Webinars      Login/Register      Cart

InfoGovANZ

Information Governance Think Tank

InfoGovANZ

APAC Privacy Law Update: Cross Border Transfers

by

With a range of new regulations, tools and projects underway, Information Governance ANZ were pleased to host a virtual forum with updates on the latest data privacy developments across the Asia Pacific region.
This interactive session was facilitated by Susan Bennett, Founder of InfoGovANZ and our special guests included:

  • NZ Privacy Commissioner – John Edwards
  • Senior Research Fellow, Asian Business Law Institute – Dr Clarisse Girot
  • Director, Simply Privacy – Daimhin Warner

Commissioner John Edwards on the new NZ Privacy Act

New Zealand’s Privacy Act 2020 comes into force on 1 December 2020 and introduces new limitations on cross-border transfers.

Commissioner Edwards spoke about the new legislation and provided a brief history of the Act since 1993. It applies across the economy (both public and private sector organisations), is based on the 1980 OECD data protection principles and is technology-neutral. He noted the Act has remained largely unamended during the intervening decades.

New Zealand received an ‘adequacy ruling’ by the European Commission recognising that it provided an adequate level of protection to personal data of European citizens.  In 2011 the Law Commission carried out a review and found the Act remained broadly fit for purpose, although some modernisation was recommended.

The new law comes into effect from 1 December. It includes some new obligations and policy initiatives, including mandatory breach notification. It sets quite a high threshold for harm criteria, to prevent “over reporting” which can undermine public confidence.

The Office of the Privacy Commissioner has released a reporting tool, Notify Us, to help organisations assess a breach situation and report appropriately. The tool was developed with a user-centred design approach, to enable assessment and reporting even if the user knows very little about the Privacy Act.

The Act includes a new principle, limiting general powers of disclosure for overseas data transfers. It is not considered a disclosure if data is simply stored or transmitted, for example in a software-as-a-service or hosted environment. Data must not be used or tracked by the IT service provider for their own purposes. As with GDPR, there is some extraterritoriality and the Act will still apply if the organisation is considered to be carrying on a business in New Zealand, even if the recipient is outside New Zealand.

To facilitate cross-border transfers of personal information, advice and model contractual clauses will be available from the OPC website, along with another tool to print out tailor made contracts.

The Commissioner can issue compliance notices, not fines – although there are criminal offences for impersonating an individual or destroying personal information that has been requested. He noted that updates to the Act are based on recommendations almost 10 years old, so there may be scope for further improvement, but the principles-based approach offers a reliable framework over time.

Daimhin Warner on how practitioners can prepare

Daimhin encouraged privacy practitioners to focus on preparing for cross border transfers, noting there are a few tricky issues to tackle for compliance. The old Act encouraged a ‘reactive’ approach, but the new Act required proactive due diligence.

For example, every entity in a group of companies is considered a separate organisation, so it’s important to manage the risk of disclosure in data that may be transferred within the group.

He noted it will not apply to a service provider or data processor in the majority of cases. Situations that will need more careful consideration may include health research organisations or law enforcement agencies, potentially sharing personally identifiable data with counterparts around the world. Principle 12 does not apply in ‘controller to controller’ transfers if required for public safety.

The Act requires consent to be expressly confirmed but this does not necessarily mean it is freely given. Where citizens are accessing a service provided by government they may have very little choice. Daimhin emphasised consent should always be a last resort.

At a macro level, it can be difficult to compare privacy protections in different jurisdictions and the legal landscape is constantly evolving. As such, regulators are reluctant to issue “white lists” of countries where data can be safely transferred.

Daimhin explained several key things for organisations to consider. He encouraged the use of model contractual clauses issued by the OPC.

He also recommended engaging a local privacy expert, based in the receiving country, to understand how a law is actually being implemented in practice.

Dr Clarisse Girot on the consequences of regulatory cooperation

Dr Girot discussed the interaction and interdependence of data protection laws and data transfer requirements across the region. She noted it is a very complex area of law with a lot of differences in requirements and coverage.

ABLI’s Data Privacy Project considers the convergence of regulations on cross-border data transfers in 14 Asian jurisdictions. It was selected from 850 applications showcased at the 3rd edition of the Paris Peace Forum in November 2020.

The project has produced a comparative table and analytical review of the differences and commonalities across these regulations. It aims to provide up to date information, accessible in English, to support data transfers within APAC and between APAC and other parts of the world.

Data protection laws increasingly include extra territoriality, which means companies may be subject to many laws at once. This is not just the case with GDPR but many existing and upcoming regulations in the APAC region.

