CIO

New privacy laws: Have you done enough?

Some CIOs appear to have been bypassed in preparing for the changes, which are now in effect

On March 12 the Australian Government enacted a new set of laws that significantly enhance the privacy of Australian citizens, although it is likely that many won’t even notice.

But for any commercial organisation with revenue over $3 million, or healthcare providers of any size, the new Australian Privacy Principles (APPs) have a significant impact on the way they collect, store and utilise personal data.

For CIOs, that may have meant a lot of extra work in the lead up to March 12, and significantly, a lot of extra worries afterwards.

The new APPs replace the existing National Privacy Principles and are a response to a review by the Australian Law Reform Commission into the previous, two-decade-old regime.

Australian Privacy Commissioner, Timothy Pilgrim, says one of the main issues was to reform the principles and make sure they were keeping up with rapid changes in technology, and to make them more flexible.

“The Australian Privacy Principles have been designed in such a way as to reflect the changes that have occurred over the last 25 years in terms of how personal information is being handled,” he says.

“But importantly, they have been written as principles, so they can remain technology neutral, and can apply to new technology as they come into place, as well as deal with older-style means of collecting information.”

The APPs include new obligations in relation to activities such as the collection of personal data, including receipt of unsolicited personal information, as well as new requirements for informing individuals as to how data is being used. Importantly, APP 8 sets out specific requirements for what must happen when personal information is moved out of Australia.

Security is also a key consideration, with APP 11 setting out new requirements for the protection of personal information from misuse, interference, loss, unauthorised access and disclosure.

The Privacy Commissioner also gains the ability to approve privacy codes in relation to new technologies and their use for individual organisations or groups, and can develop his own codes to be imposed on technologies and the organisations that use them.

But while CIOs play an integral role as the custodians of customer data, it seems some have been bypassed in preparing for the APPs, or called on as a resource rather than as a strategic planner.

Information security specialist, David Simpson, says while awareness of the APPs in technologically mature industries such as banking and finance is high, the same cannot be said across all sectors. This is especially troubling in relation to APP 11, which he says should be a key priority for the involvement of CIOs.

“There is a big focus on that area, and the CIOs have been left out of the loop,” Simpson claims. “In the business units that made some of these choices on how information is stored, retained, archived, and deleted, I’m not sure many have the skills or knowledge at hand to make good choices.

“IT traditionally has all of the experience that could add value back into that decision making process. But more often than not they can be quite isolated from some of those front-line decisions. They feel they have been almost left outside of this privacy process in quite a number of the organisations we deal with.”

Penalties for breaching the new APPs are significant, with Pilgrim holding the power to levy fines of up to $1.7 million for serious and repeated breaches. And there is no amnesty for organisations that haven’t caught up yet.

Just a month before the laws were enacted, Simpson claimed many IT teams were still facing a significant compliance task to be executed. “It is going to take people months, and a big chunk of it has got to involve IT,” he said.


Defining data sovereignty

APP 8 is expected to be especially troubling, as it relates to cross-border movement of personal data and has ramifications for those organisations using international cloud or hosting services.

The managing partner at privacy consulting firm Information Integrity Solutions (and former Privacy Commissioner), Malcolm Crompton, says APP 8 effectively means an organisation remains accountable for the handling of personal information that is sent overseas, unless it has formed the ‘reasonable’ belief that the overseas jurisdiction is substantially similar to Australian law, or there is a binding scheme in place.

“This business of remaining accountable is frightening a lot of people, and justifiably so,” Crompton says. “You can’t just wash your hands of your accountability simply by posting stuff offshore.”

The APPs also require organisations to revise the privacy notices they make available to the public, to demonstrate their compliance with the provisions of the new APPs.

They also face the requirement of being able to inform individuals as to where the information they hold came from, including if it was purchased from a third party. That means organisations must keep records of the provenance of the data they hold.

“That is a clear CIO function, because the CIO needs to have an answer to that question,” Crompton says.

Some organisations have been getting their act together well in advance. According to the Commonwealth Bank’s group executive and CIO, Michael Harte, the bank commenced its response to the new APPs in early 2013.

“This is progressing well, and we are on track to be ready for March 2014,” Harte tells CIO just before the end of 2014. “We have also introduced a Privacy Impact Assessment process which we use to identify privacy risks and recommend privacy enhancing business solutions at the outset of any new project that handles a customer’s personal information.

“This ‘privacy by design’ approach allows our teams to be more proactive in identifying and mitigating any privacy risks and identify privacy enhancing opportunities.”

