Timothy Pilgrim PSM - Data & privacy - FutureData 2017
Data & Privacy
Timothy Pilgrim — Australian Information and Privacy Commissioner PSM
17 October 2017
Enhancing the protection of personal information
Unlocking the potential of data
Data has immense value. It may be used to:
• Identify gaps in the provision of services
• Improve products
• Better inform policy‐making and decision‐making
There is the potential for broad public support for data use – where a case is made for the public benefit.
However, there is a persistent need to demonstrate that personal information is protected to the highest standard, to build community confidence in data use.
Australians’ views on the reuse of personal data
The 2017 Australian Community Attitudes to Privacy Survey revealed:
• 86 per cent of Australians consider the secondary use of personal information a misuse of that information
• Only 33 per cent are comfortable with government agencies sharing personal information with other agencies. Only 10 per cent are comfortable with businesses sharing personal information with other organisations
• However, there is the potential for broad public support for government’s sharing personal information for ‘research, policy development or policy development purposes’. 46 per cent were comfortable and 21 per cent were neither comfortable nor uncomfortable.
De‐Identification
• De‐identification allows data to be shared or released with a wider audience in a way that simultaneously protects individual privacy and maintains data utility
• The De‐Identification Decision‐Making Framework empowers your organisation with an understanding of de‐identification, and how to evaluate and balance risk
• The guidance presents ‘functional de‐identification’ – where data custodians consider not just the data, but also the data environment it is released into.
De‐identification and the Privacy Act
• Where re‐identification is so impractical there is no real likelihood of it occurring – generally the information will not be regarded as personal information for the purposes of the Australian Privacy Act
• Understanding whether someone is ‘reasonably identifiable’ requires an evaluation of context
• Organisations should take a risk‐management approach, and acknowledge that a ‘de‐identified’ status is often contextual.
The Notifiable Data Breaches scheme
• About 95% of Australians already believe they should be told if an organisation loses their personal information
• The NDB scheme provides individuals with an opportunity to mitigate harm following a breach, and encourages improved privacy capability in organisations
The threshold for notification
• Only data breaches that are likely to result in serious harm trigger notification obligations
• Serious harm can be psychological, emotional, physical, reputational, or other forms of harm
• Remedial action may reduce the likelihood of serious harm following a data breach — if successful, notification is generally not required.
Assessing a suspected data breach
• If you suspect an eligible data breach has occurred, you must conduct a reasonable and expeditious assessment of the breach
• Generally, you have 30 calendar days to complete this assessment
• Ahead of the NDB scheme, it is important to review your data breach response framework, with the view that your technical systems and governance processes should result in relevant personnel being aware of a breach as soon as practicable.
The role of the OAIC
• Receiving notifications of eligible data breaches
• Encouraging compliance with the scheme, including by handling complaints, conducting investigations, and taking other regulatory action in response to instances of non‐compliance
• Offering advice and guidance to regulated organisations, and providing information to the community about the operation of the scheme.
Sign up to the Privacy Professionals’ Network: https://www.oaic.gov.au/engage-with-us/networks
Attend the NDB scheme webinar on 21 November 2017.