Five key themes from recent IAPP Privacy Summit
13 December 2022
After a Covid-enforced break, the annual IAPP (International Association of Privacy Professionals) ANZ Summit took place in Sydney in late November. As well as keynotes from the New Zealand Privacy Commissioner and the Australian Information Commissioner, various panels and speakers traversed topical privacy issues from indigenous data rights, to biometrics, AI and facial recognition technology, and a growing trend towards 'people-centric' privacy.
There were five clear themes that came through at various sessions during the summit.
- Cyber attacks are not going away
The recent Optus and Medibank cyber attacks in Australia were hot topics. Described by the Australian regulator as "a wake-up call", the Optus breach in particular re-emphasises how essential it is to minimise data retention and ensure data isn't kept for longer than needed – after all, you can't lose what you don't have.
There is a clear expectation that organisations need to get their houses in order now to minimise damage in a worst-case scenario (and organisations that don't do this will risk regulatory attention). This might involve:
- Knowing what data you hold (and doing an audit if this isn't clear)
- Ensuring adequate investment in security, as well as tested backup and disaster recovery plans
- Reviewing retention, archiving and deletion policies and practices, to make sure that you are only holding on to what you need
- Taking another look at any anonymised or aggregated datasets to check that they aren't vulnerable to re-identification, given the large amount of data available online as a result of other recent breaches.
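The last item above is the one most often skipped, because a dataset with names and contact details stripped out looks safe. It frequently is not: a handful of ordinary attributes (postcode, year of birth, sex) can be unique to one person, and those same attributes now circulate in breached datasets. The following is an added example, not part of the summit materials or the original article, showing the check a practitioner would run. It measures k-anonymity over a chosen set of quasi-identifiers, attempts a linkage attack against a second dataset standing in for leaked data, and then shows how generalising the quasi-identifiers removes the unique records. All records, names and field names are constructed for illustration.

```python
from collections import Counter

# Constructed "anonymised" extract: direct identifiers removed, but the
# quasi-identifiers (postcode, birth year, sex) retained alongside a sensitive field.
ANONYMISED = [
    {"postcode": "2000", "birth_year": 1985, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "2000", "birth_year": 1985, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "2010", "birth_year": 1972, "sex": "M", "diagnosis": "hypertension"},
    {"postcode": "2041", "birth_year": 1990, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "2041", "birth_year": 1990, "sex": "M", "diagnosis": "migraine"},
    {"postcode": "2030", "birth_year": 1978, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "3000", "birth_year": 1968, "sex": "F", "diagnosis": "diabetes"},
    {"postcode": "3052", "birth_year": 1961, "sex": "F", "diagnosis": "asthma"},
]

# Constructed stand-in for data exposed in an unrelated breach: names plus the
# same quasi-identifiers, which is exactly the linkage material an attacker needs.
LEAKED = [
    {"name": "Alice Ng", "postcode": "2000", "birth_year": 1985, "sex": "F"},
    {"name": "Bea Tan", "postcode": "2000", "birth_year": 1985, "sex": "F"},
    {"name": "Carl Ito", "postcode": "2010", "birth_year": 1972, "sex": "M"},
    {"name": "Dev Rao", "postcode": "2041", "birth_year": 1990, "sex": "M"},
    {"name": "Eve Li", "postcode": "3000", "birth_year": 1968, "sex": "F"},
    {"name": "Finn Oak", "postcode": "2030", "birth_year": 1978, "sex": "M"},
]

# Assumed quasi-identifier set; in practice this is a judgement call per dataset.
QIDS = ("postcode", "birth_year", "sex")


def qid_key(record, qids=QIDS):
    """The combination of quasi-identifier values that defines a record's equivalence class."""
    return tuple(record[q] for q in qids)


def class_sizes(records, qids=QIDS):
    """How many records share each quasi-identifier combination."""
    return Counter(qid_key(r, qids) for r in records)


def k_anonymity(records, qids=QIDS):
    """k = size of the smallest equivalence class; k == 1 means someone is unique."""
    sizes = class_sizes(records, qids)
    return min(sizes.values()) if sizes else 0


def unique_records(records, qids=QIDS):
    """Records whose quasi-identifier combination appears exactly once."""
    sizes = class_sizes(records, qids)
    return [r for r in records if sizes[qid_key(r, qids)] == 1]


def link(anonymised, leaked, qids=QIDS):
    """Linkage attack: join on quasi-identifiers that are unique in BOTH datasets.

    Uniqueness on both sides is required; if two leaked people share the
    combination the attacker cannot tell which one the anonymised record is.
    Returns {name: diagnosis} for every successful re-identification.
    """
    anon_sizes = class_sizes(anonymised, qids)
    leaked_sizes = class_sizes(leaked, qids)
    leaked_unique = {qid_key(r, qids): r for r in leaked if leaked_sizes[qid_key(r, qids)] == 1}
    matches = {}
    for r in anonymised:
        key = qid_key(r, qids)
        if anon_sizes[key] == 1 and key in leaked_unique:
            matches[leaked_unique[key]["name"]] = r["diagnosis"]
    return matches


def generalise(record, postcode_digits=2, year_bucket=10):
    """Coarsen quasi-identifiers: truncate postcode, bucket birth year. Other fields untouched."""
    g = dict(record)
    g["postcode"] = record["postcode"][:postcode_digits]
    g["birth_year"] = record["birth_year"] // year_bucket * year_bucket
    return g


def generalise_all(records, postcode_digits=2, year_bucket=10):
    return [generalise(r, postcode_digits, year_bucket) for r in records]


if __name__ == "__main__":
    print("k before generalisation:", k_anonymity(ANONYMISED))
    print("unique records:", len(unique_records(ANONYMISED)))
    print("re-identified via leaked data:", link(ANONYMISED, LEAKED))
    coarse = generalise_all(ANONYMISED)
    print("k after generalisation:", k_anonymity(coarse))
    print("re-identified after generalisation:", link(coarse, generalise_all(LEAKED)))
```

On the constructed data the release is only 1-anonymous: four of the eight records are unique on their quasi-identifiers, and three of those join directly to named people in the leaked set, exposing their diagnoses. Truncating postcodes to two digits and bucketing birth years by decade gives k = 2 and defeats the linkage. Two caveats for real use: k-anonymity is a floor, not a proof of safety (if everyone in an equivalence class shares the same diagnosis, the sensitive value leaks even without a unique match), and the quasi-identifier list must be revisited whenever a new breach puts further attributes into circulation.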
- Australian privacy reform is coming
In the wake of the Optus breach, the Australian government moved to introduce harsher penalties for non-compliance with privacy obligations by way of the Privacy Legislation Amendment (Enforcement and Other Measures) Act 2022 (currently awaiting Royal Assent). That legislation increases penalties for serious or repeated interference with privacy to the greater of A$50m, three times the value of the benefit obtained from the privacy interference (if that can be determined), or 30% of the organisation's turnover during the relevant period.
Those penalties will bring Australia closer into line with the EU/UK General Data Protection Regulation (GDPR) penalties and are significantly higher than the equivalent in New Zealand.
It is also only the first step in Australian privacy reform, with more substantial legislation promised for this parliamentary term. Again, it's expected that the move will be to align Australian privacy legislation more closely with GDPR.
While the New Zealand Privacy Act is still relatively new, the Australian changes will possibly serve as a signpost of any future privacy reform on this side of the ditch.
- A move towards 'fair and reasonable' data practices
Organisations that are 'privacy mature' are increasingly seeing good privacy practice as an organisation wide exercise, and an extension of good customer service and good corporate citizenship. Whether this trend moves beyond good practice to an area of possible legislative reform (in the same way that fairness in consumer and small business contract terms has been codified in both Australia and New Zealand in recent years) will be one to watch.
- Indigenous data rights – so much more than just a privacy issue
Indigenous data rights reach well beyond privacy because Māori data may be much more than 'personal information': information relating to a maunga or other aspects of te ao Māori is as deserving of safeguarding as personally identifiable information, and (conversely) information relating to identifiable individuals may give rise to rights vesting in iwi or hapū, and not just the individual(s) concerned. This means that principles of Māori data sovereignty may not align neatly with the Information Privacy Principles in the Privacy Act. Where issues do overlap, Māori data sovereignty considerations may be so fundamental that they pre-empt or override the approach to privacy. Each situation may require nuanced analysis from a public law, tikanga and Te Tiriti perspective (as well as a privacy perspective) to find the right outcome.
- Getting the basics right remains fundamental
With fast paced global regulatory change, increasingly sophisticated cyber criminals, and the constant availability of new data-led technologies, there is a lot going on that can keep privacy specialists up at night.
The key message from the summit was that, while the stakes are certainly getting higher, the fundamentals of a good privacy programme are not materially changing overall. By focusing on the basics like only collecting and keeping data that is really needed, treating individuals fairly, communicating transparently, and knowing what data is being held, organisations can set themselves up to manage privacy risk in a way that remains resilient for years to come.