Beyond Data Breach Notification: What's new in Privacy for 2017
Dr Jodie Siganto, October 2017
What I'm going to talk about
- Australian Privacy Act developments (other than data breach):
  - Definition of personal information
  - Commissioner's powers
  - De-identified information
- EU GDPR: new laws and implications for Australia
- Some thoughts about data breach notification
Privacy Act Developments Beyond Data Breach
Personal Information
- (Old) definition of PI: "information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."
- Ben Grubb v Telstra: geolocation data, i.e. the longitude and latitude of the mobile phone towers connected to the customer's phone at any given time, whether the customer is making a call or not
  - Telstra Corporation Limited and Privacy Commissioner [2015] AATA: not information "about" an individual
  - Privacy Commissioner v Telstra Corporation Limited [2017] (Federal Court): must be "about" an individual
Personal Information
- OAIC Guide: What is Personal Information
- Common examples: information about:
  - private or family life: name, signature, home address, email address, telephone number, date of birth, medical records, bank account details
  - working practices or employment details
  - commentary or opinion
- PI can be about more than one thing
EU GDPR: Personal Information
- Simpler definition: data from which a living individual is identified or identifiable (by anyone), whether directly or indirectly.
- GDPR's recitals highlight types of online data that may be personal, e.g.:
  - online identifiers
  - device identifiers
  - cookie IDs
  - IP addresses (CJEU: dynamic IP addresses may be PI depending on other data held)
De-identification
- De-identified data is not regarded as personal information.
- De-identification involves removing or altering information that identifies an individual or is reasonably likely to do so.
- Generally, de-identification includes two steps:
  1. Removing personal identifiers, such as an individual's name, address, date of birth or other identifying information; and
  2. Removing or altering other information that may allow an individual to be identified, e.g. a rare characteristic of the individual, or a combination of unique or remarkable characteristics that enable identification.
De-identification: De-identification Decision-Making Framework
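As an added illustration of the two de-identification steps described above (example code written for this page, not part of the original talk or of any OAIC framework), the Python below drops direct identifiers in favour of a keyed pseudonym, coarsens quasi-identifiers, and then suppresses any rare characteristic or unique combination that could still single someone out. The records, the HMAC key and the threshold k are constructed assumptions.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (not real people). "name"/"email" are direct
# identifiers; "dob"/"postcode" are quasi-identifiers that can identify
# someone in combination; "condition" may be a rare, remarkable characteristic.
RECORDS = [
    {"name": "A. Smith", "email": "a.smith@example.com", "dob": "1984-03-12",
     "postcode": "4000", "condition": "asthma"},
    {"name": "B. Jones", "email": "b.jones@example.com", "dob": "1984-11-02",
     "postcode": "4000", "condition": "asthma"},
    {"name": "C. Lee", "email": "c.lee@example.com", "dob": "1951-07-30",
     "postcode": "4870", "condition": "rare disorder X"},
]


def pseudonym(key: bytes, value: str) -> str:
    """Keyed hash: records stay linkable for analysis, but without the key a
    guessed identifier cannot be confirmed by simply re-hashing it."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def generalise(rec: dict) -> dict:
    """Step 2 (alter): coarsen quasi-identifiers to birth year and a
    two-digit postcode region."""
    return {"birth_year": rec["dob"][:4], "region": rec["postcode"][:2],
            "condition": rec["condition"]}


def deidentify(records: list, key: bytes, k: int = 2) -> list:
    """Step 1: drop direct identifiers (keyed pseudonym replaces them).
    Step 2: generalise quasi-identifiers, then suppress any quasi-identifier
    combination or characteristic shared by fewer than k records, since a
    unique combination or a rare characteristic still enables identification."""
    out = [dict(pid=pseudonym(key, r["email"]), **generalise(r)) for r in records]
    combos = Counter((r["birth_year"], r["region"]) for r in out)
    traits = Counter(r["condition"] for r in out)
    for r in out:
        if combos[(r["birth_year"], r["region"])] < k:
            r["birth_year"] = r["region"] = "*"
        if traits[r["condition"]] < k:
            r["condition"] = "*"
    return out


if __name__ == "__main__":
    for row in deidentify(RECORDS, b"constructed-demo-key"):
        print(row)
```

Pseudonymised output remains linkable to the original records by whoever holds the key, so the key must be stored separately from the released data set.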
Privacy Commissioner's Powers
- Commissioner's powers where there's been an interference with a privacy principle:
  - Conduct a Commissioner Initiated Investigation (CII): call for witnesses, request information, publish report
  - Seek and accept an enforceable undertaking
  - Make a determination: award compensation, direct change to processes/systems, require apology
  - Apply to the Federal Court for a civil penalty: serious or repeated interference
Enforceable undertakings
- Organica and Brygon (2016): shared information for marketing purposes
  - Agreed to implement policies and staff training, and to destroy data
- Australian Recoveries & Collections (2016): Optus customer information on Freelancer
  - Undertaking: implement improved information security and privacy training for staff
  - Offer to reimburse the cost of a 12-month credit monitoring alert service
  - In consultation with the OAIC, engage a qualified third party to review ARC's handling of personal information and implement recommendations
Enforceable undertakings
- Ashley Madison investigation (2016):
  - Extra-territorial operation of the Australian Privacy Act
  - Co-operated with Canadian regulator
  - Accepted enforceable undertaking:
    - Conduct comprehensive review of protections in place to protect PI and implement recommendations
    - Conduct staff training program
    - Delete data
    - By 31 July 2017, provide OAIC with an independent third party report documenting measures to come into compliance with the recommendations or certifying compliance with a recognised privacy/security standard satisfactory to the OAIC
Enforceable undertakings
- Copy of Red Cross database of blood donors stored on a web-facing test server
- Discovered by a white-hat
- Red Cross:
  - Engaged AusCERT and third party security experts to investigate
  - Engaged IDCare to respond to questions
  - Apologised
  - Comprehensive social media campaign
Enforceable undertakings
- OAIC investigation reports issued in July 2017:
  - No unauthorised disclosure by Red Cross (APP 6)
  - Was unauthorised disclosure by Precedent
  - Were failures in security by both
  - Commended the Red Cross on its response: "the Commissioner commends the Blood Service for its quick response and handling of the breach. Overall, the Blood Service acted appropriately and in a timely manner to rectify the data breach, and its response to the data breach provides a model of good practice for other organisations. The circumstances of this incident and the Blood Service's response mean that it is unlikely that there will be adverse consequences for affected individuals. All copies of the database backup have now been destroyed.... The Commissioner believes the community can have confidence in the Blood Service's commitment to the security of their personal information."
  - Accepted enforceable undertakings from both
Data breach investigations
- iiNet investigation finalised (March 2017):
  - Alleged data breach by Westnet (2015)
  - No evidence of any breach
  - No investigation report released
- Other investigations under way:
  - Cosmetics Institute
  - Flight Centre
Determinations
- LU and Dept of Defence (2017) / LB and Comcare (2017): poorly redacted Comcare report posted on the Comcare website / emailed by Dept of Defence to 1200 staff and stored without access restrictions in the Defence DMS
  - Awarded: apology; Dept of Defence $10,000 compensation (non-economic loss) + $3,000 for legal expenses; Comcare $20,000 compensation + $3,000 for legal expenses
- LP and The Westin Sydney (2017): recorded call without consent
  - Awarded: apology; $1,500 compensation (non-economic loss)
EU GDPR Beyond Data Breach
Reasons for EU GDPR
- The EU General Data Protection Regulation is intended to:
  - Increase legal certainty (one overarching legal authority),
  - Reduce the administrative burden and cost of compliance for organisations operating in multiple EU Member States, and
  - Increase individual protections.
- EU member states will be required to pass new domestic data protection laws consistent with the GDPR
EU GDPR Timeline: https://www.dlapiper.com/en/uk/focus/eu-data-protection-regulation/background/
Who does EU GDPR apply to?
- Scope of EU data protection law expanded: territorial vs destination approach
- GDPR will apply to:
  - The activities of a controller or a processor in the EU with an EU establishment, regardless of whether the processing takes place in the EU or not; and
  - A data controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects residing in the EU, even for free, or the monitoring of their behaviour in the EU.
Scope: Offering goods or services
- Offering goods or services to data subjects who are in the Union:
  - Must be more than an accessible website
  - But you don't have to have a physical presence in the EU to be covered
- Indicators that goods or services are being offered to data subjects in the Union:
  - Use of a language or currency generally used in an EU Member State, or
  - References to customers or users who are in the EU
- Many questions remain, e.g. does it cover the offer of services to a person in the EU where the services will be delivered in Australia? For example:
  - Degrees offered by an Australian education provider; or
  - Internal flights within Australia arranged by an Australian travel agent
Scope: Monitoring
- Will be covered by GDPR if you process personal data of EU data subjects when it is related to monitoring of their behaviour within the EU, e.g. if you track users in the EU and use data analytics to profile individuals to identify and predict personal preferences, behaviours and attitudes
- Is intended to cover:
  - Operators of social networks
  - Online providers of services such as email accounts
  - Operators of search engines
  - Websites
Implications for Australia
- Australian companies could be covered by EU GDPR. Things to do:
  - Understand and assess the grounds on which you collect and use data
  - Assess whether your online activities amount to offering goods or services to, or monitoring the behaviour of, EU residents
  - If yes, you need to transition to compliance with the GDPR
  - May need to appoint a representative in the EU
Enhanced rights of data subjects
- GDPR intends to strengthen and expand data subjects' rights compared to the rights granted to them under the EU Directive.
- Infringements of the provisions relating to data subjects' rights are subject to the maximum level of fines under the GDPR.
Collection Notices
- Information to be provided prior to collection of PI:
  - How long the data will be stored
  - Contact details of the DPO
  - Legal basis for any processing
  - Very specific information re international data transfer
  - Must inform data subjects of their rights, including e.g. the right to withdraw consent at any time and the right to data portability
- Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- Visualisation through standardised icons is encouraged
Right to be forgotten, rectify, object etc.
- Right to erasure or "right to be forgotten" on request: if the data is no longer necessary for the purpose for which it was collected or otherwise processed, or if the data subject withdraws consent.
- Right to object extended:
  - Can object; the controller must demonstrate compelling legitimate grounds for the processing which override the interests etc. of the data subject
  - Can object to direct marketing and profiling without having to show cause
- Right to data portability (new)
- Right to restrict processing (new)
Consent
- Definition of 'consent' in the EU Directive is: 'any freely given specific and informed indication' of the individual's wishes signifying agreement to data processing
- New definition in GDPR: any freely given, specific, informed and unambiguous indication of the [individual's] wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to data processing
Profiling
- Data subjects can object to being subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Examples:
  - automatic refusal of an online credit application
  - e-recruiting practices without any human intervention
- There are rules around profiling, e.g. it must be done in a way that minimises discrimination
- There are circumstances where the decision may still be made, e.g. where it is based on the data subject's explicit consent.
Implications for Australia
- Consider updating privacy notices to reflect the new information requirements:
  - Extended content; and
  - Transparency/plain language requirements.
- Consider implementing the right to be forgotten and erasure
- Consider ensuring that consent is secured in accordance with the stricter definition: don't use opt-outs, pre-ticked boxes or bundled consent
- Prepare for a possible data portability requirement in future
- Be careful of the use of automated profiling
Data breach notification
- Data controllers to report data breaches:
  - Have to notify the SA (supervisory authority) of a data breach unless the breach is unlikely to result in a risk for data subjects' rights and freedoms
  - Have to notify data subjects if the breach is likely to result in a high risk for their rights or freedoms (there are exceptions).
- Timing for notification to the SA: without undue delay and, where feasible, within 72 hours of becoming aware of the breach. A proper justification shall accompany the notification if it is not made within 72 hours.
Data security
- Controllers and processors are required to implement appropriate technical and organizational measures
- GDPR suggested security actions include:
  - The pseudonymisation and encryption of personal data.
  - The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
  - The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident.
  - A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Implications for Australia
- Consider whether it is worth complying with the higher notification requirements of GDPR:
  - Notify where there is a "high risk" for individuals' rights or freedoms;
  - Notify within 72 hours.
- Consider ensuring compliance with the more prescriptive security requirements
Data protection by design
- GDPR introduces key concepts from Privacy by Design
- Requires that controllers ensure that:
  - Individuals' privacy is considered from the outset of each new processing product, service or application; and
  - By default, only the minimum amount of personal data necessary for specific purposes is collected and processed.
- Must be able to demonstrate compliance.
- Use of pseudonymisation (to ensure compliance with data minimisation obligations) is specifically referred to.
Data Protection Impact Assessment / Privacy Impact Assessments
- Data Protection Impact Assessments will be required in cases of:
  - An evaluation of personal aspects based on automated data processing, including profiling;
  - Processing on a large scale of special categories of data; and
  - Systematic monitoring of a publicly accessible area.
Data Protection Impact Assessment / Privacy Impact Assessments
- As a minimum, the GDPR requires that a PIA include:
  - A description of the processing activities and their purpose;
  - An assessment of the need for and proportionality of the processing, the risks arising and the measures adopted to mitigate those risks, in particular safeguards and security measures to protect personal data and comply with the GDPR.
- If a DPO has been appointed, his/her advice on the carrying out of the PIA must be sought.
- Must consult a supervisory authority before any data processing commences if the PIA identifies a high level of unmitigated risk in certain circumstances.
- Controllers must seek the views of affected data subjects and their representatives in conducting a PIA.
Implications for Australia
- These requirements are consistent with advice from the Privacy Commissioner that entities should:
  - Implement Privacy by Design;
  - Undertake Privacy Impact Assessments
- Include provisions re these in your organisational Privacy Management Framework (refer to the OAIC Privacy management plan template)
- Consider BS 10012: Privacy Information Management System
Data breach notification: Some thoughts
Some thoughts
- How will you find out about a data breach?
- What might that mean for:
  - Your assessment of the likelihood of serious harm being incurred?
  - Your decision on whether to notify or not?
Research
- Effect of DBN on identity theft
- Effect of a data breach on the share price of the disclosing entity
- Does investment in IT security reduce the risk of data breach?
Research
- Other recent research:
  - Do organisations learn from a data breach?
  - Communications lessons from 5 retail industry data breaches:
    - The press don't follow the company's publicity strategy: they make the company appear uncaring AND exaggerate the seriousness of the breach
    - Crisis communications strategy: need to be more apologetic
Likely Effect of DBN Laws
- More visibility of the problem
- Greater potential for reputational damage
- Difficulties in managing the messaging
- May reduce identity theft
- May lead to better security
- Unlikely to lead to litigation in Australia
Summary
- Think about how your organisation should define personal information and what that means for the data you're collecting, handling or disclosing
- Think about de-identification and implementing a de-identification decision-making framework
- Consider the action the Privacy Commissioner might take if there is an interference with a privacy principle
- Does the EU GDPR apply to your organisation? Even if not, consider implementing some of the measures
- Get ready for data breach
Contacts
Dr Jodie Siganto: 0408 275 733, jodie.siganto@ringrosesiganto.com.au
Ted Ringrose: 0421 627 498, ted.ringrose@ringrosesiganto.com.au
www.ringrosesiganto.com.au