privacy unbound iappanz - international association of ... · privacy unbound iappanz | issue 68...



Post on 29-May-2020


PRIVACY UNBOUND IAPPANZ | Issue 68

ME_128501021_1 (W2007)

UNLOCKING THE TRUTH ABOUT PRIVACY

Privacy Unbound iappANZ

February/March 2016

ISSUE 68

President’s Letter

By Kate Monckton, President
M: 61 409 613 029

Dear Members

Welcome to the first edition of Privacy Unbound for 2016. We’re only a few months in and there’s already been so much happening in the privacy space. I’d like to thank everyone who has volunteered their time by writing some really engaging and interesting pieces in this edition and all the previous ones – without our members and hardworking Board Directors, none of this would be possible.

There are several workshops coming up soon across Australia and New Zealand including a series on Mandatory Data Breach Notification in Sydney, Melbourne and Brisbane. Dates and venues can be found in our Privacy Events calendar on page 23 and watch this space for news of NZ workshops very soon.

The Board is also working on its strategy and planning in the coming months, focusing on membership, sponsorship and of course this year's Summit. We are also looking at introducing a new look format to the Journal.

Check out the photo toward the end of some of our members celebrating International Privacy Day in Melbourne – see if you recognise anyone. Thanks to Grace Guinto at PwC for hosting a Privacy After Hours event to mark the day. If you have an idea for a Privacy After Hours event in your city, please let us know and we can help you get something organised.

By the time I write the next introduction for Privacy Unbound, I will have had the honour of attending the IAPP Global Privacy Summit in Washington DC in early April, and look forward to reporting back on the highlights and takeaways for the ANZ region. I know that a couple of our members are also heading stateside for the summit and it would be great to hear from you if you’ll also be there – either by email or phone (number above).

If you would like to contribute an article, have a job advert you want to include in our next journal or have any other feedback you would like to share, please contact us at [email protected] – we’d love to hear from you!

Enjoy!

Kate


Vice-President’s Foreword

By Melanie Marks, Vice-President
[email protected]

Dear Members

Welcome back to another year of privacy practice! The iappANZ has a solid year of events and benefits planned for members this year and we look forward to your involvement and feedback.

So, a quick summary of what you’ll find in the February-March edition of Privacy Unbound…

We kick off with a view from our regulators. Firstly, New Zealand Privacy Commissioner, John Edwards tells Katherine Gibson (Director, Gibsons Law Limited in Auckland) about his key focuses in 2016, including projects and the international agenda – and a visit from UN Special Rapporteur on the Right to Privacy, Professor Joseph Cannataci during Privacy Awareness Week.

Australia’s Privacy Commissioner and Acting Information Commissioner, Timothy Pilgrim outlines the hot issues for Aussie privacy professionals this year (spoiler alert: big data, data sharing, de-identification, and mandatory data breach notification), the basis for the appeal by his Office of the decision of the AAT in Telstra Corporation Limited and Privacy Commissioner (more about that later), impacts of the EU GDPR on Australian businesses and early thoughts on implementation of mandatory data breach legislation, should the current draft Bill be passed.

Annelies Moens (Head of Sales and Operations, IIS) and Malcolm Crompton (iappANZ Board Director and Managing Director of IIS) share some insights to their recent report on the APEC Cross-Border Privacy Rules System. Presented at recent APEC Steering Committee meetings in Lima, Peru, the report is focused on stakeholder views on the benefits of the CBPR for APEC economies and businesses.

Whilst high-profile data breaches have placed the issue of cyber risk firmly on the agenda for boards, law makers and regulators in Australia, cyber risk insurance has not been as widely embraced as may have been expected. In this article, Leah Mooney, Minter Ellison Special Counsel highlights findings from a recent cyber risk survey of c-suite and senior executives in the information technology, legal and risk sectors.

According to Anna Johnston, Director, Salinger Privacy, we need to talk about Ben Grubb. In case that’s not enticing enough, this article critiques the approach taken in the Telstra case by AAT Deputy President Stephanie Forgie in concluding that mobile network data is about connections between mobile devices and not about an individual. As Anna asks: “How far could you take this argument? Could banks start arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions? Could hospitals claim that medical records are ‘about’ clinical procedures, not their patients?...” Peter Leonard (Partner, G+T) also reviews the AAT's “novel and controversial” decision, noting that the vexed issue of how to work out when device information is personal information is a key issue that arises for many Internet of Things (‘IoT’) applications now entering the market and gives us a view of the appeal to the Federal Court of Australia anticipated to commence in August 2016.

