Make privacy a priority for developers: key questions all developers should be asking and emerging privacy issues for the sector

By Sonia Sharma & Colin Yuan

• 02 March 2023 • 15 min read

From the Parliament to the pub, Australians have been talking about personal information and privacy. In this article, Maddocks privacy and cyber experts, Partner Sonia Sharma and Lawyer Colin Yuan, explain why developers should be making privacy a compliance priority.

What has happened?

  • Late last year Australia was rocked by two of the biggest data breaches Australia has ever seen, with the Optus and Medibank cyber attacks impacting millions of Australians.
  • Cyber security experts warn that Australia remains a ‘soft target’ in the wake of these attacks.
  • In response to the Optus and Medibank breaches, the Australian Government significantly increased the penalties under the Privacy Act 1988 (Cth) (Privacy Act) from $2.2 million to in excess of $50 million.
  • In addition, the Privacy Act, which governs the handling of personal information, is under review and further reforms can be expected.

These factors have cemented privacy as a key compliance issue and risk for ‘data rich’ businesses such as those operating in the development and construction industry, who are often custodians of significant amounts of personal information.

Ultimately, it’s a huge responsibility to be trusted with the personal information of your customers, suppliers, contractors, tenants, staff and other stakeholders.

Given the current landscape and the significant legal and reputational risks, privacy and cyber risks need to be proactively managed. This compliance issue is a whole-of-business concern and a Board issue, and creating a “privacy as a priority” and “privacy by design” culture ultimately has huge business benefits in the short and long term.

Questions all Developers should be asking

Our observation working with a range of clients in the sector is that while many Developers have mature privacy and cyber security risk frameworks, many are struggling with basic compliance. Regardless of compliance maturity, given the current landscape, we recommend that all organisations in the sector take stock and conduct an urgent privacy “health check” to identify key risks and issues and develop a plan of action to address these concerns.

Urgent Privacy Health Check Questions

Be honest. Have we underinvested in privacy and cyber risk management?

Put simply, many Australian organisations have underinvested in managing privacy and cyber risks and compliance under the Privacy Act for the last decade. If your organisation falls into this category, you will need to set aside budget and resources to play some serious “catch-up”.

However, even organisations with mature privacy and cyber risk management levels will need to invest to account for increased threats and proposed legal reforms. We recommend organisations ensure they have set aside sufficient budget and people resources. Given the current risk landscape, resources will need to be uplifted, regardless of current maturity levels.

Have we conducted a data mapping exercise to understand the personal information your organisation actually holds and how it is collected, used, disclosed and handled, and what systems store what kinds of personal information?

Trust is critical, but how can you manage risks if you don’t have a very clear picture of your organisation’s data flows and the systems which hold personal information? Many organisations still do not have a record or data map of the personal information they hold and what information is stored on which systems. This information needs to be documented internally, and now is the time to do a holistic privacy and data review if your organisation does not have a current and accurate picture.

Do we collect personal information we don’t need?

Over-collection of personal information which is not required has been a long-standing liability. Old forms or historical processes may ask for personal information such as date of birth, gender or identity documents or details (such as driver's licences or Medicare details) which may not be required but pose a significant risk if compromised. It’s time to think critically about what personal information your organisation actually collects in the first place and whether it is needed.

Are we holding personal information we no longer need?

'Over-retention', or keeping personal information for longer than required, is a very real risk which has been in the spotlight with recent major data breaches. Data retention and destruction is a complex issue to manage. However, organisations should be conducting an urgent review to consider if sensitive or valuable personal information is being held past its 'use-by date'. All organisations should have clear policies and procedures documenting how long records should be held for, and operational controls to ensure records are securely deleted or destroyed.

Hypothetical example: A malicious third party gains access to an employee’s mailbox after the employee falls for a phishing email scam. The employee has worked with the Developer for over 10 years and the mailbox holds personal information, including some copies of ID documents, collected from subcontractors, purchasers and tenants dating back years. The malicious third party extracts a copy of the mailbox. Under the Privacy Act, Developers must store personal information securely and destroy or de-identify personal information which is no longer required.

Do we know how to respond to a data breach with a clear data breach response plan which is properly tested?

The Office of the Australian Information Commissioner (OAIC) expects organisations to have a clear data breach response plan that sets out procedures and clear lines of authority for responding to a data breach, including proper assessment if a data breach meets the 'serious harm' threshold under the Privacy Act and is notifiable.

In certain circumstances, reporting under other regimes may also be required. For example, the amendments to the Security of Critical Infrastructure Act 2018 require that certain types of cyber security incidents affecting specific critical infrastructure assets be reported. Many organisations still do not have a data breach response plan, despite the mandatory data breach regime being several years old.

The plan needs to be tested and rehearsed with key internal stakeholders, including legal, IT and comms. Processes and escalation points need to be understood by everyone from front-line staff through to the Response Team.

Hypothetical example: A Developer suffers a ransomware attack in which the malicious third party gains access to a mission-critical IT system containing all of the stored personal information relating to tenancy and rental applications. They demand a significant ransom and threaten to release all of the information on the dark web. The Developer has neither a data breach response plan nor assigned roles and responsibilities for dealing with the incident.

Do we train our staff about privacy?

