InfoGovANZ

Information Governance Think Tank

Privacy

Privacy Act Review Report

by

The long awaited report reviewing Australia’s Privacy Act 1988 has been released by the Australian Government, proposing significant changes including individual rights modelled on the GDPR, such as the right to request erasure, and notification of databreaches to Office of the Australian Information Commissioner within 72 hours.

Attorney-General Dreyfus’ statement releasing the report says, ‘the Privacy Act has not kept pace with the changes in the digital world. The large-scale data breaches of 2022 were distressing for millions of Australians, with sensitive personal information being exposed to the risk of identity fraud and scams.’

In relation to security, destruction and notifiable databreaches the report states, ‘recent large-scale data breaches have highlighted the vast amount of personal information that is collected and retained by entities, and the need for entities to put in place stronger protections to prevent unauthorised access to Australians’ information. The best way to protect personal information is for entities to minimise the amount of personal information they collect and retain. The Act already requires entities to only collect what is reasonably necessary and to destroy personal information when it is no longer required. This requirement would be reinforced through enhanced OAIC guidelines for entities on the reasonable steps they should take to destroy or de-identify personal information so that they can be in a better position to meet their obligations. In addition, this Report proposes that entities should determine, and periodically review, the period of time for which they retain personal information. There should be a further review of legal provisions outside of the Privacy Act that require certain forms of personal information to be retained. This further work should determine if those requirements appropriately balance the intended policy objectives with the privacy and cyber security risks of entities holding significant volumes of personal information. The Report also proposes enhancements to the Notifiable Data Breach scheme (NDB scheme) so that, when a data breach occurs, quick action can be taken to minimise harm to affected individuals. Proposed new data breach reporting obligations, including notifying the Information Commissioner (IC) within 72 hours of becoming aware of a data breach, would assist with this objective. The Report also proposes further work to better facilitate reporting processes for entities with multiple reporting obligations.’

The Government is now seeking feedback on the 116 proposals in this report before deciding what further steps to take.

Submissions on the report are due on 31 March 2023.

Read the report here – https://bit.ly/3YAZ9b7

Balancing Organisational Accountability and Privacy Self-management in APAC

by

The Asian Business Law Institute and Future of Privacy Forum has published a report providing a detailed comparison of the requirements for processing personal data in 14 jurisdictions in APAC including Australia, China, India, Indonesia, Hong Kong SAR, Japan, Macau SAR, Malaysia, New Zealand, the Philippines, Singapore, South Korea, Thailand, and Vietnam.

Individual reports for these 14 jurisdictions can be accessed here: ABLI-FPF Convergence Series – Balancing Organizational Accountability and Privacy Self-management in Asia-Pacific.

LawFest 22: Re-connecting & challenging your thinking

by

On 28 September, 365 legal professionals from across Aotearoa and abroad gathered in person in Auckland for the premier legal innovation and technology event on the New Zealand calendar.

LawFest is the only opportunity in New Zealand for the legal and technology community to come together to network, collaborate and learn about how to innovate and adapt to change – and to do so in-person ! After the disruption we have collectively faced over the past couple of years, there was even greater appreciation of the value of face-to-face connection!

The event was once again a must for anyone interested in driving efficiency in their organisation.

 

The key highlights

The one-day event was a great opportunity to hear from leaders and change makers in the innovation space. The programme provided something for everyone, from those new to technology, to those currently at the forefront of legal innovation.

Over 25 amazing speakers, delivered practical insights of how to innovate and leverage technology to help you deliver legal services for today and the future. From Developing an Innovative Mindset, Client Centred Innovation, NewLaw, Digital Transformation, Wellbeing, Māori Transformational Leadership, Privacy, Trust & Technology, AI, eDiscovery, Responding to Data Breaches, Attracting new Clients through to Legal Design, LawFest had something for everyone.

Frances Valintine CNZM, founder at Tech Futures Lab was the opening keynote as she inspired and challenged thinking with her expertise in creating a mindset that is adaptable and embraces change. Frances delivered practical tips to help you with your innovation initiatives and prepare you for now and the future. She reinforced the importance to be inspired and empowered to take risks, step off the conveyor belt, think originally, and lead with possibility – to create greater value for your clients.