Did you know that 28 January 2016 was International Data Privacy Day, which – like APAC Privacy Awareness Week – purports to raise awareness among businesses and consumers about the importance of protecting the privacy of their personal information, new trends/regulations in the privacy realm and to promote privacy and data protection best practices? Turn to page 17 to see pics from Privacy After Hours in Melbourne, coordinated and hosted by Grace Guinto from PwC in conjunction with the global IAPP organisation and local iappANZ team to celebrate International Data Privacy Day.

Finally, maybe your New Years’ Resolution is to join the New Zealand Privacy Commissioner’s Office or the Digital Trust & Privacy team of the Commonwealth Bank? Turn to page 19 for job ads.

Happy reading.

Melanie


A reminder about iappANZ membership:

Membership benefits

As an iappANZ member you are entitled to receive a range of great member benefits as outlined at: www.iappanz.org.

Also, through our affiliation with the global body, the International Association of Privacy Professionals (iapp), you are also entitled to additional member benefits, including the knowledge and resources located within the members’ only area of the iapp website at: www.privacyassociation.org.

You can access benefits available to you through your iapp account. Simply login to your MyIAPP account using your email address as the username. If you do not yet have a password or have forgotten yours just click on the ‘Reset your password’ link and instructions on how to create a new password will be sent to you. If you don't want us to confirm your membership details to iapp in accordance with iappANZ’s privacy policy, please let me know by emailing me at [email protected].

Thanks

Emma Heath, iappANZ General Manager

And remember…..

Visit our website, join us on LinkedIn or follow us on Twitter

To join the privacy conversation, keep up to date on developments and events and to make connections in your professional community, connect with us today!

Our website is www.iappANZ.org.au. You can log in to our member area from our website homepage with your email and password to access past bulletins. You can also get a new password or be reminded of your username if you have forgotten it. Just click on the links on the log in box. If you still need help email us at [email protected].

Our LinkedIn group is: http://www.linkedin.com/groups?gid=1128247&trk=anetsrch_name&goback=.gdr_1281574752237_1

Follow us on Twitter at: https://twitter.com/iappANZ


Q&A with John Edwards, Privacy Commissioner (New Zealand)

with Katherine Gibson

1. What are some of the key focuses for your team for 2016?

This year we will be continuing to focus on ‘making privacy easy’ for agencies and individuals, as well as preparing for upcoming law reform.

In the dispute resolution space, we are continuing to make changes to our processes to give people access to more timely remedies. Our investigators are continuing to focus on early resolution through phone conversations when possible, leaving formal, written investigations for the more sensitive or complex cases. This is a continuation of a process we started last year, and we expect it will give more people faster access to remedies.

We are also focussing on improved privacy practice in the private sector. To this end, we’ve recently launched our transparency reporting pilot. This is a project to encourage private sector agencies to publicly report the number of personal information requests or demands they have received from government agencies, and how many of those requests they complied with.

The trial report – launched in February – proved the concept by surveying 10 agencies and reporting the (anonymised) results. The headline result was that there were 12,000 requests made during the 3 month trial. We will be encouraging other private sector agencies to do their own transparency reporting this year.

Finally, the Minister of Justice has indicated that reforms to the Privacy Act – first recommended by the Law Commission in 2011 – are on the horizon, so we are working with a number of other agencies on these reforms, as well as preparing to make necessary changes across our website, guidance material and a variety of other publications.

2. You want to “make privacy easy” for agencies as well as individuals. What projects do you have in the pipeline this year to achieve this?

In May this year we will release a tool that helps people request their personal information from agencies that hold it. We expect this will be valuable for many people, as more than half of our complaints each year are about access requests.

We will be releasing new online education modules to help people understand their privacy rights and obligations. A module on privacy for employers is in the pipeline, as is a module on credit reporting. These will complement the existing modules, which are Privacy 101, Health 101 (overviews of the Privacy Act and Health Information Privacy Code, respectively), a guide to Approved Information Sharing Agreements and a guide to Privacy Impact Assessments.

We will continue our regional outreach strategy, sending staff to cities and towns outside the main regions to speak to groups such as Chambers of Commerce and District Law Societies. These visits help us engage with people who don’t come across our radar as often, and gives opportunity to promote things like the tools we develop and our online education modules.

