Overview of ESG Standards and Regulatory Developments
IFRS1 and 2 – sustainability-related disclosures
The creation of the International Sustainability Standards Board (ISSB) was announced at COP26, the 2021 UN Climate Change Conference in Glasgow, with the role of creating a global baseline for sustainability reporting. On 26 June […]
Australia’s ESG Regulation
After a lengthy consultation process from December 2022 to 17 February 2023 for the design and implementation of the Government’s commitment to standardised, internationally‑aligned requirements for disclosure of climate-related financial risks and opportunities, Australia’s sustainability regulatory framework is now in place. The Treasury Laws Amendment (Financial Market Infrastructure and Other […]
Australia’s Cyber Security Bill 2024
On 9 October 2024, the Minister for Cyber Security and Leader of the House, the Honorable Tony Burke MP, tabled the Cyber Security Bill 2024, aimed at enhancing national security and protecting businesses from cyber threats. In introducing the Bill, Minister Burke explained that the Bill addresses whole-of-economy cybersecurity issues and positions the government to respond to new and emerging threats, including the ability to counter ransomware and cyber extortion. The key measures proposed by the Bill include:
- Mandatory 72-hour reporting obligation for entities who receive a ransomware demand and make a payment in connection with that cyber security incident;
- ‘Limited use’ obligation restricting information provided to the National Cyber Security Coordinator (NCSC) during a cyber incident from being provided to another Commonwealth body for investigation or enforcement not related to the Bill;
- Establishing a Cyber Incident Review Board (CIRB) to conduct no-fault post-incident reviews of significant cyber security incidents. The Board is modelled on similar bodies, including the U.S. Cyber Safety Review Board, and will also make recommendations for both government and organisations to enhance Australia’s cyber resilience.
- Enabling the government to establish mandatory security standards for smart devices. The aim is to bring Australia into line with international best practice and enhance consumer security, such as prohibiting universal default passwords on smart devices.
The Bill has been referred to the Parliamentary Joint Committee on Intelligence and Security for inquiry and report. Submissions were only open for two weeks, and public hearings took place on 31 October and 1 November. A number of the submissions have identified issues and made recommendations for amendments, including the Law Council of Australia, which has recommended that ‘the Bill should clarify that material identified as subject to legal professional privilege is not subject to reporting requirements. Further, there should be consistent and clear statutory safeguards that the disclosure of privileged information (whether required or voluntarily provided) does not amount to a subsequent waiver of privilege.’
Access the Cybersecurity Bill here
UNIDIR Cyber Policy Portal
The Cyber Policy Portal of the United Nations Institute for Disarmament Research (UNIDIR) serves as a comprehensive online reference tool, providing detailed profiles of all 193 UN Member States. It acts as a central hub for information on each country’s cybersecurity policy documents, responsible agencies and departments, legal frameworks, and cooperation efforts.
The Portal offers insights into the cybersecurity policy landscape through main categories and various subcategories within each profile. It also includes information on Intergovernmental Organisations, multi-stakeholder instruments, and other initiatives. It seeks to facilitate informed participation by relevant stakeholders in policy processes and to enhance trust, transparency, and cooperation in cyberspace. Each country profile on the Portal includes information on the country’s cyber policy landscape, divided into categories such as Cybersecurity Policy, Structures, Legislative Frameworks, and Cooperation.
Access the Portal here: Cyber Policy Portal
NAA Australian Government Information Check-up Report
The National Archives of Australia’s Check-Up Report 2024 reveals improvement in five of the six information maturity areas: ‘creating information assets’, ‘storing, preserving, creating information assets’, ‘governance and culture’, ‘describing information assets (metadata)’, and ‘use, reuse and interoperability’. Concerningly, ‘appraising and disposing’ showed a slight decline (3.27 compared with 3.9 (out of 5) in 2022).
The Check-Up on Information Governance reveals:
- 77% of agencies had an active IG committee or similar mechanism.
- 79% had a Chief Information Governance Officer or similar role in place.
- 55% had an IG framework, which was an increase from 50% year-on-year.
- 38% of agencies indicated that their IG frameworks, committees and roles covered all information assets.