The day was wrapped up by a fantastic final keynote by Mark A. Cohen – one of the world’s leading legal industry thought leaders. Mark examined the key elements of New Law and how legal professionals can prepare for it and be ready to embrace it, whilst challenging the thinking of all in attendance.

PwC NewLaw Directors, Marlo Osborne-Smith and Eric Chin provided powerful frameworks, strategies and solutions to help shape and accelerate the digital transformation journey of legal teams.

 

InfoGovANZ founder & Executive Director Susan Bennett, moderated a session on Privacy, Trust & Technology: Innovation with Accountability, joined by Sarah Auva’a, Lead Digital Trust Partner, Spark and Emma Maconick, Head of Data and Technology, EY Law. This wide-ranging discussion answered critical questions including what is privacy-by-design and security-by-design, why trust and ethics matter, how good governance can help mitigate risk and how to make the business case for investment in privacy and governance projects – as well as the highly topical Optus data breach.

One of the fantastic additions this year was the highly popular breakout streams for those from law firms, in-house and exciting Tech Talks. Sara Rayment of Inkling Legal, led fantastic legal design sessions to both the law firm and in-house streams, providing ideas they could take back and implement.

Bringing everything together superbly was the MC, Helen Mackay of Juno Legal.

 

LawFest is the only event in New Zealand providing the opportunity to meet and see leading legal technology in the large exhibition hall, together with live legal tech demonstrations. This year LawFest featured the largest Expo of tech providers ever assembled at a New Zealand legal event. From start-ups, through to global household names – if you provide legal tech in New Zealand (or simply want to start) you were at LawFest.

The great content was complimented by fantastic networking opportunities, as the legal community were able to re-connect and network in-person – something we have all missed the value of over the past few years.

With LawFest 22 behind us, the focus now shifts to LawFest 23 on 1 June, where we will look to explore further how to adapt and thrive in an ever-changing legal market.

 

Author:

Andrew King, Founder and Strategic Advisor – E-Discovery Consulting

OAIC guidance on retention and deletion of PI

by

In July, OAIC published guidance on the retention and deletion of personal information (PI) collected during the COVID-19 pandemic. Organisations should take stock of the personal information they hold and assess whether it is necessary to continue to collect and retain PI.

Australian Privacy Principles 11.1 and 11.2 require that reasonable steps be taken to protect personal information and personal information be destroyed or de-identified once it is no longer needed.

If information is stored electronically, such as in cloud-based storage, servers, USBs or with a third-party provider, you should ensure that the digital records are permanently destroyed, including in any back-up system or offsite storage.

It is also important to consider whether employees require any training to ensure that personal information is securely destroyed.

In November, OAIC published the COVIDSafe privacy report in accordance with s 94ZB of the Privacy Act, which examined compliance and risk throughout the ‘information lifecycle’ of COVID app data collected during the pandemic. Read the COVIDSafe Report May–November 2022 here.

IAPP Global Summit 2022 Report

by

Celebrating the joy of reconnecting was the theme of the opening address by Trevor Hughes, President and CEO of IAPP.  This year’s Global Privacy Summit had over 4,000 attendees and took place over four jam-packed days in Washington DC. The Opening General Session got off to a flying start with three very different and thought-provoking key notes. Bestselling author Malcolm Gladwell highlighted the lessons to be learned from his recent book “The Bomber Mafia”. Warning against asking the wrong questions and solving the wrong problems, he noted that technology takes time to evolve and that “visionaries need help” with practical application.  Gladwell urged the audience to be humble about what technology can do and patient before deploying well-intended technological innovations with uncharted moral consequences. Professor Amy Gajda, author of “Seek and Hide”, discussed the pivotal 1928 Supreme Court case of Olmstead v. United States, in which Justice Louis Brandeis dissented […]
Member only content (join now)

OAIC’s updated guidance on vaccination status and protecting privacy

by

OAIC has updated its guidance on COVID-19: Vaccinations and privacy rights as an employee and Vaccinations: Understanding your privacy obligations to your staff. Key points include: Vaccination status information can only be collected without consent in circumstances where the collection is required or authorised by law (including a state or territory public health order or direction). Only the minimum amount of personal information reasonably necessary to maintain a safe workplace should be collected, used or disclosed. Vaccination status information should only be used or disclosed on a ‘need-to-know’ basis. You must inform employees about how their vaccination status information will be handled. Ensure you take reasonable steps to keep employee vaccination status and related health information secure.
Member only content (join now)