3. Privacy has an ever increasing international dimension. What is on your international agenda for this year?


Our office is gearing up for another full year of international activity as the field of privacy and data protection continues to evolve at a fast pace. New Zealand's privacy laws are just one part of a world-wide picture of privacy protection. Privacy is protected as a human right at the highest international level and it is important to have regular and ongoing contact with our international privacy colleagues to keep up with privacy developments.

We will also be playing our part with the Global Privacy Enforcement Network (GPEN) and the Asia Pacific Privacy Authorities (APPA). Our involvement in APPA is an important part of our international engagement and we’ll be contributing to the APPA Forums in Singapore in July and Mexico in November or December. We’ll also be involved in the OECD Ministerial Meeting on the Digital Economy: Innovation, Growth and Social Prosperity, in June 2016 in Cancun, Mexico.

We have a continuing role in organising the annual International Conference of Data Protection and Privacy Commissioners. Our office is currently the secretariat for the ICDPPC which will be held in Marrakesh in October. I am the Chair and we will have quite a bit of work to do in preparing the programme for the closed session in Morocco.

We will be hosting the United Nations Special Rapporteur on the Right to Privacy during Privacy Week this year. Professor Joseph Cannataci is the world’s first privacy investigator at this international level. We’ll be looking forward to hear what he has to say at our public Privacy Forums in Wellington (11 May) and Auckland (12 May). He then heads to Australia.

4. We are looking forward to the visit from the UN Special Rapporteur on the Right to Privacy during Privacy Week in May this year. What do you hope Professor Joseph Cannataci’s visit will achieve?

Since taking up the role in July 2015, Prof Cannataci has spoken about government and corporate surveillance on the Internet and overreaching intelligence gathering. He says proper oversight is the only way and he champions a universal Geneva Convention-style law that safeguards people’s online information.

For privacy authorities and anyone who works to ensure the security and integrity of personal information, the creation of a UN rapporteur role devoted to privacy is a singular universal elevation of privacy rights. It’s more than symbolism; it’s a reflection of the growing international convention that privacy is a value that needs special attention in a changing world.

We are looking forward to finding out more about Prof Cannataci’s views and we believe he will have some thought provoking ideas to add to our ongoing national discourse on privacy, oversight and transparency.

5. If you had to choose one area of focus for Privacy Professionals for 2016 this year, what would it be?

We’re big on dispute resolution. Last year, we closed 827 complaint files and of these, nearly half were achieved with a settlement between the parties involved. A big portion of our complaints relate to agencies failing to meet their obligations to provide access to personal information when requested. This is a particular focus for us in 2016.

Our closing times for complaints are getting faster, and our focus is on continuous improvement. For example, in 2014, a quarter of our files (24%) were older than 6 months. This reduced to 19% by 2015, and by January 2016, only 10% of our file load was over 6 months. We’ll keep working at it.

In an access complaint, a successful resolution might include providing the information a customer requested – or perhaps a portion of the information. In other complaints we see resolutions with an apology or an acknowledgement, a change in an agency’s processes, staff retraining, or a compensatory payment. It’s usually a better option than expensive and time consuming legal action. Many New Zealanders have learned the hard way about the time, cost and emotional drain of litigation, and the substantial delays inherent in the court process. Dispute resolution is an area that we will continue to concentrate on and it is perhaps an area that many other privacy professionals could pay closer attention to.

John Edwards is the New Zealand Privacy Commissioner
Katherine Gibson is Director, Gibsons Law Limited in Auckland (http://www.gibsonslaw.co.nz)


Q&A with Timothy Pilgrim, Privacy Commissioner and Acting Information Commissioner (Australia)

with Melanie Marks

1. What do you see as the hot issues and challenges for privacy professionals in 2016?

The regulatory framework for privacy is now well established in Australia. Many organisations, agencies and individuals have a good understanding of their rights, responsibilities, and privacy processes. But privacy will continue to develop and change, particularly as technology advances. So we must all step up to the challenge of managing our privacy, and meeting our responsibilities to others; including our clients and customers.

Big data, data sharing, de-identification, and mandatory data breach notification are all key issues for the year ahead.

From its beginnings, big data has presented significant privacy challenges. But the best responses lie in bringing big data into a privacy-by-design framework. The OAIC is developing guidance to assist organisations and agencies to take a privacy-by-design approach in a big data context.

Big data has changed and will continue to change many privacy management practices, but the Australian Privacy Principles are flexible, and can support good business processes, if approached the right way. Big data is big business. But businesses that rely on big data, analytics and data aggregation, which is rapidly becoming most businesses, must take a transparent and accountable approach to the use of this technology, or they will risk serious customer mistrust and regulatory attention.