There are also challenges of scope. Even when the laws look very much the same, entire parts of an economy or society may not be covered. This has huge implications for regulatory cooperation and assessing adequacy or levels of data protection in a destination country.

Data localisation is another issue attracting attention in APAC. A growing number of countries require data to be maintained onshore not just for privacy reasons but also for national security or digital sovereignty.

Provisions are mushrooming across the region, many inspired by GDPR or OEDC privacy guidelines. A few of the countries issuing new or amended privacy legislation include China, India, Thailand, Malaysia, Indonesia, Sri Lanka and Pakistan. So there is a lot of uncertainty.

Additionally, a recent case between the Data Protection Commission (Ireland) and Facebook (often referred to as Schrems II), raised questions about EU-approved data transfer mechanisms including Safe Harbour, Privacy Shield and standard contractual clauses.

The findings have wider implications globally, including in the APAC region, and may act as the catalyst for regulatory alignment around the world. The interdependence of data protection frameworks is now very apparent. Policy makers are renegotiating and updating standard contractual clauses.

Dr Girot outlined some mechanisms that can be used to promote interoperability, such as contracts, binding corporate rules, certification, codes of conduct and other accountability measures.

Recent surveys show that information governance is regarded as a key enabler for managing data protection and safe data transfers. This includes knowing where your data is held (including copies), lifecycle management, storage and disposal.

If you would like to listen to the full discussion you can access a recording of the session here.

Sonya Sherman is a member of the Information Governance ANZ advisory board member and Principal at Zen Information.

Caryn Png

by

Tell us about yourself?

I grew up in Sarawak, Malaysia and I have worked in various Information Technology disciplines over the past 20 years. For the last 6 years I have been responsible for managing, leading and implementing information and records governance strategy, policies and initiatives for a power utility company in Malaysia.

I also recently obtained the Certified Information Professional (CIP) by AIIM as my career certification path. I am a proud mother of 2 children. I enjoy zumba and I am passionate about family, friends and healthy balanced lifestyle.

What led you into the world of Information Governance (IG)?

Working for an end-to-end energy service provider, the organization operates in a highly regulated industry. In such environment, it is critical for the organization to clearly identify and abide to the relevant regulations and codes of practices. I was tasked to lead the new IG section and to achieve the set objectives and that was how I started in the world of IG.

What pressures are organisations facing to ensure IG best practices?

I think information security is a major driving force for organization to implement Information Governance. Today’s organizations are faced with the overwhelming challenge of managing, finding, and leveraging their information. Before any organisation can find or leverage on any of it, organizations need to first make sure they are safeguarded. The needs have become more apparent as more and more disruptive technologies are invented and rolled out into the industries. One example that I can give is cybersecurity which organisations must tackle. Access to information has become so discrete and fluid that safeguarding the information has become that much harder.

Another pressure point is the need for compliance to regulatory requirements. Organizations would require Information Governance for this to happen. And the challenge of getting this right has become harder than ever. Nowadays, organizations are having difficulties in getting the required critical business information for decision making and organization is also at risk in losing critical business information. As information disorganization are common in many organizations, it increases the risk in breach of information confidentiality, integrity and availability. Non-compliant organizations risk incurring much more than just heavy fine. Loss of customers trust and a damaged reputation are just a few of the risks if information is not tended to properly. These thus put pressure on organizations to embark on IG best practices as quickly and accurately as possible.

What are the biggest developments you have seen in the IG?

Over the last 5 years, the biggest developments that I have seen in the IG is the employment of qualified information management professionals with appropriate skills and competencies. The numbers of certified information management professionals have grown in leaps and bounds all over the world. Moreover, there are various paths to Information Governance professional development nowadays. Formal certifications paths are globally available for IG professionals to demonstrate their knowledge and expertise in various information management-related disciplines.

Do you have any tips for someone starting out in IG?

I think individuals should get as much experience in all areas of Information Governance; strategy and policy, information and privacy, law and regulations, records management, and technology. One helpful advantage is to not think in silo, as governance cuts across domains of management and technology. All these experiences are part and parcels of the journey to implementing proper Information Governance. Never stop learning as Information Governance is a continually evolving program, changing as technology and business needs change.

With the rapidly evolving technologies and digital disruption, where do you see IG heading in the next few years?

As we enter a new decade, we are seeing more and more organizations adopting cutting edge technology and cloud-based workplace. We can work anytime, anywhere! This makes information increasingly tougher to control. Information growth will go on and the need for Information governance cannot be disregarded. I believe organisations will increase their spending on Information Governance products and services to be better equipped when it comes to managing their information.

