InfoGovANZ

Information Governance Think Tank

InfoGovANZ

Access to Information Day and Right to Know Week

by

Thursday, 28 September marks International Access to Information Day, which recognises citizen rights around the world to access government information. This right is encapsulated under Article 19 of the United Nations’ Declaration of Human Rights.

In recognition of this day, NSW celebrates Right to Know (RTK) Week, educating public sector agencies and citizens on the Government Information (Public Access) Act or GIPA Act and raising awareness about citizens’ rights to access government held information. RTK Week will take place from 25 September – 1 October 2023 and will celebrate the theme of: The importance of the online space for access to information.

Information Commissioner Elizabeth Tydd says that ‘Right to Know Week NSW 2023 aims to highlight how the online space empowers individuals to:

  • critically assess information
  • identify misinformation
  • ensure that government remains accountable and responsive to citizen views.’

Read Commissioner Tydd’s full statement here Right to Know Week NSW 2023

Wanting to access data collected by Australian Government Agencies?

by

Participation in the DATA Scheme continues to grow as shown in the Office of the National Data Commissioner’s (ONDC) Implementation Pipeline update below.

New guidance to develop a data inventory 
The ONDC has released a new guide to developing a data inventory.  There are now 56 organisations that have taken the step of onboarding to Dataplace.  Once on board, you can use Dataplace to make a request for data collected by Australian Government agencies and make a data sharing agreement. Dataplace is also the place to go if you want to apply for accreditation to participate in the DATA Scheme. If you want to see who is already accredited, check out our Register of Accredited Entities.

In upcoming events below, we have included the ONDC webinars where you can learn more about the DATA Scheme.

New guidance to help Scheme participants  – costs
Under the DATA Scheme, Australian Government agencies may charge fees for services performed when dealing with a data sharing request. The ONDC new guidance requires that any fees charged are on a cost recovery basis.

Complaints 
One of the functions of the National Data Commissioner is to handle complaints about the DATA Scheme.  To make a complaint, please go to the Contact us page or email information@datacommissioner.gov.au.  The new guidance provides information for Scheme participants and others about how the Commissioner will handle complaints.

Explaining decisions made by AI

by

The UK Information Commissioner’s Office and The Alan Turing Institute have released a guidance to provide practical advice to organisations to help explain the processes, services and decisions delivered or assisted by AI, to the individuals affected by them. The guidance consists of three parts. Depending on your level of expertise, and the make-up of your organisation, some parts may be more relevant than others.  Read the Guidance here.

Part 1: The basics of explaining AI 

Aimed at DPOs and compliance teams, part one defines the key concepts and outlines a number of different types of explanations. It will be relevant for all members of staff involved in the development of AI systems.

Part 2: Explaining AI in practice

Aimed at technical teams, part two helps you with the practicalities of explaining these decisions and providing explanations to individuals. This will primarily be helpful for the technical teams in your organisation, however your DPO and compliance team will also find it useful.

Part 3: What explaining AI means for your organisation

Aimed at senior management, part three goes into the various roles, policies, procedures and documentation that you can put in place to ensure your organisation is set up to provide meaningful explanations to affected individuals. This is primarily targeted at your organisation’s senior management team, however your DPO and compliance team will also find it useful.

What’s happening with data from your car?

by

Mozilla released a report last week that examined the terms of service for 25 car companies and the types of data being collected.  The report states, ‘they can collect information about how much money you make, your immigration status, race, genetic information, and sexual activity (it’s in there!).’  Concerningly, the report provides ‘Twenty two of the car brands (88% of the ones we looked at) mentioned creating inferences — assumptions about you based on other data. And nine of those companies (39%) said specifically that they might sell them to third parties.’

Included in the report is an extract from  Tesla’s Terms of Service, “if you no longer wish for us to collect vehicle data or any other data from your Tesla vehicle, please contact us to deactivate connectivity. Please note, certain advanced features such as over-the-air updates, remote services, and interactivity with mobile applications and in-car features such as location search, Internet radio, voice commands, and web browser functionality rely on such connectivity. If you choose to opt out of vehicle data collection (with the exception of in-car Data Sharing preferences), we will not be able to know or notify you of issues applicable to your vehicle in real time. This may result in your vehicle suffering from reduced functionality, serious damage, or inoperability.” [emphasis added]

Read the full report here *privacy not included Mozilla Foundation

Take part in an organisational resilience survey and global discussion 

by

Calling Senior Corporate, Legal, and Risk Management Professionals

Ansarada invites you to take a brief 6-minute survey that will serve as the cornerstone of a data-driven report. The report developed in collaboration with industry experts, will be a treasure trove of actionable insights and expert commentary, around Operational Resilience globally.

