Wednesday, 12 March 2014

Privacy and your organisation, do you understand the rules?

The Privacy Amendment (Enhancing Privacy Protection) Act 2012 comes into force on 12 March 2014 and introduces significant amendments to the Privacy Act 1988 (Cth), including the new Australian Privacy Principles (APPs).

The Privacy Act changes give the Information Commissioner the ability to:
  • Resolve complaints, use external dispute resolution services, conduct investigations and promote compliance;
  • Investigate serious breaches (including the power to seek civil penalties of up to $1.7 million against organisations);
  • Assess the privacy performance of businesses.
Who must comply with the Act?

The Privacy Act protects personal information handled by businesses with an annual turnover of more than $3 million and health service providers of any size.

The Act may also apply to a small business if it poses a higher risk to privacy, for example a small business that holds health information and provides health services, or one that:
  • trades in personal information
  • provides services under a Commonwealth contract
  • runs a residential tenancy database
  • is related to a larger business
  • is a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act.
Other small business operators may choose to opt in to the regime or may be brought into the regime by regulation.

If you're not sure whether the Privacy Act applies to your business, try the 9 Step Privacy Checklist for Small Business on the Office of the Australian Information Commissioner (OAIC) website.

How will the changes affect you?

The changes affect how businesses can:
  • Handle and process personal information;
  • Use personal information for direct marketing;
  • Disclose personal information to recipients overseas.
Even if you already have an obligation to comply with the Privacy Act, you need to be particularly aware of the changes: most organisations will need to change their privacy policies and practices significantly to meet the new requirements.

A point to note

Most States and Territories also have their own privacy legislation, so you must understand the legislative restrictions on processing personal data not only in the State where you reside, but in every State you interact with.

NSW, for example, has the Privacy and Personal Information Protection Act 1998 (NSW) together with the Health Records and Information Privacy Act 2002 (NSW).

Private sector companies should be aware of these requirements if they provide services to a NSW government agency.

Private sector health service providers of any size in NSW will have to comply with both the Health Records and Information Privacy Act 2002 (NSW) and the Commonwealth Privacy Act 1988.

How confident are you in your Privacy practices?
For example, APP 11 requires an organisation to take reasonable steps to protect the personal information it holds "from misuse, interference and loss" and "from unauthorised access, modification or disclosure".

  • How do you provide this assurance?
  • Are you able to demonstrate ‘reasonable’ steps have been taken to protect personal data?
Under APP 1 you must also take reasonable steps to "implement practices, procedures and systems" that will ensure you comply with the APPs.

So how well do you know your information processes? What personal information do you collect, and do you understand its lifecycle within your organisation? Are you able to answer the following:
  • What personal information is collected, where, when, why and by whom?
  • What controls do you have at the collection point?
  • Do you collect consent?
  • How do you record consent?
  • Do you understand the purpose(s) for which information is collected?
  • How is it kept relevant?
  • Where does the information go?
  • How is it stored?
  • How is it kept up to date?
  • In what format is the data stored, and for how long?
  • What happens at ‘end-of life’?
If you're not confident you can answer these questions, we are here to help!

CQR Services

CQR is able to help organisations through the following services:

Privacy Compliance Jumpstart

We will conduct a Privacy Impact Assessment (PIA), provide an implementation roadmap and draft a Privacy Policy.

Privacy Impact Assessment (PIA)

We will conduct a series of interviews to understand how you currently use and protect personal information, and provide recommendations on how you can improve your processes to ensure that personal information is:
  • Processed fairly
  • Kept accurate, complete and up to date
  • Kept secure
  • Made available to data subjects

Update to Privacy Policy

We will review and update your Privacy Policy to ensure it captures the requirements of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and the APPs.

Third Party Audit

We will conduct an audit on how you manage third party relationships.

Information Security Gap Analysis

We will conduct a series of interviews to understand how you currently protect personal information, using the ISO 27001 information security standard as the benchmark for compliance.

Privacy Audit

We will conduct an audit of your privacy practices covering:
  • Consent management
  • Subject access requests
  • How you use and protect personal data
  • Defined roles and responsibilities
  • Review of Privacy Policies, Procedures and Guidelines
  • Risk Management

Friday, 7 March 2014

Social Bronze Age

In October 2013 I wrote a blog entitled Stone Aged Security, where I noted that we have been through the journey from Stone Age to Industrial Age twice before: first for civilisation, taking 12,000 years, and then again for IT, but this time 200x faster, taking only 60 years, and that we had started the cycle again with the Social Stone Age.

The Social Stone Age (2000-2013) will be looked back on fondly. It's the age when we discovered social media. It's the age when we were encouraged to share. It's the age when we naively assumed that private actually meant private, and that Big Brother didn't really exist, or at least that if he did, he was only watching the bad guys. It's the age when we weren't having discussions about metadata.

That age is over.  2014 is the start of the Social Bronze Age.  This age is marked by two distinct phase changes in the way that we communicate on the Internet.

The first phase change is that we are moving from a default-unencrypted Internet, where we only encrypt the information we consider sensitive, to a default-encrypted Internet, where we encrypt everything all the time. Facebook and Twitter moved from encrypting only logins to encrypting every session. Google started encrypting all searches. This would have happened eventually, but it has really been forced this year by the realisation that the threat model has fundamentally changed: we are no longer trying to protect ourselves just from cybercriminals, but also from security services that record everything all the time.

The second phase change is that we have moved to a default "in" position for social media. It is now assumed that everyone has at least one social media account, that the only people who don't have one have consciously chosen not to, and that they are just a little odd. Private mailing lists have almost entirely gone, replaced by social media groups. Moreover, social media is replacing e-mail as the normal way that people communicate with each other.

My calculations show that the Social Age is running 2.5x faster than the IT Age, and 500x faster than civilisation! It's hardly surprising that we really aren't coping that well. If this trend continues, then here are my predicted dates for the remainder of the Social Age, and some key expectations.

2018: Social Iron Age. The end of centrally controlled social media, and the end of companies like Facebook and Twitter. Social media will be peer-to-peer, with all the processing, privacy and communication controlled by the users and happening in an app on their phones. The Internet of Things will be real, and it will all be IPv6.

2021: Social Middle Age. The end of e-mail and text-based communication. Everything will be voice controlled, and keyboards will seem quaint. Real-time language transcription and translation will be practical for everyday use. Language will no longer be a barrier to communication.

2023: Social Industrial Age. Avatars will do most of the work for you. Expect the first real cyber world war. What we see as science fiction today will be practical reality, except that we still won't have artificial intelligence, robots or flying cars.

2024: The next age starts - the Machine Stone Age.

It's going to be an interesting 10 years.