This appeared a few days ago:
7 steps to prepare your organisation for changes to Australia’s privacy legislation
Opinion
02 Apr 2024 5 mins
Michael Fagan, former chief transformation officer at Village Roadshow, examines the proposed changes to the Privacy Act and how CIOs in Australia can prepare for them.
Australian privacy legislation is about to undergo a major overhaul, with more than 100 proposals under consideration; you can see the detail here. While the exact details of changes to the law remain unknown, there is much that organisations can do to prepare.
- Take inventory of what data you do hold
Do you know what information you currently hold? Where it is held? Why it was collected and what the future usage of that data will be? Have you clearly identified owners of that data? Hint: it’s not someone in your IT department (or shouldn’t be – this is usually a red flag for CEOs). What are some use cases that might need that data? If you don’t know where your data is then you will struggle to be compliant.
- Be open and transparent about what data you collect and how you use it
Australian Privacy Principle #1 (APP 1) requires organisations to have a clearly defined and contemporary policy describing how they manage personal information. Is yours readable? Have you run it through ChatGPT and determined the Flesch-Kincaid readability score? It should be readable by a 14-year-old, Year 8 student. The good news is that you can ask any of the large language models (LLMs) like ChatGPT to rewrite paragraphs or sections for improved comprehension or make it more concise.
- Delete old data
I lived in Hong Kong 2008-2013 and one of my most pleasurable weekends was a trip to see an incredible band at the MGM hotel in Macau. Twelve years later, in September 2023, some of my details were compromised in the MGM Resorts hack in the USA. Luckily it was just my name and a now-defunct email address – but it had been expired for at least 10 of those years. I cannot remember ever receiving a single piece of marketing from MGM, but they kept my old data on file – and may have been getting “return to sender” messages for years.
How much old data are you keeping? Deleting obsolete information provides several benefits. Firstly, it tests your ability to destroy data. This is not a trivial matter – backups, archives, deeply linked data present challenges. It also gives executives a clear picture of how much customer data you really have. I helped an organisation clean up their Customer Data Platform (CDP) last year and removed more than a million records, about 15% less than they thought they had.
Another benefit is that it saves money. Not on disk space, which can nearly be considered free at this stage, but many CDPs and other SaaS applications have a charging model based on the amount of data (customer records) that you hold. That company I helped had a significant reduction in their CDP licensing cost post clean-up.
- Develop and manage a consent framework for new data, and de-identify where you can
Rely more on first-party data that you collect yourself. Inform customers when you collect that data, and what you will use it for. Inform them of this collection, prior to gathering it. If you have new uses for the data, seek further consent or de-identify the data.
For the latter, one such technique involves encryption of identifiers, which allows different datasets to be linked together for analysis but still obscures the original data. Another technique is homomorphic encryption, where a data owner encrypts a dataset and sends it to the cloud (or another server) for processing; the server processes the data without decrypting it and sends the encrypted results back to the owner – who is the only party able to decrypt the results.
- Drive partner accountability
Who are you sharing data with, and what do they do with it? Are they always using your customers’ data in a way that is consistent with the promises you made? Review your contracts and agreements in your partner ecosystem and hold them accountable. “It is a condition of doing business with us that you have a mutually acceptable attitude to privacy (and modern slavery, and ethical sourcing, and ….)”
- Ensure your breach notification plan exists, and is up to date
Have you conducted a boardroom wargame, simulating a data breach? Have you repeated it in the last 12 months?
- Educate your teams, and support people who raise issues
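Step 4 above mentions encrypting identifiers so that datasets can still be linked for analysis while the original values stay obscured. As an added example (not code from the article or its author), the Python below pseudonymises the shared email field of two constructed datasets with a keyed HMAC-SHA256 and then joins them on the resulting token; the key, the records and the field names are all assumptions made for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Constructed sample records from two internal systems that share the
# customer's email address as the common identifier (not real people).
CRM_RECORDS = [
    {"email": "Alice@Example.com", "plan": "gold"},
    {"email": "bob@example.com", "plan": "silver"},
]
SUPPORT_RECORDS = [
    {"email": "alice@example.com ", "tickets": 3},
    {"email": "carol@example.com", "tickets": 1},
]
# Assumed key; in practice it lives in a secrets store held by the data owner,
# and is never given to the party that receives the pseudonymised data.
DEMO_KEY = b"constructed-demo-key"

def normalise(identifier: str) -> str:
    """Canonicalise so the same person yields the same token across systems."""
    return identifier.strip().lower()

def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Unlike a bare hash, a token cannot be
    reversed by hashing a list of candidate emails without the secret key."""
    return hmac.new(key, normalise(identifier).encode("utf-8"), hashlib.sha256).hexdigest()

def pseudonymise_dataset(records: Iterable[Dict], id_field: str, key: bytes) -> List[Dict]:
    """Replace the identifying field with its token; all other fields are kept."""
    out = []
    for rec in records:
        row = {k: v for k, v in rec.items() if k != id_field}
        row["token"] = pseudonymise(rec[id_field], key)
        out.append(row)
    return out

def link(left: List[Dict], right: List[Dict]) -> List[Dict]:
    """Inner join on the token: the analyst never needs the raw identifiers."""
    index = {row["token"]: row for row in right}
    return [{**row, **index[row["token"]]} for row in left if row["token"] in index]

def link_crm_with_support(key: bytes = DEMO_KEY) -> List[Dict]:
    """Pseudonymise both datasets with the owner's key and link them."""
    crm = pseudonymise_dataset(CRM_RECORDS, "email", key)
    support = pseudonymise_dataset(SUPPORT_RECORDS, "email", key)
    return link(crm, support)
```

Only Alice appears in both systems, so the linked output has one row carrying her plan and ticket count but no email address.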
More here:
As mentioned above, you can follow up here:
Why CIOs need to pay attention to the most significant overhaul of Australian privacy law in 40 years
Opinion
27 Mar 2024 4 mins
Michael Fagan, former chief transformation officer at Village Roadshow, examines the proposed changes to the Privacy Act and what CIOs in Australia need to be aware of.
I received 7 unsolicited CVs and resumes in the last 12 months, from well-educated and qualified people, seeking to join the organisation where I was working. Unbeknownst to the senders, they put me at risk of breaching one of the 13 Australian Privacy Principles (APP), despite me not really knowing these people, and never asking them for information. The jobseekers included a varying amount of personal information, including email address, phone numbers, home address, work and education history, and more. One applicant even included a photograph and, no lie, their weight. (Although I suppose if I only weighed 47kg I’d put it on my CV too). By giving me this personal information, they placed an obligation on me and my organisation to use it wisely, or risk penalties up to $1.8m.
In 2024, the government has committed to strengthening privacy law, including equipping the regulator with more powers and more options to enforce – meaning that those penalties could be even harsher. The Attorney General’s department spent three years reviewing the 1988 Privacy Act, and released a report in February 2023 outlining 116 proposals for change. The Australian Government published its response in September 2023, agreeing to 38 proposals, agreeing “in principle” to 68 proposals (i.e. further consultation required to understand impact and alignment with other reviews like Digital ID, and the Australian Cyber Security Strategy before implementation), and noting the remaining 10. The report is available here, and the response here, and the government’s current round of consultation ends 28 March 2024.
Much more here:
It looks like the time to get ready is now – as these things always sneak up on you!
David.
Unless you are Services Australia - then nothing to see here