Connected to the issue of big data is de-identification, which is vital to get right. De-identification is a key tool to maximise the utility and value of information assets while at the same time safeguarding privacy. Businesses and government are collecting more data than ever before, and they are using it in broader and more varied ways than we would have thought possible, even five years ago.

Advances in technology mean that methods of de-identification have evolved substantially over the last few years and, when executed correctly following a robust risk assessment, de-identification can be an excellent privacy solution. But, as we have seen in a few high profile privacy cases, de-identification is not always being fully or correctly integrated with technology solutions, and this can create significant and large scale issues from seemingly small mistakes.

De-identification is also becoming more complex — it is a dynamic area which is more intrinsically bound up in developments in big data, data matching, and aggregation, and it is essential that all organisations that collect personal information are keeping their finger on developments in this area. You can expect to hear a lot more from me, and the OAIC, on the subject of de-identification and Big Data this year.

Finally, as I have said many times, mandatory data breach notification is an important step in protecting the personal information of Australians, and I feel that it can be achieved without an unnecessary burden on businesses. However, assuming the legislation is passed, there will be a period of adjustment while the changes are implemented and integrated into processes and policies, and OAIC looks forward to assisting with that integration.


2. The Information Commissioner has appealed the decision of the AAT in Grubb v Telstra. What is the basis for the appeal? When can we expect the matter to be heard by the Federal Court?

My determination in this matter found that an individual’s metadata could be personal information under the Privacy Act 1988, in circumstances where the metadata is information about an individual whose identity is apparent or can reasonably be ascertained from that metadata.

I found in this instance that customer metadata held by Telstra constituted personal information and that Telstra was obliged to give customers access to this information on request.

That decision had implications for the operational practices of organisations and agencies handling personal information and Telstra sought review in the AAT, which took a different approach to the meaning of personal information under the Privacy Act and set aside my determination.

That decision in turn equally has implications for the information handling practices of organisations and agencies and I think it is important to obtain the certainty of a court finding to provide clarity to the thousands of Australian entities who handle information of this nature. It’s for this reason that I have sought to have the Federal Court review the AAT’s decision.

The appeal will be heard and determined by a Full Court, and although a date has not yet been set, we anticipate that the matter will be listed for hearing during the Full Court and Appellate Sitting period in August 2016.

3. How might the EU GDPR affect Australian businesses with dealings in Europe?

There are significant differences between the European Union General Data Protection Regulation (EU GDPR) and the EU Directive, and any Australian business that has dealings, or a customer base, in the EU would be well advised to familiarise themselves with it.

The GDPR has a wider jurisdiction than the EU Directive, and now includes something similar to the Australia link in the APPs — it covers any business that offers goods or services to, or monitors behaviour of, EU residents. New obligations also apply to any business (such as cloud providers) that process data on behalf of another business that is covered by the GDPR. The GDPR also includes requirements similar to APP 1, including privacy by design. Businesses should also be aware that they may be required to appoint a data protection officer, in particular circumstances, which the regulation spells out.

The GDPR also introduces a mandatory data breach notification scheme. While Australia also has a proposed scheme, the EU model varies from the Australian model in a number of respects. Accordingly, any business that trades in the EU should ensure that they familiarise themselves with the EU requirements. It is also worth noting that the fines for breaching the GDPR have been raised, up to 4% of annual worldwide turnover, or €20mil.

For individuals, the privacy protections have been expanded — for example, the GDPR includes the right to data portability, any organisation that is covered by the GDPR must try to verify parental consent for individuals below 16 for use of online services, and, importantly, the GDPR includes the right to be forgotten.


4. One of the requirements for establishing a successful mandatory data breach notification regime is ensuring that the regulator is adequately resourced. If the proposed legislation is enacted, what sort of volume of notifications do you expect to receive and how will the OAIC organise itself to respond to them?

If the proposed scheme is enacted, the OAIC’s initial focus will be on providing guidance to assist affected organisations to give effect to the scheme. However, where needed I can access a range of regulatory powers (including conducting investigations in response to complaints or on my own initiative) to ensure compliance.

While it is impossible to put a precise figure on how many notifications will be made under the proposed scheme, looking at the experience of other jurisdictions that have moved from voluntary to mandatory schemes, we would expect the volume of notifications to increase well above the number we are currently receiving.

