Webinars      Login/Register      Cart

InfoGovANZ

Information Governance Think Tank

Privacy

APAC Privacy Law Update: Cross Border Transfers

by

With a range of new regulations, tools and projects underway, Information Governance ANZ were pleased to host a virtual forum with updates on the latest data privacy developments across the Asia Pacific region.
This interactive session was facilitated by Susan Bennett, Founder of InfoGovANZ and our special guests included:

  • NZ Privacy Commissioner – John Edwards
  • Senior Research Fellow, Asian Business Law Institute – Dr Clarisse Girot
  • Director, Simply Privacy – Daimhin Warner

Commissioner John Edwards on the new NZ Privacy Act

New Zealand’s Privacy Act 2020 comes into force on 1 December 2020 and introduces new limitations on cross-border transfers.

Commissioner Edwards spoke about the new legislation and provided a brief history of the Act since 1993. It applies across the economy (both public and private sector organisations), is based on the 1980 OECD data protection principles and is technology-neutral. He noted the Act has remained largely unamended during the intervening decades.

New Zealand received an ‘adequacy ruling’ by the European Commission recognising that it provided an adequate level of protection to personal data of European citizens.  In 2011 the Law Commission carried out a review and found the Act remained broadly fit for purpose, although some modernisation was recommended.

The new law comes into effect from 1 December. It includes some new obligations and policy initiatives, including mandatory breach notification. It sets quite a high threshold for harm criteria, to prevent “over reporting” which can undermine public confidence.

The Office of the Privacy Commissioner has released a reporting tool, Notify Us, to help organisations assess a breach situation and report appropriately. The tool was developed with a user-centred design approach, to enable assessment and reporting even if the user knows very little about the Privacy Act.

The Act includes a new principle, limiting general powers of disclosure for overseas data transfers. It is not considered a disclosure if data is simply stored or transmitted, for example in a software-as-a-service or hosted environment. Data must not be used or tracked by the IT service provider for their own purposes. As with GDPR, there is some extraterritoriality and the Act will still apply if the organisation is considered to be carrying on a business in New Zealand, even if the recipient is outside New Zealand.

To facilitate cross-border transfers of personal information, advice and model contractual clauses will be available from the OPC website, along with another tool to print out tailor made contracts.

The Commissioner can issue compliance notices, not fines – although there are criminal offences for impersonating an individual or destroying personal information that has been requested. He noted that updates to the Act are based on recommendations almost 10 years old, so there may be scope for further improvement, but the principles-based approach offers a reliable framework over time.

Daimhin Warner on how practitioners can prepare

Daimhin encouraged privacy practitioners to focus on preparing for cross border transfers, noting there are a few tricky issues to tackle for compliance. The old Act encouraged a ‘reactive’ approach, but the new Act required proactive due diligence.

For example, every entity in a group of companies is considered a separate organisation, so it’s important to manage the risk of disclosure in data that may be transferred within the group.

He noted it will not apply to a service provider or data processor in the majority of cases. Situations that will need more careful consideration may include health research organisations or law enforcement agencies, potentially sharing personally identifiable data with counterparts around the world. Principle 12 does not apply in ‘controller to controller’ transfers if required for public safety.

The Act requires consent to be expressly confirmed but this does not necessarily mean it is freely given. Where citizens are accessing a service provided by government they may have very little choice. Daimhin emphasised consent should always be a last resort.

At a macro level, it can be difficult to compare privacy protections in different jurisdictions and the legal landscape is constantly evolving. As such, regulators are reluctant to issue “white lists” of countries where data can be safely transferred.

Daimhin explained several key things for organisations to consider. He encouraged the use of model contractual clauses issued by the OPC.

He also recommended engaging a local privacy expert, based in the receiving country, to understand how a law is actually being implemented in practice.

Dr Clarisse Girot on the consequences of regulatory cooperation

Dr Girot discussed the interaction and interdependence of data protection laws and data transfer requirements across the region. She noted it is a very complex area of law with a lot of differences in requirements and coverage.

ABLI’s Data Privacy Project considers the convergence of regulations on cross-border data transfers in 14 Asian jurisdictions. It was selected from 850 applications showcased at the 3rd edition of the Paris Peace Forum in November 2020.

The project has produced a comparative table and analytical review of the differences and commonalities across these regulations. It aims to provide up to date information, accessible in English, to support data transfers within APAC and between APAC and other parts of the world.

Data protection laws increasingly include extra territoriality, which means companies may be subject to many laws at once. This is not just the case with GDPR but many existing and upcoming regulations in the APAC region.

There are also challenges of scope. Even when the laws look very much the same, entire parts of an economy or society may not be covered. This has huge implications for regulatory cooperation and assessing adequacy or levels of data protection in a destination country.