New Zealand’s Privacy Commissioner releases a paper on biometric regulation

by

New Zealand’s Office of the Privacy Commissioner (OPC) has released a position paper setting out how the Privacy Act regulates biometrics.  The increasing role of biometric technologies in the lives of New Zealanders has led to calls for greater regulation of biometrics. In a statement releasing the paper, the OPC said, ‘[it] believes that the privacy principles and the regulatory tools in the Privacy Act are currently sufficient to regulate the use of biometrics from a privacy perspective.’  The paper is intended to inform decision-making about biometrics by all agencies covered by the Privacy Act, in both the public and private sectors. This position paper will be reviewed six months after publication, in consultation with key stakeholders, to assess its impact and whether any further steps are required. Read the OPC’s summary of key issues or the full position paper.
Member only content (join now)

Digital Identity Legislation

by

The Australian Government has released an exposure draft of the Digital Identity legislation (the Trusted Digital Identity Bill) to support the expansion of the Australian Government Digital Identity System (the System). The proposed legislation aims to enshrine in law, privacy and consumer safeguards in the System as it expands to include more services and sectors. The legislation also establishes permanent governance arrangements to be guided by principles of independence, transparency and accountability. Feedback is being sought on the draft legislation and the accompanying documents to make sure the System meets the expectations of Australians and Australian businesses. Available on the Digital Identity website: Guide to the Digital Identity legislation Trusted Digital Identity Bill 2021 exposure draft Trusted Digital Identity Framework (TDIF) accreditation rules Trusted Digital Identity rules Regulation Impact Statement (RIS)
Member only content (join now)

OVIC Guidance on Collaboration Tools

by

The rise of flexible working arrangements means that collaboration tools, such as videoconferencing and instant messaging tools, as well as cloud-based document creation and sharing services, are increasingly essential to facilitate collaboration. The Office of the Victorian Information Commissioner has provided guidance to assist organisations to consider their privacy obligations when implementing and using collaboration tools, plus information security and record-keeping considerations. Read the Guidance here.
Member only content (join now)

National COVID-19 Privacy Principles

by

The Office of the Australian Information Commissioner and State and Territory privacy commissioners have produced universal privacy principles to support a nationally consistent approach to solutions and initiatives designed to address the ongoing risks related to the COVID-19 pandemic. These high-level principles provide a framework to guide a best practice approach to the handling of personal information during the pandemic by government and business. Read the Principles here.
Member only content (join now)

Protection of Personal Information in Universities

by

The protection of information by universities has come under focus in recent years as a number of Australian universities have been subject to cybersecurity attacks. These attacks highlight the risks of data breaches and the potential impact on students, staff, and research participants. This led to the Office of the Victorian Information Commissioner (OVIC) examining the policies and procedures that Victorian universities have implemented to protect the personal information that they hold from loss and misuse. The Victorian Information Commissioner released its report on  the Examination of Victorian universities’ privacy and security policies report on 29 June 2021 (report).   The findings included that not all universities have clear policies and procedures to guide staff to destroy personal information when it is no longer needed, and some do not have written guidance about sharing personal information with third parties to support staff to consider information security risks. The Victorian Information Commissioner, […]
Member only content (join now)

Protection of personal data in universities Examination Report

by

Victoria’s Information Commissioner recently released a report following an examination of the privacy policies and procedures in eight Victorian universities. The report found that many universities don’t have clear policies to guide staff to destroy personal information when it is no longer needed. While Universities are prioritising ICT and cybersecurity risks, in general, they have less of a focus on managing risks to personal information related to physical and personnel security. The report includes recommendations for universities to strengthen the protection of personal information by developing policies and procedures to identify and document the personal information they hold, where it is held, and for sharing information with third parties and contracted service providers. InfoGovANZ is hosting a session with Sven Bluemmel – Victorian Information Commissioner to highlight the key findings of the report and discuss the recommendations, book your ticket here. Read more about the report here.
Member only content (join now)

OAIC guidelines on the collection of staff vaccination status

by

With the COVID-19 vaccine national rollout underway, the Office of the Australian Information Commissioner has released a new COVID-19 Vaccinations privacy guidance for employers to understand their obligations when collecting, using, storing and disclosing employee health information related to the vaccine. It complements the COVID-19 Guidance for employers which provides more general information about the privacy obligations of Australian Government agencies and organisations covered by the Privacy Act 1988.
Member only content (join now)