Timothy Pilgrim is the Australian Privacy Commissioner and is also the Acting Australian Information Commissioner.

Melanie Marks is Vice President of iappANZ and Executive Manager - Digital Trust and Privacy at Commonwealth Bank


APEC Cross-Border Privacy Rules System: New Report on Stakeholder Views

by Annelies Moens and Malcolm Crompton

At recent SOM I Meetings in Lima, Peru, Information Integrity Solutions presented the much anticipated Report on stakeholder views on the benefits of the Cross-Border Privacy Rules System (CBPR) for APEC economies and businesses. The Report authors, Annelies Moens and Malcolm Crompton reported on consultations with government, business and regulator stakeholders from a sample of economies, including Japan, Singapore, Mexico, Canada and the USA. The purpose of the Report was to raise awareness of benefits and serve as a catalyst for further economy specific cost/benefit analyses.

The Report found that stakeholders were identifying significant trade benefits as well as internal business benefits. From a government stakeholder perspective CBPR has the potential to advance global trade and economic growth policy objectives. Governments generally have policies to further economic growth and prosperity and this has been a fundamental objective of APEC since its inception. For trade to increase, views were that a trusted environment is required, especially when more and more trade involves personal information. CBPR is a scalable set of standards that can potentially also alleviate localisation pressures.

From an internal business perspective, CBPR plays a role towards having one global compliance system. Having one standard with one interpretation can potentially help overcome cultural differences that would otherwise make cross-border data flows even more complex. Business stakeholders considered that a simplified compliance system allows businesses to focus on better privacy rather than complex layers of compliance. One company has also benefited greatly from its CBPR certification through lowered cost and time in getting EU Binding Corporate Rules for its existing global privacy program.

From a regulatory perspective, CBPR can enable regulators to potentially improve resource allocation, by enabling them to focus resources and efforts on systemic, high profile and high impact privacy issues, rather than first line complaint handling if Accountability Agents in the CBPR System are effective.

Overall the Report finds that awareness and understanding of CBPR is low. The extent to which businesses and economies find value in the CBPR depends on:

• Each economy’s underlying domestic law
• Underlying domestic law of current and future trading partners
• Requirements of stakeholders

The independence and professionalism of Accountability Agents, Privacy Enforcement Authorities and the Joint Oversight Panel are integral to the credibility of the system and impacts overall regulatory benefits. The authors recommended the following next steps:

1. APEC member economies and businesses use the preliminary assessment in the Report to start the process of conducting a full cost/benefit analysis from their own perspectives
2. An urgent review and update of CBPR documentation take place – to make it accessible and easy to understand
3. Consideration be given to stronger and more visible promulgation of CBPR

The IIS report is available from the IIS website (under “Publications” and “APEC”) and at this link.

Annelies Moens is Head of Sales and Operations at Information Integrity Solutions and can be contacted at [email protected]

Malcolm Crompton is Managing Director at Information Integrity Solutions and can be contacted at [email protected]


Perspectives on cyber risk: how resilient are you?

by Leah Mooney

A number of recent high-profile data breaches have placed the issue of cyber risk firmly on the agenda for boards, law makers and regulators. Against this backdrop there has been an increase in the availability and uptake of specialist cyber risk insurance policies as organisations increasingly choose to allocate risks through securing insurance.

However a recent cyber risk survey by MinterEllison of c-suite and senior executives in the information technology, legal and risk sectors revealed that, while cyber risk is front-of-mind for Australian organisations, cyber risk insurance has not been as widely embraced as may have been expected given the rise of cyber risk to prominence in recent times.

The Survey

MinterEllison conducted a survey (the Survey) at the end of 2015 in order to provide an overview of Australian organisations' risk posture in relation to cyber attacks and cyber resilience capability. Two different surveys were distributed: one directed at the chairmen, directors and chief executive officers (Board Survey) and another directed at chief information officers, chief information security officers, general counsel and other risk-related managers (CIO Survey). A total of 159 responses, comprising 81 responses to the Board Survey and 78 responses to the CIO Survey, were received and evaluated.

Only 29% of survey respondents confirmed their organisation held specialist cyber risk insurance. A further 32% were unsure of whether cyber risk was addressed in their existing insurance arrangements.