Data localisation is another issue attracting attention in APAC. A growing number of countries require data to be maintained onshore not just for privacy reasons but also for national security or digital sovereignty.

Provisions are mushrooming across the region, many inspired by GDPR or OEDC privacy guidelines. A few of the countries issuing new or amended privacy legislation include China, India, Thailand, Malaysia, Indonesia, Sri Lanka and Pakistan. So there is a lot of uncertainty.

Additionally, a recent case between the Data Protection Commission (Ireland) and Facebook (often referred to as Schrems II), raised questions about EU-approved data transfer mechanisms including Safe Harbour, Privacy Shield and standard contractual clauses.

The findings have wider implications globally, including in the APAC region, and may act as the catalyst for regulatory alignment around the world. The interdependence of data protection frameworks is now very apparent. Policy makers are renegotiating and updating standard contractual clauses.

Dr Girot outlined some mechanisms that can be used to promote interoperability, such as contracts, binding corporate rules, certification, codes of conduct and other accountability measures.

Recent surveys show that information governance is regarded as a key enabler for managing data protection and safe data transfers. This includes knowing where your data is held (including copies), lifecycle management, storage and disposal.

If you would like to listen to the full discussion you can access a recording of the session here.

Author

Sonya Sherman is a member of the Information Governance ANZ Advisory Board and Principal at Zen Information.

OAIC Data Breach report: January – June 2020

by

The Office of the Australian Information Commissioner (OAIC) has released its Notifiable Data Breaches (NDB) Report for January to June 2020.

Malicious or criminal attacks remain the leading cause of data breaches involving personal information in Australia.    Commissioner Angelene Falk said,  'this trend has significant implications for how organisations respond to suspected data breaches — particularly when systems may be inaccessible due to these attacks. It highlights the need for organisations to have a clear understanding of how and where personal information is stored on their network, and to consider additional measures such as network segmentation, robust access controls and encryption.'

In other findings:

  • Health service providers continued to be the top reporting sector (115 notifications), followed by the finance and education sectors, and the insurance industry making the top 5 sectors for the first time.
  • The number of notifications resulting from social engineering or impersonation has increased by 47%.
  • Actions taken by a rogue employee or insider threat accounted for 25 notifications, and theft of paperwork or storage devices resulted in 24 notifications.
  • Human error accounted for 34% of data breaches. As Commissioner Falk stated, 'it reinforces the need for organisations and agencies to take reasonable steps to prevent human error breaches, including training for staff who handle personal information.'

The Commissioner has also reminded organisations that they must also continue to assess and address any privacy impacts of changed business practices, both during their response to the COVID-19 outbreak and through the recovery.

Read the Notifiable Data Breaches Report for January-June 2020.

Protecting Privacy by Minimizing Data

by

Posted with permission from Active Navigation, originally published on June 1.

Ten years ago, there was no such thing as too much data. Notions about data being the “new oil” prompted organizations to horde every byte they could, hoping that they might be able to harness it down the road. Combined with the notion that “storage is cheap,” this belief has led many companies to exponentially increased their risk rather than their opportunity.

New data privacy regulations in Europe and the United States impose a significant burden of care on organizations regarding their data collection processes. In fact, data minimization is a fundamental principle within the European Union’s General Data Protection Regulation (GDPR). Whether governed by the GDPR or state privacy regulations like the California Consumer Privacy Act (CCPA), businesses must now limit the personal data they collect and dispose of it once it is no longer needed for a legitimate business purpose.

New obligations require organizations not only to rein in data collection practices, but also to reduce the data already held. Furthering this imperative, over-retention of records or other information can lead to increased fines in the case of a data breach. As a result, organizations are moving away from the practice of collecting all the data they can toward a model of “if you can’t protect it, don’t collect it.” The focus now is on mitigating risk by adopting a strategy of data minimization.

ROTT(en) Data

Because regulations do not specify precisely what data should be erased, determining where to start with data minimization can be difficult. For most organizations, mapping their data estate is the most pragmatic way to begin.

Data governance experts frequently use the acronym ROT (redundant, obsolete, trivial) to describe data that provides no business value to an organization. Some experts expand that acronym to ROTT, adding “transitory” as another area of data vulnerability or duplication.

Using the ROTT acronym as a guide, the search for data that can be easily disposed of should be organized along the following lines:

Redundant: People tend to grossly underestimate how much of their data is redundant. Redundant information is duplicated in multiple places, either in a single system or across multiple systems. At any given time, up to 30% of an organization’s storage might be duplicate data. That is a huge amount of information that can be removed and will also make searching for information easier.