Participants will gain exclusive first access to the report’s findings and will have the opportunity to share your insights and commentary if you wish to contribute further.  Participation in this survey is anonymous. You can take the survey here: https://lnkd.in/gZiqcfun

US and Australian government issue joint Cyberseucrity Advisory on preventing Web Application Access Control Abuse 

by

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC), U.S. Cybersecurity and Infrastructure Security Agency (CISA), and U.S. National Security Agency (NSA) have recently released a joint Cybersecurity Advisory to warn vendors, designers, and developers of web applications and organizations using web applications about insecure direct object reference (IDOR) vulnerabilities. IDOR vulnerabilities are access control vulnerabilities enabling malicious actors to modify or delete data or access sensitive data by issuing requests to a website or a web application programming interface (API) specifying the user identifier of other, valid users. These requests succeed where there is a failure to perform adequate authentication and authorization checks. These vulnerabilities are frequently exploited by malicious actors in data breach incidents because they are common, hard to prevent outside the development process, and can be abused at scale. IDOR vulnerabilities have resulted in the compromise of the personal, financial, and health information of millions of users […]
Member only content (join now or login)

Australian Community Attitudes to Privacy Survey 2023

by

The Australian Community Attitudes to Privacy Survey 2023 released by the Office of the Australian Information Commissioner (OAIC) on 8 August, shows a significant increase in the number of Australians who feel data breaches are the biggest privacy risk they face today.  Australian Information Commissioner and Privacy Commissioner Angelene Falk said, ‘Australians see data breaches as the biggest privacy risk today, which is not surprising with almost half of those surveyed saying they were affected by a data breach in the prior year.’  Furthermore, the Commissioner stated, ‘there is a strong desire for organisations to do more to advance privacy rights, including minimising the amount of information they collect, taking extra steps to protect it and deleting it when no longer required.’ Among the key themes of the survey are: Australians care about their privacy. Nine in 10 Australians have a clear understanding of why they should protect their personal information, and […]
Member only content (join now or login)

Zoom clarifies that it won’t use data without consent for AI training

by

In the past few weeks, there have been media reports pointing out that Zoom’s updated Terms of Service introduced in March, would enable Zoom to use data collected for AI training purposes.  Last week, the CEO of Zoom this has led Zoom to announce that it will not use data for AI training without explicit consent for users. However, it highlights how vigilant organisations need to be in monitoring third-party providers’ changes to third-party technology providers and implementing changes to policies and processes if appropriate. Zoom has recently introduced two generative AI features — Zoom IQ Meeting Summary and Zoom IQ Team Chat Compose – which offer automated meeting summaries and AI-powered chat composition.  The Zoom account owners and administrators who control whether to enable these AI features for their accounts. Chief Product Officer Smita Hashim explained, ‘We’ve updated our terms of service (in section 10) to further confirm that Zoom does not use any […]
Member only content (join now or login)

The Good Shepherd Model for Cybersecurity, Privacy and Regulatory Compliance

by

WHITE PAPER   Four principles for protecting private data to improve compliance with privacy regulations Executive Summary Regulators Sharpen their Focus on Protecting Private Data "Assume You Are Compromised" - Now What? The Good Shepherd Model Case Study: Investigating a Datacenter Breach the Hard Way Security and Privacy are Strategic References   EXECUTIVE SUMMARY Organizations that store customers’ private information have a duty of care to protect that data. Credit card numbers and other personal details fetch a high price on the black market and unfortunately, organizations do a very poor job of keeping them out of the hands of cybercriminals. Regulators in many countries are now levying considerable penalties against organizations that fail to protect people’s private data. Under the European Union’s General Data Protection Regulation (GDPR), for example, organizations face fines of up to €20m or 4% of annual turnover for exposures of European citizens’ private data. They […]
Member only content (join now or login)