- 22% of agencies had an overarching governance mechanism/s that ensures their management of information and data is integrated and aligned for business benefit.
While three-quarters of agencies usually or always have active senior management support for information management and senior management representation on the information governance committee, agencies were also less likely to review how well information management practices and processes support business objectives and report to senior management on achievements and gaps (51%, similar to 50% in 2022).
Following the recommendation of the Australian National Audit Office (ANAO) report on the Management of Information Assets (Report No.44 of 2022-23), the relative position of agencies based on their overall information management maturity index score has been shown in a table, along with the relative position of agencies based on their overall Building Trust in the Public Record Policy implementation action index score, and a third table listing agencies that were out-of-scope for the 2023 Check-up survey and elected not to submit a response. The top-ranked agency was the Department of Industry, Science and Resources, with an overall information maturity index of 4.91.
Read the full NAA Check-up 2023 Whole of Government Comparative Report here
Evaluation of whole-of-government trial into Gen AI:
On 23 October 2024, Australia’s Digital Transformation Agency (DTA) released a report into the Australian Government’s trial of generative AI. From 1 January 2024 to 30 June 2024, the DTA coordinated the Australian Government’s trials of a generative AI service. It made Microsoft 365 Copilot (formerly Copilot for Microsoft 365) available to over 7,600 staff across 60+ government agencies. The overarching findings are that ‘there are clear benefits to the adoption of generative AI but also challenges with adoption and concerns that need to be monitored.’ Most trial participants (77%) were satisfied having an integrated AI tool, with many more (86%) wishing to continue using it.
Improvements to efficiency and quality findings include:
- Participants estimated time savings of up to an hour when summarising information, preparing a first draft of a document and searching for information.
- Participants (69%) felt there was a marked improvement in the speed of wrapping up tasks, with nearly as many (61%) believing having such a tool enhanced the quality of work output.
- A majority of the efficiencies were seen in various business-as-usual and office management tasks.
Improvements required to improve adoption include:
- Key integration, data security and information management considerations agencies must consider prior to Copilot adoption, including scalability and performance of the GPT integration and understanding of the context of the large language model.
- Training in prompt engineering and use cases tailored to agency needs is required to build capability and confidence in Copilot.
- Clear communication and policies are required to address uncertainty regarding the security of Copilot, accountabilities and expectation of use.
- Adaptive planning is needed to reflect the rolling feature release cycle of Copilot alongside governance structures that reflect agencies’ risk appetite, and clear roles and responsibilities across government to provide advice on generative AI use. Given its infancy, agencies would need to consider the costs of implementing Copilot in its current version. More broadly this should be a consideration for other generative AI tools.
Broader concerns on AI that require active monitoring:
- There are broader concerns on the potential impact of generative AI on APS jobs and skills, particularly on entry-level jobs and women.
- Large language model (LLM) outputs may be biased towards western norms and may not appropriately use cultural data and information.
- There are broader concerns regarding vendor lock-in and competition, as well as the effect of generative AI use on the APS’ environmental footprint.
Access the Report here
Beware the gap: Governance arrangements in the face of AI innovation
On 29 October 2024, the Australian Securities and Investments Commission (ASIC) released its review into how 23 Australian financial services licensees in the banking, credit, insurance and financial advice sectors were using and planning to use AI, how they are identifying and mitigating associated consumer risks, and their governance arrangements. ASIC Chair Joe Longo stated, ‘it is worrying that competitive pressures and business needs may incentivise industry to adopt more complex and consumer-facing AI faster than they update their frameworks to identify, mitigate and monitor the new risks and challenges this brings.’ Key findings of the review include:
- 57% of all use cases were under two years old or in development.
- 61% of licensees in the review planned to increase AI use in the next 12 months.
- 92% of generative AI use cases reported were less than a year old, or still to be deployed. Generative AI made up 22% of all use cases in development.
- Only 12 licensees had policies in place for AI that referenced fairness or related concepts such as inclusivity and accessibility.
- Only 10 licensees had policies that referenced disclosure of AI use to affected consumers.