Obsolete: The value of information decreases precipitously over time, while its risk-to-value increases. Information can become obsolete if it is incomplete, outdated or incorrect. Using obsolete information can lead to poor decision-making, further posing risk to the business. An easy way to quickly assess obsolescence is by checking the creation or last accessed date.

Trivial: A surprisingly large amount of the information circulating around an organization’s systems does not have a legitimate business purpose. Documents detailing who is bringing what to the office potluck and back-and-forth conversations about meeting schedules do not provide value and should be deleted as soon as practical.

Transitory: Data in motion—information moving around a private or corporate network—should have a classification of its own for data minimization. Transitory data is not exactly duplicate data, but often includes data that is secured elsewhere. This type of data has sometimes fallen into the wrong hands, revealing sensitive information that was subsequently misused. It needs to be culled to minimize the risk it poses by remaining accessible and ungoverned.

Using Data Mapping to Improve Data Hygiene

Few organizations understand the totality of their data, and even fewer have a single, focused data protection or governance officer. Instead, there is a broad constituency in the C-suite overseeing data collection and usage for their separate domains. The CISO obsesses about leaks, hacks and phishing attacks. The CIO focuses on ensuring the business can monetize its data. The CTO looks at data through the lens of storage. And the legal team—some of the most vocal champions of data minimization—sees data as a legal and regulatory threat.

Even though only one is usually the designated custodian for information governance, each executive also has a different perspective on data hygiene. While each officer will naturally champion their own area’s needs, the one thing that will bring these widely differing interests together is understanding all the data the organization owns and the risks it poses. Data mapping is therefore key to minimization.

To start, it is essential to locate all data that an organization retains and expose the hidden areas of “dark data.” Gartner defines this as “assets organizations collect, process and store during regular business activities, but generally fail to use for other purposes,” such as analytics, business relationships and direct monetization. This is the only way to measure the depth of an organization’s exposure, assess the location and magnitude of the data, and identify what needs remediation and what is overdue for erasure. To do so, a company can use a range of technology to:

· Gain a cross-repository inventory of all content to identify the real data of value in your business

· Add pre-defined rules for handling a wide range of e-trash, stale, outdated and transitory (ROTT) content

· Adapt rules to make them actionable in your environment

· Test minimization policies across large volumes of files to understand their impact

First and foremost, shed light into all potential data repositories. For example, even if one department has decided to use a specific data storage solution like Dropbox, there is a good chance that different departments might be using others, like SharePoint or Box. All must be examined.

Once the data mapping is complete, organizations must digest and process the extent of their data chaos. Internally, this includes discussions on budget, responsibilities, authority, timing, people and processes. Organizations need to understand the various business drivers, stakeholders and risk areas in data privacy, such as audits, litigation, GDPR and CCPA regulations, and data migrations to the cloud. With this step complete, organizations can then decide what to fix and what type of tools or support they will need to remediate the issues.

Whatever the company needs to do, bear in mind that it cannot be done overnight. No one wants to get bogged down in a multi-year, multimillion-dollar initiative. After the initial sense of urgency, efforts can sometimes stall as a result of thinking too big. Instead, break down a project into modular, bite-sized chunks.

Throughout the journey, start to build in minimization concepts during the earliest phases of a data accumulation program. Acquire data progressively, and only when genuinely needed. The less information collected, the less to store and manage. This is the way to achieve good data hygiene, and a path to ongoing data minimization.

P3 Project Privacy Podcast from Active Navigation

by

Looking for a new podcast about data privacy?  Active Navigation has exactly what you need – the P3: Project Privacy Podcast aims to help you understand the evolving data privacy landscape.

Episodes include:  The ROI of Proper Data Management; Records Management in Highly Regulated Industries; High Stakes Records Management; The NIST Privacy Framework; Open Data During Times of Crisis.  You can listen to the podcast anytime on the Active Navigation website.

Information Security Risk Management Practitioner Guide – OVIC

by

The Office of the Victorian Information Commissioner (OVIC) issues security guides to support the Victorian Protective Data Security Standards (VPDSS).

This document provides organisations with guidance on security risk management fundamentals to enable them to undertake a Security Risk Profile Assessment (SRPA) as required under s89 of the Privacy and Data Protection Act 2014(PDP Act) and is designed to support practitioners and information security leads.

OAIC Privacy Assessment tool

by


OAIC launched a new Privacy Impact Assessment Tool (DOCX), which helps you conduct a PIA, report its findings and respond to recommendations.

Accompanying the Guide to undertaking privacy impact assessments, entities are encouraged to take a flexible approach and adapt this tool to suit the size, complexity and risk level of their project.