Census Topic Consultation

by

The Australian Bureau of Statistics (ABS) has published a shortlist of topics being considered for the 2026 Census and launched the next phase of public consultation. The publication 2026 Census topic review: Phase one directions provides outcomes from the consultation undertaken earlier this year, including the topics being considered for inclusion, change or removal from the 2026 Census. It also outlines where more information is needed to inform our recommendation to the Government on the topics in the 2026 Census. This consultation is seeking feedback on topics that are being considered for change or removal from the 2026 Census. Submissions can be made through the ABS Consultation Hub until 8 September 2023. Learn more at https://www.abs.gov.au/census/2026-census-topic-review/overview-2026-census-topic-review
Member only content (join now or login)

Third-Party Risk and Cybersecurity: Navigating Evolving Threats and Data Governance

by

High-profile data breaches in the last few years have not only resulted in increased regulatory attention but have also served to highlight the evolving set of cyber threats faced by organisations. Of particular note, there have been numerous incidents where cybercriminals have managed to obtain organisational data not through a direct attack on the organisation but rather by breaching a third-party IT supplier to the organisation. The sophistication of cybercriminal attacks is increasing both in terms of the attack methodology and the strategic intent behind the selection of their targets. When the first wave of ransomware attacks was launched in the early 2000s, these were largely indiscriminate, impacting whichever personal, business, or government system that the malware could gain access to. Following this initial wave, we have observed increased fine-tuning of malware attacks over time. From a code perspective, some examples of this evolution have included built-in checks in the […]
Member only content (join now or login)

Report of the Royal Commission into the Robodebt Scheme

by

The Royal Commission into the Robodebt Scheme has concluded. Commissioner Catherine Holmes AC SC presented the Report of the Royal Commission into the Robodebt Scheme to the Governor-General, His Excellency, General the Honourable David Hurley AC DSC (Retd) on 7 July 2023. It was tabled on 7 July 2023. Read the report here
Member only content (join now or login)

Interim guidance for agencies on government use of generative AI platforms

by

The Digital Transformation Agency (DTA) and the Department of Industry, Science and Resources (DISR) have released interim guidance on government use of publicly available generative AI platforms. The interim guidance is recommended for government agencies to use as the basis for providing generative AI guidance to their staff. You can access the Guidance here – Interim guidance for agencies on government use of generative AI platforms | aga (digital.gov.au) DTA and DISR also recommend agencies: implement an enrolment mechanism to register and approve staff user accounts to access generative AI platforms. This should include appropriate approval processes through Chief Information Security Officers (CISO) and/or Chief Information Officers (CIO). establish an avenue for staff to report any exceptions made to adhering to the guidance through your CISO/CIO. This should be reported periodically to the DTA by emailing digitalpolicy@dta.gov.au. seek to move to commercial arrangement for generative AI solutions as soon as it is possible to […]
Member only content (join now or login)

EU-U.S. Data Privacy Framework

by

This week the European Commission has adopted its adequacy decision for the EU-U.S. Data Privacy Framework. The decision concludes that the United States ensures an adequate level of protection – comparable to that of the European Union – for personal data transferred from the EU to US companies under the new framework. On the basis of the new adequacy decision, personal data can flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards. The EU-U.S. Data Privacy Framework introduces new binding safeguards to address all the concerns raised by the European Court of Justice, including limiting access to EU data by US intelligence services to what is necessary and proportionate, and establishing a Data Protection Review Court (DPRC), to which EU individuals will have access. The new framework introduces significant improvements compared to the mechanism that existed under the […]
Member only content (join now or login)

Ethics in the Age of Disruptive Technologies: An Operational Roadmap

by

Ethics in the Age of Disruptive Technologies: An Operational Roadmap (ITEC Handbook) by José Roger Flahaux, Brian Patrick Green, and Ann Skeet, offers organisations a strategic plan to enhance ethical management practices, empowering them to navigate the complex landscape of disruptive technologies such as AI, machine learning, encryption, tracking, and others while upholding strong ethical standards. The Institute for Technology, Ethics and Culture (ITEC), housed at the Markkula Center for Applied Ethics at the Santa Clara University, is a collaboration between the Center and the Vatican’s Dicastery for Culture and Education. The Institute convenes leaders from business, civil society, academia, government, and all faith and belief traditions, to promote deeper thought on technology’s impact on humanity. Download the ITEC Handbook via the link here 
Member only content (join now or login)