OPC’s new interactive online tools

by

The Office of the Privacy Commissioner has created two new interactive online tools to help organisations and businesses understand what they need to do if they are sending New Zealanders’ personal information overseas to comply with the new principle 12. The Principle 12 Decision Tree – is designed to help organisations, especially SMEs, easily work out if principle 12 applies to information they are disclosing overseas and whether they have to comply with it. You can try the Principle 12 Decision Tree here. If principle 12 does apply to the disclosure of information, the best and most practical way to comply with it might be to have an agreement with your foreign person or entity that provides for comparable safeguards to New Zealand’s Privacy Act.  Businesses and organisations now use the Model Contract Clause Builder to generate an agreement.  You can try the Model Contract Clauses Agreement Builder here.
Member only content (join now)

APAC Privacy Law Update: Cross Border Transfers

by

With a range of new regulations, tools and projects underway, Information Governance ANZ were pleased to host a virtual forum with updates on the latest data privacy developments across the Asia Pacific region. This interactive session was facilitated by Susan Bennett, Founder of InfoGovANZ and our special guests included: NZ Privacy Commissioner – John Edwards Senior Research Fellow, Asian Business Law Institute – Dr Clarisse Girot Director, Simply Privacy – Daimhin Warner Commissioner John Edwards on the new NZ Privacy Act New Zealand’s Privacy Act 2020 comes into force on 1 December 2020 and introduces new limitations on cross-border transfers. Commissioner Edwards spoke about the new legislation and provided a brief history of the Act since 1993. It applies across the economy (both public and private sector organisations), is based on the 1980 OECD data protection principles and is technology-neutral. He noted the Act has remained largely unamended during the […]
Member only content (join now)

OAIC Data Breach report: January – June 2020

by

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches (NDB) Report for January to June 2020. Malicious or criminal attacks remain the leading cause of data breaches involving personal information in Australia.    Commissioner Angelene Falk said,  'this trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks. It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.' In other findings: Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors, and the insurance industry making the top 5 sectors for the first time. The number of notifications resulting from social engineering or impersonation has increased by 47%. Actions taken by […]
Member only content (join now)

Protecting Privacy by Minimizing Data

by

Posted with permission from Active Navigation, originally published on June 1. Ten years ago, there was no such thing as too much data. Notions about data being the “new oil” prompted organizations to horde every byte they could, hoping that they might be able to harness it down the road. Combined with the notion that “storage is cheap,” this belief has led many companies to exponentially increased their risk rather than their opportunity. New data privacy regulations in Europe and the United States impose a significant burden of care on organizations regarding their data collection processes. In fact, data minimization is a fundamental principle within the European Union’s General Data Protection Regulation (GDPR). Whether governed by the GDPR or state privacy regulations like the California Consumer Privacy Act (CCPA), businesses must now limit the personal data they collect and dispose of it once it is no longer needed for a […]
Member only content (join now)

P3 Project Privacy Podcast from Active Navigation

by

Looking for a new podcast about data privacy?  Active Navigation has exactly what you need – the P3: Project Privacy Podcast aims to help you understand the evolving data privacy landscape. Episodes include:  The ROI of Proper Data Management; Records Management in Highly Regulated Industries; High Stakes Records Management; The NIST Privacy Framework; Open Data During Times of Crisis.  You can listen to the podcast anytime on the Active Navigation website.
Member only content (join now)

Information Security Risk Management Practitioner Guide – OVIC

by

The Office of the Victorian Information Commissioner (OVIC) issues security guides to support the Victorian Protective Data Security Standards (VPDSS). This document provides organisations with guidance on security risk management fundamentals to enable them to undertake a Security Risk Profile Assessment (SRPA) as required under s89 of the Privacy and Data Protection Act 2014(PDP Act) and is designed to support practitioners and information security leads.
Member only content (join now)

OAIC Privacy Assessment tool

by

OAIC launched a new Privacy Impact Assessment Tool (DOCX), which helps you conduct a PIA, report its findings and respond to recommendations. Accompanying the Guide to undertaking privacy impact assessments, entities are encouraged to take a flexible approach and adapt this tool to suit the size, complexity and risk level of their project.
Member only content (join now)