The digital transformation of society has added to the complexity of doing business today for large corporations, international conglomerates and small owner operators, as well as for individuals. Risks and threats evolve daily because of the widespread use of internet-enabled devices and processes. Recent high-profile cyberattacks demonstrate the scale of losses that institutions and businesses can suffer, and the impact on civil society, when the daily operations of banks, airlines, hospitals and other institutions are compromised. This situation has been further compounded by increasing physical and financial damage arising from data privacy breaches. The challenge for business is to protect personal and other information while still being able to use that information for operational business needs.
Online privacy faces new risks and threats with each emerging technology, which can affect how web-based data is protected or exposed. Privacy concerns exist wherever personally identifiable information or other sensitive information is collected, stored and used in digital form. The challenge for business is to strengthen the way it protects personal and other information, and thereby enhance its business resilience. An additional challenge for many organisations is how to use information while maintaining data privacy and protecting each individual’s privacy preferences and personally identifiable information from inappropriate or unauthorised use. This is particularly challenging when data comes from a wide range of information sources.
In Australia, the Privacy Act 1988 regulates how personal information is handled. The Privacy Act defines personal information as ‘… information or an opinion, whether true or not, and whether recorded in a material form or not, about an identified individual, or an individual who is reasonably identifiable’. The Privacy Act includes 13 Privacy Principles that outline how all private sector and not-for-profit organisations with an annual turnover of more than $3 million and some small businesses must handle, use and manage personal information. These Privacy Principles also apply to most Australian and Norfolk Island Government agencies and to all private health service providers.
While the Privacy Principles are not prescriptive, each entity needs to consider how the principles apply to its own situation. The principles cover:
- an individual having the option of transacting anonymously or using a pseudonym where practicable
- the collection of solicited personal information and receipt of unsolicited personal information, including giving notice about collection
- how personal information can be used and disclosed (including overseas)
- maintaining the quality of personal information
- keeping personal information secure
- the right for individuals to access and correct their personal information.
The challenge for many organisations is how to collect and use personal data without breaching the Privacy Act. For example, while data collection agencies and marketers state they keep users’ data private by viewing it only in aggregate, the extensive volume of data a cookie can collect about any individual can enable the cookie’s owner to infer a surprising amount about the individuals being tracked.
Obtaining an individual’s consent to a secondary use or disclosure is permissible, but organisations need to be aware that, under the Privacy Act, the individual can reasonably expect a secondary use or disclosure to be related to the primary purpose of collection or, in the case of sensitive information, directly related to the primary purpose.
Cyber risks are complex to understand and calibrate, especially given the significant potential for related exposures. For example, the trend to use cloud-based data storage, while convenient for access, means increased exposure to risks to the data stored, which may belong to the online service as well as to the business using the service. The increasing number of cyberattacks on large and small organisations means that extra caution needs to be taken to protect personal information and data. It is not enough to simply ‘air-gap’ the specified data, as this would inhibit operational business needs. What is necessary is to ensure cybersecurity procedures are current and integrated into mainstream resilience management strategies and practices.
Further information about the Privacy Act 1988 and Privacy Principles can be obtained from the Office of the Australian Information Commissioner.