Happy 5th Birthday GDPR

by

On the 5th anniversary of commencement of the GDPR, Věra Jourová, Vice-President for Values and Transparency, and Didier Reynders, Commissioner for Justice, issued a statement highlighting that the GDPR was a decisive step in shaping the digital transition in the EU, setting global standards for the safe regulation of data flows and creating the foundation for a human-centric approach to the use of technology.  They point out that the GDPR is the foundation of the EU’s arsenal of digital laws that shape the EU data economy, such as the Data Act and Data Governance Act.  Since enforcement of the GDPR commenced on 25 May 2018, over €2.5 billion in fines have been imposed by national data protection authorities for breaches of the GDPR. Read the statement here  5th anniversary of the General Data Protection Regulation (europa.eu) On the “This Week in Digital Trust” podcast, you can listen to Melanie Marks, elevenM privacy […]
Member only content (join now or login)

Safe and Responsible AI Discussion Paper

by

The Government’s Safe and Responsible AI in Australia Discussion Paper was released by Science and Industry Minister, Ed Husic MP released last week.  The Discussion Paper canvasses existing regulatory and governance responses in Australia and overseas, identifies potential gaps and proposes several options to strengthen the framework governing the safe and responsible use of AI.  The paper builds on the recent Rapid Research Report on Generative AI delivered by the government’s National Science and Technology Council. Also released is the National Science and Technology Council’s paper Rapid Response Report: Generative AI assesses potential risks and opportunities in relation to AI, providing a scientific basis for discussions about the way forward. Access the Safe and Responsible AI in Australia Discussion Paper here Access the Rapid Research Report on Generative AI here You can have your say on the discussion paper by answering some or all of the 20 questions on the Government’s online survey and upload a separate submission if needed – access the link here Make […]
Member only content (join now or login)

Regulating AI in the UK (part 2)

by

Last month we brought you the UK Government’s White Paper released on 29 March 2023, to implement a pro-innovation approach to AI regulation and the EU’s AI Act with Tom Whittaker’s flowchart to assist in navigating the proposed EU AI. Tom Whittaker of Burgess Salmon (UK) has developed a further flowchart to assist in navigating the proposed UK approach to AI regulation.  It identifies the key decisions to be considered and references the relevant sections of the White Paper. As Tom points out, organisations may find they need to navigate multiple regulatory regimes and jurisdictions. How they comply with each of those regulations (and other relevant laws) may look very different. For example, you can see the different approaches being taken by looking at the one-page visual on anticipated AI regulations in the UK, EU and US, see the horizon scanning access here; and the glossary of existing and anticipated AI definitions […]
Member only content (join now or login)

The State of AI Governance in Australia

by

The Human Technology Institute has just released a report into the The State of AI Governance in Australia providing a timely overview of how organisations are approaching the governance of AI in Australia today. Its findings are based on surveys, structured interviews, and workshops engaging more than 300 Australian company directors and executives, as well as expert legal analysis and extensive desk research. The report reveals that corporate leaders are largely unaware of how existing laws govern the use of AI systems in Australia. The report finds that both company directors and senior executives see huge opportunities for AI systems to improve productivity, process efficiencies, and customer service. But investment in AI systems and technical skills has not been matched by investment in AI system management and governance. Furthermore, corporate leaders report that they lack the awareness, skills, knowledge and frameworks to use AI systems effectively and responsibly.  The report suggests four […]
Member only content (join now or login)

NSW Information Commissioner releases the findings from research into the informal release pathway to celebrate Open Government Week 2023

by

In celebration of Open Government Week 2023, the NSW Information Commissioner published the results from research into the informal release pathway and a compliance audit into the informal release practices of NSW public sector agencies. The compliance audit made several key findings: Overwhelmingly, 83% of informal requests recorded by agencies resulted in information being released. 53% of agencies did not have a documented policy/procedure policy for dealing with informal access requests that was available to staff making decisions on informal applications 58% of agencies did not provide a written outcome to the applicant who requested information 58% of agencies do not have a fixed timeframe for responding to informal access requests. 47% of the agencies indicated that they monitor trends in informal access requests to identify what could be released proactively. Interestingly, the research also found that in general agencies are aware of and using the legislation to release information […]
Member only content (join now or login)