Do you provide regular training and education which is “fit for purpose” at all levels, from front-line staff (such as phishing email campaigns) to the executive and the Board (e.g. running tabletop and hypothetical scenarios)?

Now is the perfect time to launch privacy refresher training, given privacy is currently in the spotlight.

We remain surprised that many IT teams still do not undertake privacy training. Privacy training and education for all staff should be ongoing and tailored to their role. We see limited value in off-the-shelf privacy training, which does not consider specific business requirements and needs.

Do you have an appointed privacy officer and privacy and cyber champions within the business?

These issues are whole-of-business concerns and not merely the responsibility of IT or legal! While many organisations have a privacy officer, the appointment of privacy champions is important to embed a culture of privacy within an organisation.

Do you take a privacy by design approach by conducting Privacy Impact Assessments (PIAs)?

The OAIC has made clear that entities should have systems and processes in place to conduct privacy impact assessments. PIAs allow organisations to consider privacy at the start of the project and embed privacy controls early on.

Hypothetical example: The use of new technology is part of your strategy to maximise efficiency and meet your core value of innovation. In the pipeline you have a range of new projects using new and emerging technologies, for example facial recognition or Internet of Things (IoT) devices in Smart Buildings, or software programs to automatically process tenancy applications in Build-to-Rent projects. For all of these projects, the privacy regulator would expect PIAs to be documented to consider the privacy risks and implement privacy controls. For example, biometric information captured by facial recognition technology is ‘sensitive information’ and additional rules apply to it.

Do you have a privacy management plan?

A privacy management plan helps to embed a culture of privacy, establish robust and effective privacy practice, implement procedures and systems, evaluate what you are doing and enhance your response. We are continually seeing many private sector organisations operating without a clear privacy framework and plan in place.

What is our ‘Essential Eight’ maturity level?

It is often said that privacy and cyber security are different sides of the same coin. Different businesses will be exposed to different cyber risks and different potential consequences. The ‘Essential Eight’ are a series of mitigations the Australian Cyber Security Centre recommends as one of the most effective approaches to making it harder for malicious parties to compromise systems. For those at the start of their journey, implementing the Essential Eight as quickly as possible should be a priority. Other entities should be looking to increase their Essential Eight maturity level as outlined by the Australian Cyber Security Centre.

Don’t forget that cyber and privacy stakeholders should be collaborating and not working in isolation (which we frequently see).

Do you monitor and stay on top of legal reforms?

The Privacy Act is under review and there are many other legal reforms in the data and privacy space. It is critical to understand potential changes in order to plan proactively. Developers should have internal stakeholders appointed to monitor changes, and a clear compliance roadmap which sets out the steps to be implemented to deal with legislative change.

Key emerging privacy issues and risks in the Development industry

The Development sector is a diverse and ever-changing landscape which is characterised by its own unique challenges and risk profile. Some of the key factors driving positive change (such as emerging technology and greater interconnectivity) are the same factors that make the sector vulnerable when it comes to privacy and cyber security risks.

  1. Managing additional vulnerabilities in increasingly sophisticated projects:
    1. As technology becomes more integrated with the built environment, additional avenues for hacking and cyber security incidents emerge. As far back as 2013, a data breach resulted from hackers getting into the system through the air-conditioning connected to Target’s main IT network.
    2. As the sector moves toward highly sophisticated projects such as Smart Buildings, a huge range of devices, including small components, can return large volumes of data. Without a ‘Privacy by Design’ approach, all this data becomes a soft target for potential attacks which could compromise the functioning, security or even the safety of a building and the people in it.

      Hypothetical example: A malicious third party gains access to an IT system relating to the security of an office building you operate. They release malicious code which locks down the security system so that no one can leave the building.

  2. Do Developers need to be custodians of personal information?
    1. Developers have historically collected a significant amount of personal information, such as contact information from mailing lists and sign-up processes, CCTV recordings, and valuable information such as ID documents from employees, contractors and other stakeholders.
    2. However, with the emergence of new development models such as Build-To-Rent, some developers are now responsible for large amounts of personal information for longer periods of time (for example identity documents, financial documents, contact numbers, address, next of kin details and health information/ information about a disability regarding tenants). That requires planning and thought about how to manage that data and information.
  3. Ensuring sufficient investment is allocated to managing systems as projects become more expensive to run and profitability margins become tighter:
    1. Development sector clients are increasingly forced to implement expensive technology and adapt to new scenarios in order to excel in a fast-paced and highly competitive space. This creates the risk that new projects or technologies will be implemented without appropriate privacy and security measures.
    2. However, the cost of not being proactive and taking steps prior to executing projects can be significant. According to IBM, the average cost of a data breach in Australia is $3.3 – 4.2 million.

About the Authors - how Maddocks can help

Sonia Sharma is recognised as a leading privacy and cyber security expert in Australia. She specialises in cyber and data resilience advice, with particular experience conducting privacy impact assessments and providing privacy advice on new cutting-edge technologies, as well as advising on complex privacy issues for ‘big data’, consents, cloud computing, cross-border transfers and data breach laws.

Sonia and Colin assist Maddocks development clients with their privacy and cyber security needs. If you would like more information on how we can assist your organisation, please get in touch with our Cyber and Data Resilience Team.

Read more from The Lot - March 2023 edition.