Cyber Risk Insurance

While specialist cyber risk (or security and privacy) insurance policies are relatively new products in the Australian market, most ‘blue-chip’ insurers now offer this cover. Most of the available policies are hybrid products providing cover for first party losses (such as the cost of hiring technical experts to identify and address the cause of the data breach and engaging public relations professionals to conduct reputational repair services) and regulatory costs (such as fines or penalties, and notification and monitoring expenses) in addition to third party liability cover for any claims arising from any data breaches.

The reasoning behind the decision on the part of many organisations not to secure specialist cyber insurance is unclear. Possible contributing factors include a lack of awareness of the availability of cyber insurance cover, an organisation's appetite for risk and the possible expectation of coverage under the organisation's existing suite of policies.

Organisations should exercise caution in seeking to rely on their existing suite of traditional insurance policies for cover in the event of a data breach as these policies are not designed to respond to cyber risks. By way of example, references to 'property' in traditional insurance policies (such as fidelity and crime policies) are generally references to tangible property and therefore these policies are unlikely to provide protection in the event of a data breach.

Cyber Resilience

While organisations should certainly consider the benefits of a specialist cyber risk insurance policy, insurance is just one component of a balanced cyber risk response. The Survey also revealed that organisations can do more to improve their cyber resilience capabilities. A significant number (27%) of CIO Survey respondents reported that their organisation did not have a data breach response plan in place. Further, more than half (56%) of CIO Survey respondents reported that they only conducted information security training for personnel on an ad hoc basis. Accordingly, there is room for Australian organisations to improve their cyber resilience.

A useful starting point is the development of a cyber resilience plan. This process should include:

• Undertaking a contractual review to identify the allocation of risks and responsibilities;
• Identifying critical systems, data and services;
• Investing in employee training; and
• Understanding and implementing antivirus software, firewalls and data encryption.

The Office of the Australian Information Commissioner also recommends that all organisations covered by the Privacy Act 1988 (Cth) have in place a data breach response plan setting out the framework for responding to a data breach. Given a significant number of respondents to the CIO Survey (27%) reported that their organisation did not have a data breach plan in place, this is an area for organisations to improve their cyber resilience.

For the complete results of that survey in our Perspectives on cyber risk report click here.

Leah Mooney is a Special Counsel at Minter Ellison and can be contacted at leah.mooney@minterellison.com.


How Stephanie’s broken down car is undermining your privacy

by Anna Johnston

We need to talk about Ben.

Specifically, about Ben Grubb, the tech journo who triggered an on-going legal case, the resolution of which might yet either reinforce or undermine Australia’s privacy laws. (We’ll get onto Stephanie and her troublesome car shortly.)

Actually, we really need to talk about the word ‘about’ – what it means for information to be ‘about’ Ben. Because it is that one little word – about – which has caused such a ruckus.

When is information ‘about’ Ben, and when is it ‘about’ a device or a network?

First, the background. When the Australian Government was preparing in 2013 to introduce mandatory data retention laws, to require telcos to keep ‘metadata’ on their customers for two years in case law enforcement types needed it later, Ben Grubb was curious as to what metadata, such as the geolocation data collected from mobile phones, would actually show. He wanted to replicate the efforts of a German politician, to illustrate the power of geolocation data to reveal insights into not only our movements, but our behaviour, intimate relationships, health concerns or political interests.

While much fun was had replaying the video of the Attorney General’s laughable attempt to explain what metadata actually is, Ben also worked on a seemingly simple premise: “the government can access my Telstra metadata, so why can’t I?”

Exercising his rights under what was then NPP 6.1, Ben sought access from his mobile phone service provider, Telstra, for his personal information – namely, “all the metadata information Telstra has stored about my mobile phone service (04…)”.

At the time of his request, the definition of ‘personal information’ was “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.

(Since then, the definition of ‘personal information’ has changed slightly, NPP 6.1 has been replaced by APP 12, and the metadata laws have been passed, including a provision that metadata is to be considered ‘personal information’ under the Privacy Act. Nonetheless, this case has ramifications even under the updated laws.)

Telstra refused access to various sets of information, including location data on the basis that it was not ‘personal information’ subject to NPP 6.1. Ben lodged a complaint with the Australian Privacy Commissioner. While the complaint was ongoing, Telstra handed over a folder of billing information, outgoing call records, and the cell tower location information for Ben’s mobile phone at the time when Ben had originated a call, which is data kept in its billing systems.

What was not provided, and what Telstra continued to argue was not ‘personal information’ and thus need not be provided, included ‘network data’. Telstra argued that that geolocation data – the longitude and latitude of mobile phone towers connected to the customer’s phone at any given time, whether the customer is making a call or not – was not ‘personal information’ about a customer, because on its face the data was anonymous.