Access the report here
AI Impact Navigator to Help Australian Companies Tackle AI Challenges
On 21 October 2024, Australia’s National AI Centre released the AI Impact Navigator, a new framework designed to assist organisations in assessing and measuring the impact and outcomes of using AI systems. The AI Impact Navigator is for senior executives, board directors and anyone leading AI implementation, use and impact.
The tool helps users to implement Guardrail 10 of the Voluntary AI Safety Standard in their operations while measuring their AI impact effectively. Using a continuous improvement cycle known as Plan, Act, Adapt, the Navigator provides a way for company leaders to communicate and discuss what’s working, what they’ve learned, and what their AI impact is.
The AI Navigator focuses on understanding and addressing AI systems’ social, environmental and economic impacts. Building on appropriate guardrails from the Voluntary AI Safety Standard, it helps companies publicly report on their work and impact, and provides tools and templates. The Navigator has 4 dimensions to help companies measure AI impact:
- social licence and corporate transparency
- workforce and productivity
- effective AI and community impact
- customer experience and consumer rights.
Access and explore AI Impact Navigator here.
AI and ESG: An Introductory Guide for ESG Practitioners
On 21 October 2024, Australia’s National AI Centre published an introductory guide to AI for ESG practitioners, highlighting how AI can help address urgent challenges in health, climate change, sustainability, accessibility, and inclusion. AI and ESG is a practical guide for ESG practitioners on how to better understand the implications and opportunities of AI, and how to incorporate the use of AI into their work. It includes:
- Responsible AI Use: Encourages practitioners to understand the implications of AI within ESG frameworks.
- Assessment Tools: Provides methods for evaluating AI initiatives in the ESG sector.
- Ideas: Enhancing ESG solutions with AI
- Strategic Implementation: Outlines steps for adopting AI solutions responsibly in ESG contexts.
Download the Guide here.
Measuring Carbon in Data Projects
The Digital Decarbonisation Project led by academics, Professor Thomas Jackson and Professor Ian Hodkinson from Loughborough University, has designed a tool called the ‘Data Carbon Ladder.’ The Data Carbon Ladder is aimed at helping organisations make data-driven decisions, which enhance their bottom line and also align with their sustainability goals. […]
OAIC Guides on AI and Privacy
The Office of the Australian Information Commissioner (OAIC) has published two new guides to assist organisations in navigating the intersection of AI and privacy:
- Guidance on privacy and the use of commercially available AI products: This guide assists organisations in complying with privacy obligations using commercially available AI products and helps them to select an appropriate product. It also addresses the use of AI products that are freely available, such as publicly accessible AI chatbots.
- Guidance on privacy and developing and training generative AI models: This guide is for developers of generative AI models or systems that use personal information. While it focuses on generative AI, developers of any kind of AI model that involves personal information will find it helpful.
In the media release accompanying the Guides, Australian Privacy Commissioner Carly Kind stated, ‘Our new guides should remove any doubt about how Australia’s existing privacy law applies to AI, make compliance easier, and help businesses follow privacy best practices. AI products should not be used simply because they are available. The community and the OAIC expect organisations seeking to use AI to take a cautious approach, assess risks and make sure privacy is a key consideration. The OAIC reserves the right to take action where it is not.’
OAIC Data Breach Report: Key Themes
From January to June 2024, OAIC received 527 data breach notifications, the highest number since July to December 2020. The top five sectors that notified of data breaches in this period were Health Service Providers, the Australian government, Finance, Education, and Retail.
In a media release accompanying the Notifiable Data Breaches Report on 16 September 2024, Australian Privacy Commissioner Carly Kind said, ‘the high number of data breaches is evidence of the significant threats to Australians’ privacy.’ The reporting period included the MediSecure data breach notification affecting nearly 13 million Australians.
So far this year, the Information Commissioner has filed civil penalty proceedings in the Federal Court against Medibank arising from its October 2022 data breach. The OAIC has also issued an intention and a direction to notify of an eligible data breach about incidents in previous reporting periods and opened an investigation into the HWL Ebsworth Lawyers 2023 data breach.
OAIC’s Data Breach Report identifies the following key themes and recommendations:
- Mitigating cyber threats – organisations need to have appropriate and proactive measures in place to mitigate cyber threats and protect the personal information they hold.
