privacy notices they make available to the public, to demonstrate their compliance with the provisions of the new APPs.
They also face the requirement of being able to inform individuals as to where the information they hold came from, including if it was purchased from a third party. That means organisations must keep records of the provenance of the data they hold.
“That is a clear CIO function, because the CIO needs to have an answer to that question,” Crompton says.
Some organisations have been getting their act together well in advance. According to the Commonwealth Bank’s group executive and CIO, Michael Harte, the bank commenced its response to the new APPs in early 2013.
“This is progressing well, and we are on track to be ready for March 2014,” Harte tells CIO just before the end of 2014. “We have also introduced a Privacy Impact Assessment process which we use to identify privacy risks and recommend privacy enhancing business solutions at the outset of any new project that handles a customer’s personal information.
“This ‘privacy by design’ approach allows our teams to be more proactive in identifying and mitigating any privacy risks and identify privacy enhancing opportunities.”
Harte says the bank’s position is that competitive advantage comes from being recognised by customers as a trusted party regarding their privacy and security, such that they feel they have a strong, trusted and valuable relationship with the bank.
“I think it is critical that all executives are active in understanding the importance of trust, privacy and security in this increasingly digital world,” Harte says. “With this new inter-connectedness of our society, new speed, new apps and new services on mobile and in social – data has grown incredibly. Our customers’ digital footprints are all over a broader and deeper landscape so we need to understand their preferences.”
Other industries that hold large volumes of personal data have also been active in meeting the challenge of the new APPs.
Given that APP 7 relates specifically to the handing of data in a direct marketing context, compliance with the APPs has been a key area of focus for the Association for Data-driven Marketing & Advertising (ADMA) and its members.
ADMA chief executive officer, Jodie Sangster, says her organisation has been working closely with members to assist them in adapting to the APPs. While responsibility usually sits with their compliance teams, the bulk of what privacy legislation covers now is much broader.
“From an IT perspective it is all about the systems and the processes and making sure that data is used in a correct way and secure,” she says. “IT is absolutely intrinsically in the centre of privacy compliance, and any systems they are designing or developing need to be developed or designed with privacy in mind.”
ADMA supports the ‘privacy by design’ concept extolled by CBA, which encompasses planning for privacy across an entire organisation.
“That is saying that the whole organisation needs to be designed around making sure it is doing the right thing with personal information, which clearly involves the IT team,” Sangster says.
“The successful companies are going to be the ones that have brought in IT at an early stage and designed systems that can take privacy into account.”
Another group of organisations significantly impacted by the APPs are digital publishers and advertisers, many of whom use personal data and advanced analytics to maximise the profitability of their inventory.
According to the chief executive officer of the Interactive Advertising Bureau (IAB) Australia, Alice Manners, most IAB members are prepared.
“Consumers understand the need for an ad-funded Internet; they also want greater transparency and control over data and how it is used,” Manners says. “This provides a great opportunity for industry to proactively step in and fill the gap.”
She adds many have benefitted from a long heritage in handling privacy concerns. “A significant number of companies will manage substantial compliance through their existing privacy regime,” Manners says.
“So for our larger members this means their legal team has reviewed the entire data collection process across all business units.”
The IAB has also worked with the Australian Association of National Advertisers and the Media Federation of Australia to schedule workshops to facilitate learning and drive capability and compliance.