The Privacy Commissioner ruled against Telstra on that point in May 2015, finding that a customer’s identity could be linked back to the geolocation data by a process of cross-matching different datasets. Privacy Commissioner Timothy Pilgrim made a determination which found that data which “may” link data to an individual, even if it requires some “cross matching … with other data” in order to do so, is “information … about an individual”, whose identity is ascertainable, meaning “able to be found out by trial, examination or experiment”. The Privacy Commissioner ordered that Telstra hand over the remaining cell tower location information.

Telstra appealed the Privacy Commissioner’s determination, and in December 2015 the Administrative Appeals Tribunal (AAT) found in Telstra’s favour. Now here is where it gets interesting.

We knew that the case would turn on how the definition of ‘personal information’ should be interpreted, and I for one expected that the argument would centre on whether or not Ben was ‘identifiable’ from the network data, including how much cross-matching with other systems or data could be expected to be encompassed within the term ‘can reasonably be ascertained’.

And at first, that looked like how the case was going. The AAT judgment goes into great detail about precisely what data fields are in each of Telstra’s different systems, and what effort is required to link or match them up, and how many people within Telstra have the technical expertise to even do that, and how difficult it might be. But then – nothing. Despite both parties making their arguments on the topic of identifiability, the AAT drew no solid conclusion about whether or not Ben was actually identifiable from the network data in question.

Instead, the AAT veered off-course, into questioning whether the information was even ‘about’ Ben at all. Using the analogy of her own history of car repairs, Deputy President Stephanie Forgie stated:

“A link could be made between the service records and the record kept at reception or other records showing my name and the time at which I had taken the care (sic) in for service. The fact that the information can be traced back to me from the service records or the order form does not, however, change the nature of the information. It is information about the car … or the repairs but not about me”.

The AAT therefore concluded that mobile network data was about connections between mobile devices, rather than “about an individual”, notwithstanding that a known individual triggered the call or data session which caused the connection. Ms Forgie stated:

“Once his call or message was transmitted from the first cell that received it from his mobile device, the data that was generated was directed to delivering the call or message to its intended recipient. That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb but not about him”.

Well. That was a curve ball I did not see coming.

This interpretation seems to conflate object with subject, by suggesting that the primary purpose for which a record was generated is the sole point of reference when determining what that record is ‘about’. In other words, the AAT judgment appears to say that what the information is for also dictates what the information is about.

In my view, this interpretation of ‘about’ is ridiculous. Why can’t information be generated for one reason, but include information ‘about’ something or someone else as well? Why can’t information be ‘about’ both a person and a thing? Or even more than one person and more than one thing?

Even car repair records, which certainly have been created for the primary purpose of dealing with a car rather than a human being, will have information about the car owner. At the very least, the following information might be gleaned from a car repair record: “Jane Citizen, of 10 Smith St Smithfield, tel 0412 123 456, owns a green Holden Commodore rego number ABC 123”.

If we accept the AAT’s view that the car repair record has no information ‘about’ Jane Citizen, then Jane has no privacy rights in relation to that information, and the car repairer has no privacy responsibilities either. If Jane’s home address was disclosed by the car repairer to Jane’s violent ex-husband, she would have no redress. If the car repairer failed to secure their records against loss, and Jane’s rare and valuable car was stolen from her garage as a result, Jane would have no cause for complaint. Jane won’t even have the right to access the information held by the car repairer, to check that it is correct.

How far could you take this argument? Could banks start arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions? Could hospitals claim that medical records are ‘about’ clinical procedures, not their patients? Could retailers claim their loyalty program records are ‘about’ products purchased, not the people making those purchases?

Surely, this is not what Parliament intended in 1988 when our privacy laws were first drafted – or indeed, when they were updated in 2014, when the amendments were claimed to bring Australia’s privacy protection framework into the modern era.

In this era of Big Data, it is the digital breadcrumbs left behind in operational or transactional systems which can yield the business insights with the most value – and are thus in need of privacy protection.

The Privacy Commissioner is appealing the AAT’s decision to the Federal Court. I can only hope the Federal Court can see that information created for an operational purpose might also contain both deliberate and incidental information ‘about’ individuals – individuals who expect their privacy to be protected, no matter how or why the records were created in the first place.

The alternative is to let Stephanie’s broken-down car throw a major spanner in the works of privacy protection in Australia.

