Speakers
Synopsis
- At a fairly high level, discussion regarding the current state of the Privacy Act, the Australian Privacy Principles, known as the APPs; the proposed changes to the act and principles;
- The regulatory environment – what's happening in the space;
- Data Acquisition & Use - phases in the administration of information;
- Boards & Executives - awareness, responsibilities and initiatives;
- Where things can go wrong - the Medibank example.
The Privacy Act
Ultimately it's all about the protection of personal information and ensuring individuals have control over how their data is collected and used (and then shared and disposed of).
I will then discuss each of the APPs at a high level and focus on some key ones including APP11 regarding security. Each of the APPs feeds into good governance practices - with the onus on organisations.
Why is all of this important for auditors and consultants? Well, if organisations want to be compliant with a certain standard or similar, a lot of these elements need to be satisfied, but at the basic level, they are legally required to comply with the APPs, so it makes sense that the requirements of the APPs should be built into the standard practices, policies and procedures of the organisation before you even look at measuring against another standard.
Proposed Changes
Discussion around key proposed changes and what they will mean for auditors and organisations alike in terms of new considerations - e.g. amendment to the definition of "personal information"; organisational accountability; security and destruction; and new rights of the individual.
The Regulatory Environment
- Touch on GDPR;
- Discussion of the OAIC powers, enforcement activities and recent enhancement to civil penalties (fines of $50M +);
- ASIC - specifically comments by Chair Joe Longo regarding cyber resilience and privacy;
- APRA;
- Private litigation risks.
Data Acquisition & Use
Discussion regarding organisations collecting more personal information than they need; a real example.
Some questions to empower auditors and consultants to dig a bit deeper into organisations' reasons for collection, use and disclosure of personal information, to determine whether they're legitimately collecting information for a business purpose or whether it's just nice to have.
Boards & Executives
Boards' roles and responsibilities regarding cyber and privacy, their duties and obligations, including for good governance, but also from a statutory perspective.
Cautionary Tale - how things can go wrong, the Medibank example
- Discussion regarding the statements to the market Medibank made about their cyber and privacy practices and how they became the basis for the allegations that Medibank engaged in misleading or deceptive conduct.