Harte says the bank’s position is that competitive advantage comes from being recognised by customers as a trusted party regarding their privacy and security, such that they feel they have a strong, trusted and valuable relationship with the bank.

“I think it is critical that all executives are active in understanding the importance of trust, privacy and security in this increasingly digital world,” Harte says. “With this new inter-connectedness of our society, new speed, new apps and new services on mobile and in social – data has grown incredibly.

Our customers’ digital footprints are all over a broader and deeper landscape so we need to understand their preferences.”

Other industries that hold large volumes of personal data have also been active in meeting the challenge of the new APPs.

Given that APP 7 relates specifically to the handling of data in a direct marketing context, compliance with the APPs has been a key area of focus for the Association for Data-driven Marketing & Advertising (ADMA) and its members.

ADMA chief executive officer, Jodie Sangster, says her organisation has been working closely with members to assist them in adapting to the APPs. While responsibility usually sits with their compliance teams, the bulk of what privacy legislation covers now is much broader.

“From an IT perspective it is all about the systems and the processes and making sure that data is used in a correct way and secure,” she says. “IT is absolutely intrinsically in the centre of privacy compliance, and any systems they are designing or developing need to be developed or designed with privacy in mind.”

ADMA supports the ‘privacy by design’ concept extolled by CBA, which encompasses planning for privacy across an entire organisation.

“That is saying that the whole organisation needs to be designed around making sure it is doing the right thing with personal information, which clearly involves the IT team,” Sangster says.

“The successful companies are going to be the ones that have brought in IT at an early stage and designed systems that can take privacy into account.”

Another group of organisations significantly impacted by the APPs are digital publishers and advertisers, many of whom use personal data and advanced analytics to maximise the profitability of their inventory.

According to the chief executive officer of the Interactive Advertising Bureau (IAB) Australia, Alice Manners, most IAB members are prepared.

“Consumers understand the need for an ad-funded Internet; they also want greater transparency and control over data and how it is used,” Manners says. “This provides a great opportunity for industry to proactively step in and fill the gap.”

She adds many have benefitted from a long heritage in handling privacy concerns. “A significant number of companies will manage substantial compliance through their existing privacy regime,” Manners says.

“So for our larger members this means their legal team has reviewed the entire data collection process across all business units.”

The IAB has also worked with the Australian Association of National Advertisers and the Media Federation of Australia to schedule workshops to facilitate learning and drive capability and compliance.


Disclosure clause

While the APPs place significant new requirements on organisations, they have been designed to still enable organisations to conduct many of the data collection and analysis activities they have always undertaken, but with a new emphasis on disclosure and opting out. For this reason, Crompton says the APPs need not spell the death of the use of predictive analytics.

“The new APPs are no more of a hindrance to consumer-focused big data projects than the current NPPs, so it is not as if anything is going backwards,” Crompton says.

This is particularly critical to major banks and retailers, who have become significant users of analytics technology to determine customer behaviours and preferences.

“Today the decision for businesses and their CIOs is how best to use this data to enhance customer relationship value,” Harte says.

“As a bank, our customers’ trust is absolutely critical to our commercial success. What we know from our own, and from industry research, is that our customers do trust us. They want us to help them secure their financial wellbeing.”

While Harte is confident regarding CBA’s compliance with the APPs, many other organisations may be less entitled to such confidence. Pilgrim has already identified behavioural targeting – a favourite tool of online advertisers which uses consumer behaviour to make assumptions about their interests – as an area for further investigation.

“That’s an issue that I think is going to be growing, particularly in the online environment,” Pilgrim says. “There are issues around how people’s personal information is being collected and used in that type of situation, and that may be an area down the track where a code might be useful.”

While many of the details around the APPs have yet to be tested in the real world, the need to ensure an organisation is compliant remains.

Crompton says a successful approach to compliance means ensuring that the organisation has a culture of accountability. When it comes to complying with the new APPs, the best starting point is to run a privacy ‘health check’ to determine exactly where the organisation already lies in terms of compliance.

“You can delegate responsibility, but you can’t delegate accountability,” Crompton says. “The CIO has as much responsibility as anyone else to ensure that at least a health check has been conducted through the organisation on privacy.”

There is also a wealth of material available online from the website of the Office of the Australian Information Privacy Commissioner.

“There is a lot of guidance material there, and there is no excuse for not being familiar with that,” Crompton says. “And that will provide a lot of the specificity.”

According to Simpson, organisations that find the transition the easiest are those that already have a robust information framework in place.

“With a formal well-defined framework about information management and information security, you are well on the way to providing some assurance to the rest of the stakeholders and the execs that you’ve got a handle on this,” he says.