- Addressing the human factor – individuals are a significant threat to the strength of an entity’s privacy practices. Organisations need to mitigate the potential for individuals to intentionally or inadvertently contribute to the occurrence of data breaches.
- Extended supply chain risks – organisations that outsource the handling of personal information can reduce the impact of a data breach in the supply chain by implementing a robust supplier risk management framework.
- Misconfiguration of cloud-based data holdings – organisations need to be aware there is a shared responsibility for the security of data in the cloud.
- Relevance of a threat actor’s motivation in assessing a data breach – entities should not rely on assumptions. They should weigh in favour of notifying the OAIC and affected individuals when a breach occurs.
- Data breaches in the Australian Government – of all sectors, the Australian Government reported the most data breaches involving social engineering or impersonation. Organisations need to have access control measures in place to ensure only authorised persons access their systems.
Access the OAIC’s Data Breach Report here and the OAIC’s Guide to Securing Personal Information here.
IPC Data Breach Report: Key Themes
The first NSW Mandatory Notification of Data Breach Scheme Trends Report for November 2023 to June 2024 was released on 1 October. According to the Report, 79% of all notifications made were caused by human error, followed by criminal or malicious attack. Acting Privacy Commissioner Sonia Minutillo said, ‘The high frequency of […]
Privacy Bill tabled in Parliament
On 12 September 2024, the Attorney-General, the Hon Mark Dreyfus KC tabled the long-awaited Privacy and Other Legislation Amendment Bill 2024 (the Bill). This would enact the first tranche of reforms to the Privacy Act 1988 (Cth) (Privacy Act) and implement 23 of the 25 proposals the Government agreed to in its September […]
Australia’s new AI Safety Standard
On 5 September 2024, Australia’s Department of Industry, Science and Resources published a voluntary AI Safety Standard to provide practical guidance to help organisations develop and deploy AI systems in Australia safely and reliably. The publication sets out 10 voluntary AI guardrails and how to use them. Definitions, links to […]
Mandatory Guardrails for High-Risk AI
Along with the AI Safety Standard, on 5 September 2024 the Australian Government released a new proposals paper with options for mandating guardrails for the development and deployment of AI in high-risk settings in Australia. The proposal paper includes: Proposed principles for defining high-risk AI. 10 proposed mandatory guardrails. Regulatory options […]
Europe’s AI Treaty signed by UK and US
On 5 September 2024, the Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law (CETS No.225) (‘the treaty’) was signed by the UK, US, the EU, Andorra, Georgia, Iceland, Israel, Norway, the Republic of Moldova and San Marino. The treaty aims to ensure that […]
The Information Governance Primer
In today’s digital and AI environment, the growing number and complexity of challenges associated with data and information are outpacing traditional governance and management practices. The Information Governance Primer addresses these challenges by providing a guide to developing a holistic enterprise-wide system to mitigate risks and maximise opportunities.
The Information Governance Primer assists professionals in developing a well-executed IG framework and program, with appropriate leadership, to deliver effective data and information security and control by reducing the costs of holding information and maximising the value of information held by the organisation.
The Information Governance Primer articulates persuasively the rationale for implementing good information governance and aims to equip IG practitioners with the knowledge required to build and improve information governance across a range of organisation types, including government, corporations, and not-for-profits.
The Information Governance Primer provides a general overview of information governance, covering a range of important factors, including the key drivers of IG, the benefits of successful IG implementation, an outline of IG models and frameworks, and the role of IG leadership in establishing robust information governance.
The Information Governance Primer is free for InfoGovANZ members and is available here.
Policy for the Responsible Use of AI in Australian Government Agencies
The Policy for the responsible use of AI in Government Agencies comes into force on 1 September 2024. Departments and agencies must meet the mandatory requirements for accountable official(s) by 30 November 2024 and transparency statements by 28 February 2025. The policy aims to create a coordinated approach to government use of AI and has been designed […]
Australian Cybersecurity Resources
The Australian Signals Directorate (ASD) has developed prioritised mitigation strategies to help organisations mitigate cyber security incidents caused by various cyber threats. These can be used by any organisation and can be accessed here – Strategies to Mitigate Cyber Security Incidents. This is supported by the Strategies to Mitigate Cyber Security […]