The future of Information Governance is unquestionably bright. I can see Information Governance gaining more traction within organisations as we enter a world where compliance and security are becoming a competitive edge.

Information Governance by its nature interdisciplinary. In my opinion, to be successful, organization will need to adopt a holistic approach. It takes effort and good collaboration from various teams namely IT, RIM, Audit, Legal and Business Operations in an organization to manage information appropriately and successfully. Any organization that recognizes this effort will undoubtedly be leading the future of information governance.

Why is it important to be a member of InfoGovANZ ?

InfoGovANZ is an interconnected space where members have access to experienced international information governance practitioners sharing and exchanging knowledge, experience and ideas about IG best practices. The networking and professional events are excellent which I find it useful for making new contacts and learning more about what’s happening in the information governance space. I feel very privileged to be a part of InfoGovANZ.

 

 

Exposure Draft of the Data Availability and Transparency Bill

by

 

The draft Data Availability and Transparency Bill aims to modernise and streamline the sharing of government data between agencies and with the private and research sectors. Under the legislation, data will be shared for three purposes: government services delivery, informing government policy and programs, and research and development.  The Consultation Paper contains a simplified summary of the legislative package.

Submissions made by a group of multidisciplinary practitioners and academics highlight privacy and governance concerns.  These include the override of Australia Privacy Principle (APP) 6 and the inherent conflict of National Data Commissioner whose mandate is to encourage data sharing with the enforcement of the regulation.  The submission recommends that governance and assurance be regulated the Australian Information and Privacy Commissioner.  You can read the submission here.

Ilana Lutman

by

Ilana brings more than 20 years of experience as an information professional in government, corporate, industry and nonprofit sectors to Information Governance ANZ's International Council.

 

Having worked in a variety of roles across the information management spectrum, she is dedicated to assisting organizations to be in control of their information assets and helping her clients gain access to the right information at the right time at the lowest cost to maximize workplace productivity. To this end, she utilizes her experience in records management, discovery, litigation support, legal operations, cloud risk evaluation, data privacy and building bridges across disciplines.

 

Tell us about yourself?

I grew up in suburban Sydney and I’ve moved countries twice, first to Israel and then to NJ, USA where I’ve been for twenty years. Subsequently, I’m skilled at starting over and adapting to different lifestyles, cultures, work environments, and making new friends. I love swimming and Pilates. I believe in doing for the greater good and have recently joined the Big Brother Big Sister mentoring program as a Big to my Little 16-year-old sister. Last but certainly not least, I am a mother to two millennials who keep me grounded to what really matters in my life.

 

What led you into the world of Information Governance (IG)?

I came to IG through what I call the “traditional” path. My affinity with contemporary history led me to start in the world of archives, after which I moved into records and information management. With my RIM background I was fortunate enough to land a corporate IG position which enabled me to expand into e-discovery and legal operations.  My journey has been a progression that reflects the maturity and expanding scope of the information management profession. Along the way I completed a Masters in Library and Information Science and became a certified records manger (CRM) and certified information privacy professional (CIPP/US).

 

Tell us about your current role in IG?

After having worked in government, non-profit and corporate, I decided that my next step was to share my craft and experience with a range of clients.  The best way to maximise this was to take the leap into the consulting world and in June 2019 I started at Deloitte in the Information Governance and eDiscovery practice. I love helping clients enhance their organizations’ RIM and IG programs, but the best part is going into a company with my team and leaving it in a better position, more efficient, with more functioning business processes than when we went in. In addition, I’m currently on the ARMA northeast region advisory committee and I facilitate a week on IG for online Records Management classes at several US universities.

 

What pressures are organisations facing to ensure IG best practices?

Writing this as we begin to emerge from COVID-19 stay-at-home orders, the new reality for IG’s future is unknown.  However, IG’s basic tenants of optimizing control, security and disposition of information while mitigating risk will need to continue to function as long as organizations exist.  Pressures to ensure best practices come in the form of external and internal drivers. External drivers include authorities such regulatory and legislative imperatives as well as sectorial and industry compliance and standards. In addition, a huge impetus for many companies is brand reputation, sustainability and loyalty.  No less important are internal drivers such as compliance with internal policies and procedures as well as company culture and mindset.

 

What are the biggest developments you have seen in the IG?

