A human touch to the Australian Privacy Principles
Recent high-profile data breaches show difficulties organisations face in complying with the Australian Privacy Principles
The revelation by technology giant Cisco on 7 November 2016 of its leak of personal data is the latest in a string of high-profile data breaches in Australia, following hot on the heels of Australia’s largest ever (to date) personal data breach by the Australian Red Cross Service (Australian Red Cross) and the leak of the personal data of Apple’s customers.
In all of these cases, the leak was apparently due to human error and not inadequacies in the cybersecurity systems of these organisations – wrongly configured settings in the case of Cisco, erroneous loading of personal data on a publicly-facing website in the case of the Australian Red Cross, and inappropriate conduct on the part of Apple’s employees.
As well as being damaging to their reputations (not to mention ethically reprehensible in the case of Apple), these incidents demonstrate the difficulties that organisations face in complying with the Australian Privacy Principles (APP), and in the cases mentioned, specifically, APP 11.
The Technical and Human Aspects of Australian Privacy Principle 11
APP 11 provides that organisations and businesses subject to the APP (APP Entities) are required to take such steps as are reasonable to protect the personal data that they hold. Given the way APP 11 is drafted, it is almost intuitive for APP Entities to focus (almost) entirely on the technical aspect of data protection, e.g. ensuring that they have the most up-to-date and secure cybersecurity apparatus, and that such systems are in line with prevailing Australian and international industry standards, at the expense of the human aspect of data protection (as was demonstrated by the human errors involving Cisco, the Australian Red Cross and Apple).
While the Office of the Australian Information Commissioner (OAIC) is currently investigating these incidents and no conclusive findings have as yet been issued, APP Entities would do well to learn from these incidents and give the human aspect of APP 11 more attention (if not as much as they give the technical aspect). In this regard, APP Entities should ensure that they have clear internal data protection policies and processes, including policies and processes which set out, amongst other things:
- what personal data is;
- how to manage personal data and why data protection matters, including the extra care that should be exercised when handling personal data;
- the importance of protecting personal data; and
- how to manage data breaches.
APP Entities should also ensure that their employees and vendors (and other service providers) are well acquainted with and fully understand such policies and processes by, amongst other things:
- providing reading materials, including explanatory materials;
- providing training sessions and seminars; and
- continually emphasising that the protection of personal data and personal data security are of utmost importance to the APP Entity.
APP Entities can also consider obtaining legal advice, or guidance from the OAIC, or both, with respect to such policies and processes as well as related materials.
The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth)
It should also be noted that currently, Australian law – save for some exceptions – does not require APP Entities to disclose breaches of security, including leaks of personal data, to the OAIC and affected individuals (though APP Entities are encouraged to do so). As such, but for the public nature of the personal data leaks involving Cisco, the Australian Red Cross and Apple, it is possible that the OAIC and affected individuals might never have found out about the leaks, had those organisations chosen not to notify them.
However, this situation is likely to change in the short term. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth) is currently before the Parliament and if passed, will create a legal obligation for APP Entities to notify the OAIC and affected individuals of eligible data breaches.