Beyond Data Breach Notification: What's new in Privacy for 2017. Dr Jodie Siganto, October 2017

What I'm going to talk about
- Australian Privacy Act developments (other than data breach): definition of personal information; Commissioner's powers; de-identified information
- EU GDPR: new laws and implications for Australia
- Some thoughts about data breach notification

Privacy Act Developments Beyond Data Breach

Personal Information
- (Old) definition of PI: "information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion"
- Ben Grubb v Telstra: geolocation data, i.e. the longitude and latitude of the mobile phone towers connected to the customer's phone at any given time, whether the customer is making a call or not
- Telstra Corporation Limited and Privacy Commissioner [2015] AATA: not information "about an individual"
- Privacy Commissioner v Telstra Corporation Limited [2017] (Federal Court): information must be "about an individual"

Personal Information
- OAIC guide "What is Personal Information?"
- Common examples of PI, i.e. information about:
  - private or family life: name, signature, home address, email address, telephone number, date of birth, medical records, bank account details
  - working practices or employment details
  - commentary or opinion
- PI can be about more than one thing

EU GDPR: Personal Information
- Simpler definition: data from which a living individual is identified or identifiable (by anyone), whether directly or indirectly
- The GDPR's recitals highlight types of online data that may be personal, e.g.:
  - online identifiers
  - device identifiers
  - cookie IDs
  - IP addresses (CJEU: dynamic IP addresses may be PI depending on other data held)

De-identification
- De-identified data are not regarded as personal information under the Privacy Act.
- De-identification involves removing or altering information that identifies an individual or is reasonably likely to do so.
- Generally, de-identification has two steps:
  1. removing personal identifiers, such as an individual's name, address, date of birth or other identifying information, and
  2. removing or altering other information that may allow an individual to be identified, e.g. a rare characteristic of the individual, or a combination of unique or remarkable characteristics that enables identification.

De-identification: the De-Identification Decision-Making Framework
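The two steps on the de-identification slide, carried through on a small constructed data set. This is an added example, not code from the presentation or from the OAIC; the records, field names, the 10-year age band, the two-digit postcode region and the threshold k=2 are all assumptions chosen for illustration. Step 1 drops the direct identifiers (name, email); step 2 coarsens the quasi-identifiers (date of birth, postcode) and then suppresses any record whose combination of remaining characteristics is still unique, which is the "rare characteristic" case the slide warns about.

```python
"""Two-step de-identification over a constructed sample, as described on the slide:
1. remove direct identifiers; 2. generalise quasi-identifiers and suppress any
record whose combination of characteristics still singles out one individual."""
from collections import Counter

# Constructed sample records (not real people); field names are assumptions.
RECORDS = [
    {"name": "A. Nguyen", "email": "a.nguyen@example.com", "dob": "1984-03-12",
     "postcode": "4000", "condition": "asthma"},
    {"name": "B. Smith", "email": "b.smith@example.com", "dob": "1986-07-01",
     "postcode": "4005", "condition": "asthma"},
    {"name": "C. Lee", "email": "c.lee@example.com", "dob": "1985-11-23",
     "postcode": "4012", "condition": "asthma"},
    {"name": "D. Rossi", "email": "d.rossi@example.com", "dob": "1951-02-08",
     "postcode": "0870", "condition": "haemophilia"},
]

DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("age_band", "region", "condition")
REFERENCE_YEAR = 2017  # year of the presentation; ages are computed against it


def strip_direct_identifiers(record):
    """Step 1: drop fields that identify a person on their own."""
    return {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}


def generalise(record):
    """Step 2a: coarsen fields that identify in combination.
    Date of birth -> 10-year age band; postcode -> first two digits."""
    age = REFERENCE_YEAR - int(record["dob"][:4])
    band_lo = (age // 10) * 10
    out = {k: v for k, v in record.items() if k not in ("dob", "postcode")}
    out["age_band"] = f"{band_lo}-{band_lo + 9}"
    out["region"] = record["postcode"][:2] + "xx"
    return out


def equivalence_classes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each quasi-identifier combination."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def deidentify(records, k=2):
    """Step 2b: run both steps, then suppress any record whose quasi-identifier
    combination is shared by fewer than k records (a 'rare characteristic').
    Returns (kept_records, suppressed_count)."""
    generalised = [generalise(strip_direct_identifiers(r)) for r in records]
    classes = equivalence_classes(generalised)
    kept = [r for r in generalised
            if classes[tuple(r[q] for q in QUASI_IDENTIFIERS)] >= k]
    return kept, len(generalised) - len(kept)


if __name__ == "__main__":
    kept_records, suppressed = deidentify(RECORDS)
    for rec in kept_records:
        print(rec)
    print(f"suppressed {suppressed} record(s) still unique after generalisation")
```

The uniqueness count is the check worth keeping: removing names is not de-identification if a date of birth plus postcode plus a rare condition still singles one person out, and the fourth constructed record is dropped for exactly that reason. A real release would use the decision-making framework and a larger k; the threshold of 2 only demonstrates the mechanism.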

Privacy Commissioner's Powers
Commissioner's powers where there has been an interference with privacy:
- Conduct a Commissioner Initiated Investigation (CII): call for witnesses, request information, publish a report
- Seek and accept an enforceable undertaking
- Make a determination: award compensation, direct changes to processes/systems, require an apology
- Apply to the Federal Court for a civil penalty: serious or repeated interference

Enforceable undertakings
- Organica and Brygon (2016): shared information for marketing purposes. Agreed to implement policies and staff training and to destroy the data.
- Australian Recoveries & Collections (2016): Optus customer information on Freelancer. Undertaking:
  - implement improved information security and privacy training for staff
  - offer to reimburse the cost of a 12-month credit monitoring alert service
  - in consultation with the OAIC, engage a qualified third party to review ARC's handling of personal information and implement its recommendations

Enforceable undertakings
- Ashley Madison investigation (2016): extra-territorial operation of the Australian Privacy Act; OAIC co-operated with the Canadian regulator
- Accepted enforceable undertaking:
  - conduct a comprehensive review of the protections in place to protect PI and implement the recommendations
  - conduct a staff training program
  - delete data
  - by 31 July 2017, provide the OAIC with an independent third-party report documenting the measures taken to comply with the recommendations, or certifying compliance with a recognised privacy/security standard satisfactory to the OAIC

Enforceable undertakings
- Copy of the Red Cross database of blood donors stored on a web-facing test server; discovered by a white-hat
- Red Cross response:
  - engaged AusCERT and third-party security experts to investigate
  - engaged IDCARE to respond to questions
  - apologised
  - comprehensive social media campaign

Enforceable undertakings
OAIC investigation reports issued in July 2017:
- No unauthorised disclosure by the Red Cross (APP 6)
- Unauthorised disclosure by Precedent
- Failures in security by both
- Commended the Red Cross on its response: "the Commissioner commends the Blood Service for its quick response and handling of the breach. Overall, the Blood Service acted appropriately and in a timely manner to rectify the data breach, and its response to the data breach provides a model of good practice for other organisations. The circumstances of this incident and the Blood Service's response mean that it is unlikely that there will be adverse consequences for affected individuals. All copies of the database backup have now been destroyed.... The Commissioner believes the community can have confidence in the Blood Service's commitment to the security of their personal information."
- Accepted enforceable undertakings from both

Data breach investigations
- iiNet investigation finalised (March 2017): alleged data breach by Westnet (2015); no evidence of any breach; no investigation report released
- Other investigations under way: Cosmetic Institute; Flight Centre

Determinations
- 'LU' and Department of Defence (2017) / 'LB' and Comcare (2017): a poorly redacted Comcare report was posted on the Comcare website and emailed by the Department of Defence to 1,200 staff, then stored without access restrictions in the Defence DMS. Awarded: apology; Department of Defence $10,000 compensation (non-economic loss) plus $3,000 for legal expenses; Comcare $20,000 compensation plus $3,000 for legal expenses
- 'LP' and The Westin Sydney (2017): recorded a call without consent. Awarded: apology; $1,500 compensation (non-economic loss)

EU GDPR Beyond Data Breach

Reasons for EU GDPR
The EU General Data Protection Regulation is intended to:
- increase legal certainty (one overarching legal instrument across the EU),
- reduce the administrative burden and cost of compliance for organisations operating in multiple EU Member States, and
- increase individual protections.
As a Regulation it applies directly in every EU member state without domestic implementing legislation; member states pass or amend national laws only where the GDPR leaves matters to them (e.g. the age of consent for online services, and derogations for employment and research data).

EU GDPR Timeline https://www.dlapiper.com/en/uk/focus/eu-data-protection-regulation/background/

Who does the EU GDPR apply to?
- Scope of EU data protection law expanded: territorial vs destination approach
- GDPR will apply to:
  - the activities of a controller or a processor with an EU establishment, regardless of whether the processing takes place in the EU or not; and
  - a controller or a processor not established in the EU, where the processing activities are related to the offering of goods or services to data subjects in the EU (even for free), or the monitoring of their behaviour in the EU.

Scope: Offering goods or services
- Offering goods or services to data subjects who are in the Union must be more than an accessible website, but you don't have to have a physical presence in the EU to be covered
- Indicators that you are offering goods or services to data subjects in the Union:
  - use of a language or currency generally used in an EU Member State, or
  - references to customers or users who are in the EU
- Many questions remain, e.g. does it cover the offer of services to a person in the EU where the services will be delivered in Australia? For instance: degrees offered by an Australian education provider; or internal flights within Australia arranged by an Australian travel agent

Scope: Monitoring
- You will be covered by the GDPR if you process personal data of EU data subjects where the processing is related to monitoring of their behaviour within the EU, e.g. if you track users in the EU and use data analytics to profile individuals to identify and predict personal preferences, behaviours and attitudes
- Intended to cover:
  - operators of social networks
  - online providers of services such as email accounts
  - operators of search engines
  - websites

Implications for Australia
Australian companies could be covered by the EU GDPR. Things to do:
- Understand and assess the grounds on which you collect and use data
- Assess whether your online activities amount to offering goods or services to, or monitoring the behaviour of, EU residents
- If yes, you need to transition to compliance with the GDPR, and may need to appoint a representative in the EU

Enhanced rights of data subjects
- The GDPR is intended to strengthen and expand data subjects' rights compared with the rights granted to them under the EU Directive.
- Infringements of the provisions relating to data subjects' rights are subject to the maximum level of fines under the GDPR.

Collection Notices
Information to be provided at the time of collection of PI:
- how long the data will be stored
- contact details of the DPO
- the legal basis for any processing
- very specific information about international data transfers
- the data subject's rights, including e.g. the right to withdraw consent at any time and the right to data portability
Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Visualisation through standardised icons is encouraged.

Right to be forgotten, rectify, object etc.
- Right to erasure, or "right to be forgotten", on request: if the data are no longer necessary for the purpose for which they were collected or otherwise processed, or if the data subject withdraws consent (and there is no other legal ground for the processing)
- Right to object extended: the data subject can object, and the controller must demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject; can object to direct marketing and related profiling without having to show cause
- Right to data portability (new)
- Right to restrict processing (new)

Consent
- Definition of "consent" in the EU Directive: "any freely given specific and informed indication" of the individual's wishes signifying agreement to data processing
- New definition in the GDPR: "any freely given, specific, informed and unambiguous indication of the [individual's] wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement" to data processing

Profiling
- Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. Examples: automatic refusal of an online credit application; e-recruiting practices without any human intervention.
- There are rules around profiling, e.g. it must be done in a way that minimises discrimination.
- There are circumstances where such a decision may still be made, e.g. where it is based on the data subject's explicit consent.

Implications for Australia
- Consider updating privacy notices to reflect the new information requirements: extended content, and transparency/plain-language requirements
- Consider implementing the right to be forgotten and erasure
- Consider ensuring that consent is secured in accordance with the stricter definition: don't use opt-outs, pre-ticked boxes or bundled consent
- Prepare for a possible data portability requirement in future
- Be careful with the use of automated profiling

Data breach notification
Data controllers must report data breaches:
- Notify the supervisory authority (SA) of a data breach unless the breach is unlikely to result in a risk to data subjects' rights and freedoms
- Notify data subjects if the breach is likely to result in a high risk to their rights or freedoms (there are exceptions)
- Timing for notification to the SA: without undue delay and, where feasible, within 72 hours of becoming aware of the breach. A proper justification must accompany the notification if it is not made within 72 hours.

Data security
Controllers and processors are required to implement appropriate technical and organisational measures. Security actions suggested by the GDPR include:
- the pseudonymisation and encryption of personal data
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
- the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing

Implications for Australia
- Consider whether it is worth complying with the higher notification requirements of the GDPR: notify where there is a "high risk" to individuals' rights or freedoms; notify within 72 hours
- Consider ensuring compliance with the more prescriptive security requirements

Data protection by design
- The GDPR introduces key concepts from Privacy by Design. Controllers must ensure that:
  - the individual's privacy is considered from the outset of each new processing product, service or application, and
  - by default, only the minimum amount of personal data necessary for specific purposes is collected and processed.
- Must be able to demonstrate compliance.
- Use of pseudonymisation (to help meet data minimisation obligations) is specifically referred to.
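Pseudonymisation is named on both the data security slide (as a suggested security measure) and the data protection by design slide above. The following is an added example, not code from the presentation; the records, field names and helper names are constructed for illustration. It replaces the email address with an HMAC-SHA256 token under a key that must be stored apart from the data set, and contrasts that with an unkeyed hash, which a guessing attack reverses in one loop. The GDPR caveat applies: pseudonymised data remain personal data (Recital 26), because whoever holds the key can re-link them, so this is a security measure within the Regulation rather than a way out of it.

```python
"""Keyed pseudonymisation: replace direct identifiers with tokens that can only
be re-linked by whoever holds a separately stored key (constructed example)."""
import hashlib
import hmac
import secrets

# Constructed sample records (not real people); field names are assumptions.
RECORDS = [
    {"email": "a.nguyen@example.com", "postcode": "4000", "spend": 120},
    {"email": "b.smith@example.com", "postcode": "4005", "spend": 75},
    {"email": "A.Nguyen@example.com", "postcode": "4000", "spend": 40},
]

IDENTIFIER_FIELDS = ("email",)


def new_key():
    """Generate the pseudonymisation key. It must live apart from the
    pseudonymised data set (separate store, separate access control)."""
    return secrets.token_bytes(32)


def naive_token(value):
    """What NOT to do: an unkeyed hash. Anyone can hash a guessed identifier
    and compare, so this is a thin veil rather than pseudonymisation."""
    return hashlib.sha256(value.strip().lower().encode()).hexdigest()


def keyed_token(value, key):
    """HMAC-SHA256 over the normalised identifier. Deterministic for a given
    key, so the same person gets the same token and records can still be
    joined, but no token can be computed or checked without the key."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key):
    """Drop each identifier field and add '<field>_token' in its place."""
    return [
        {**{k: v for k, v in r.items() if k not in IDENTIFIER_FIELDS},
         **{f"{k}_token": keyed_token(r[k], key) for k in IDENTIFIER_FIELDS}}
        for r in records
    ]


def guess_attack(token, candidates, token_fn):
    """Attempt re-identification by pushing candidate identifiers through the
    token function and comparing. Returns the matching candidate or None."""
    for candidate in candidates:
        if hmac.compare_digest(token_fn(candidate), token):
            return candidate
    return None


if __name__ == "__main__":
    key = new_key()
    pseudo = pseudonymise(RECORDS, key)
    for rec in pseudo:
        print(rec)
    guesses = [r["email"] for r in RECORDS]
    # Unkeyed hash falls to guessing; the keyed token does not without the key.
    print(guess_attack(naive_token("a.nguyen@example.com"), guesses, naive_token))
    print(guess_attack(pseudo[0]["email_token"], guesses, naive_token))
```

Deterministic tokens let analysts join records for the same person across the data set (the first and third constructed records share a token despite the different letter case) while the raw email never leaves the identifier store. Destroy or rotate the key once the data set no longer needs to be re-linkable; at that point, and only then, the tokens stop being personal data in practice.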

Data Protection Impact Assessments / Privacy Impact Assessments
Data Protection Impact Assessments will be required in cases of:
- an evaluation of personal aspects based on automated processing, including profiling;
- processing on a large scale of special categories of data; and
- systematic monitoring of a publicly accessible area.

Data Protection Impact Assessments / Privacy Impact Assessments
- As a minimum, the GDPR requires that a PIA include:
  - a description of the processing activities and their purpose;
  - an assessment of the need for and proportionality of the processing, the risks arising, and the measures adopted to mitigate those risks, in particular the safeguards and security measures to protect personal data and comply with the GDPR.
- If a DPO has been appointed, his or her advice on the carrying out of the PIA must be sought.
- Must consult the supervisory authority before any data processing commences if the PIA identifies a high level of unmitigated risk in certain circumstances.
- Controllers must, where appropriate, seek the views of affected data subjects or their representatives in conducting a PIA.

Implications for Australia
These requirements are consistent with advice from the Privacy Commissioner that entities should:
- implement Privacy by Design;
- undertake Privacy Impact Assessments;
- include provisions on these in the organisational Privacy Management Framework (refer to the OAIC privacy management plan template);
- consider BS 10012: Personal Information Management System.

Data Breach Notification: Some Thoughts

Some thoughts
- How will you find out about a data breach?
- What might that mean for:
  - your assessment of the likelihood of serious harm being incurred?
  - your decision on whether to notify or not?

Research
- Effect of data breach notification (DBN) on identity theft
- Effect of a data breach on the share price of the disclosing entity
- Does investment in IT security reduce the risk of data breach?

Research
Other recent research:
- Do organisations learn from a data breach?
- Communications lessons from five retail industry data breaches: the press don't follow the company's publicity strategy; they make the company appear uncaring AND exaggerate the seriousness of the breach. Crisis communications strategy: need to be more apologetic.

Likely effect of DBN laws
- More visibility of the problem
- Greater potential for reputational damage
- Difficulties in managing the messaging
- May reduce identity theft
- May lead to better security
- Unlikely to lead to litigation in Australia

Summary
- Think about how your organisation should define personal information and what that means for the data you're collecting, handling or disclosing
- Think about de-identification and implementing a de-identification decision-making framework
- Consider the action the Privacy Commissioner might take if there is an interference with privacy
- Does the EU GDPR apply to your organisation? Even if not, consider implementing some of the measures
- Get ready for data breach notification

Contacts
Dr Jodie Siganto, 0408 275 733, jodie.siganto@ringrosesiganto.com.au
Ted Ringrose, 0421 627 498, ted.ringrose@ringrosesiganto.com.au
www.ringrosesiganto.com.au