One of the biggest developments I’ve seen in IG is the intellectual thought maturity around IG itself. The last six years have seen a burgeoning in IG models starting with the EDRM, and continuing on with the Compliance, Governance and Oversight Council IG Process Maturity Model, ARMA IG Implementation Model (IGIM), Association of Corporate Counsel Legal Operations Maturity Toolkit, Corporate Legal Operations Consortium and InfoGovANZ. These models are readily available, and each has a different slant that provides a lens through which to view, drive and implement IG frameworks.

Undoubtedly, digitization programmes have had a huge impact on IG as well as data migration initiatives. Finally, the who, what, where, why of records and information and the need for routine deletion is the core of a sound IG program. Most organizations realise that it is important to know data owners, descriptions of data sources, timeframe of the data, location and the purpose of collecting the data and when and how data is dispositioned. It’s our job as IG professionals to get organizations to act on what they know is the right and necessary road to take.

 

Do you have any tips for someone starting out in IG?

IG practitioners come from varied backgrounds – the arts, health sciences, finance, law and IT. A basic function of IG is to build bridges between multi-disciplines such as RIM, privacy, security, RIM and IT (systems and architecture). Anyone starting out today should be competent in several areas and know enough to be able to navigate across disciplines. In addition to hard skills, IG personnel need to bring their soft people skills to the table. So many IG projects depend on integrating teams, negotiating resources and coordinating across boundaries. In addition, IG professionals have to make themselves available for new initiatives and put themselves “out there”. Continual education and self-reinvention are needed to keep moving forward.

 

With the rapidly evolving technologies and digital disruption, where do you see IG heading in the next few years?

The future for IG is positive as long as practitioners consistently align with organizational goals, prioritise information needs and mitigate potential risks caused by inadequate controls. Areas in which IG can partner with business units to be innovative and forward thinking are squeezing the wisdom out of data or monetizing data analytics, using AI for classifying large data sets (think unstructured data on file shares and file sharing sites) and mediating in the tug of war between retaining big data and implementing data anonymization versus the desire to defensibly delete at all costs.

 

Why it is important to be a member of InfoGovANZ?

While I love it in the US and am grateful for the career opportunities and wonderful colleagues, as Peter Allen sings “I still call Australia home”. I was thrilled to first meet Susan Bennett two years ago at Legal Week NY and I immediately signed up to InfoGovANZ. We reconnected this past February 2020 again at Legal Week and took a deep dive into how we could work together and channel our energies to inform, educate and share knowledge. Since then, I’ve got used to attending webinars at 10pm ET so I can meet, connect with and present to information professionals across the globe.

Principles of Explainable AI

by

AI
The US National Institute of Technology and Standards (NIST) has released a draft paper of 4 principles of explainable AI, which is one of several properties that characterise trust in AI systems. Other properties may include resiliency, reliability, bias and accountability. Usually, these terms are defined as a part or set of principles or pillars. This draft paper sets out there are 4 principles encompassing the core concepts of explainable AI as follows:

 

  • Explanation: Systems deliver accompanying evidence or reason(s) for all outputs.
  • Meaningful: Systems provide explanations that are understandable to individual users.
  • Explanation Accuracy: The explanation correctly reflects the system’s process for generating the output.
  • Knowledge Limits: The system only operates under conditions for which it was designed or when the system reaches a sufficient confidence in its output.

AI Transparency in Digital Government

by

In celebration of International Access to Information Day and Right to Know Week in NSW 2020, we held an event on AI Transparency in Digital Government with NSW Information Commissioner Elizabeth Tydd, Victorian Information Commissioner Sven Bluemmel and Dr Jat Singh, Senior Research Fellow at the University of Cambridge. The discussion focused on the duty government agencies have to disclose algorithms used in providing services and making decisions about services and benefits to citizens.

The Commissioners highlighted that robust procurement processes are essential where technology using algorithms are being procured by agencies. Commissioner Bluemmel said the bar needs to be set really high where the algorithmic decision-making involves people and their liberties and livelihood. Transparency is necessary to understand how the decisions are made in order to assert our rights. Dr Singh pointed out that transparency needs to be meaningful so that it allows us to be able to interrogate, scrutinize and challenge, and it requires organisations to give careful consideration to what is needed to enable adequate transparency of algorithms. Commissioner Tydd stated that agencies should be maintaining an inventory of the algorithms used in government-decision making and that it should be included on agency websites. The final point was that the cost to citizens of exercising the right to access information in relation to decision-making using algorithms should be minimal - that is, the cost should be lower if the information is held in digital form and not increase because a data scientist or lawyer is required to be involved with the access request.

You can access the webinar recording here. All the resources mentioned in the webinar can be accessed through the following links:

You can learn more about Right to Know Week and access more resources by visiting the RTK webpage.