Anna Johnston is Director, Salinger Privacy
Salinger Privacy provides specialist privacy consulting and training services. Salinger Privacy publishes a blog, as well as eBooks on privacy law, including an annotated guide to the NSW privacy laws. Find Salinger Privacy at www.salingerprivacy.com.au


A review of Telstra Corporation Limited and Australian Privacy Commissioner

Australian Administrative Appeals Tribunal, now under appeal to the Full Federal Court of Australia [2015] AATA 991, 18 December 2015

By Peter Leonard

The Tribunal overturned the earlier determination by the Australian Privacy Commissioner granting journalist Ben Grubb access to certain data relating to Mr Grubb’s use of Telstra mobile services. The Tribunal’s Decision throws open the vexed issue of how to work out when device information is ‘about an individual whose identity may be reasonably ascertained from the information’ - a key issue that arises for many Internet of Things (‘IoT’) applications now entering the market.

In May 2015, the Australian Privacy Commissioner, Mr Timothy Pilgrim PSM, had found that Telstra had breached the Australian Federal Privacy Act 1988 (the ‘Privacy Act’) by failing to provide Mr Grubb with access to requested metadata relating to his use of Telstra telecommunications services as collected and held by Telstra in various databases for various purposes, some purely technical e.g. operation of the network and monitoring its performance: Ben Grubb v. Telstra Corporation [2015] AICmr 35, 1 May 2015. The case required application of the pre-March 2014 definition of ‘personal information,’ being ‘information about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’ (this definition is to be contrasted to the current Privacy Act definition of ‘personal information,’ which is information ‘about an identified individual or an individual who is reasonably identifiable’).

The Commissioner considered that the question of whether an individual’s identity can ‘reasonably be ascertained’ from information required assessment as to how unreasonably high the level of effort necessary to link an individual through to non-identifying information must be before an entity receiving an access request can say that the access that is requested is not to information from which an individual’s identity can reasonably be ascertained. It was not contended that Mr Grubb as an individual could be linked to some network data relating to use by Mr Grubb of his mobile phone through a multi-step process (requiring significant labour input and including manual matching) of tracing and matching records through multiple databases in Telstra’s systems. Although Mr Grubb’s identity was not apparent in relevant Telstra databases where relevant metadata was held, the device identifiers or IP addresses or other transactional information there held could be traced through from mobile tower records to operational and network databases and on to personally identifying databases (in particular, the Telstra customer billing database). Telstra regularly facilitated requests by law enforcement agencies for lawful assistance as to use of mobile phones by persons of interest by undertaking such tracing and matching processes.

Of course, Telstra’s practice of assisting law enforcement agencies as required by law did not of itself answer the question of whether existence of a possibility of tracing from source information to identifying information should lead to a determination as to whether an individual’s identity can reasonably be ascertained from the information. The Privacy Commissioner quoted a decision by Deputy President Coghlan in WL v. La Trobe University [2005] VCAT 2592 that such consideration requires examination of the complexity of the inquiries that would be needed to ascertain the information and the degree of certainty with which possible connections between that information and the individual’s identity could be made. In circumstances where an individual’s identity could only be ascertained from health survey information that had to be extracted from different databases, cross-matched and then cross-matched to an external database ‘and even then the making of any possible connections would not identify with certainty’ the relevant individual, DP Coghlan concluded that this went “beyond what is reasonable” (WL at para 52). By contrast, the Privacy Commissioner found that “Telstra’s handling of tens of thousands of requests made by law enforcement bodies, together with its recent public statement affirming that customers may access their metadata on request, suggests instead that Telstra has the capacity through the use of its network and records management systems to ascertain the identity of an individual and this process of ascertaining an individual’s identity does not exceed the bounds of what is reasonable” (Ben Grubb v. Telstra at para 101).

Tribunal Deputy President S A Forgie, in the Administrative Appeals Tribunal’s Decision overturning the Privacy Commissioner’s Determination, stated that where an individual is not intrinsically identified in information, a two-step characterisation process should be applied. The first step is determining whether relevant information is “about an individual.” The second step is working out whether an individual’s identity “can reasonably be ascertained from the information or opinion.” If relevant information is not “about an individual” that is the end of the matter. But if information is information “about an individual,” the second step must be applied.

It was in relation to the first step that the reasoning of DP Forgie most clearly diverged from the Privacy Commissioner. After noting that the range of what may be considered to be information “about an individual” is infinite and included, for example, information relating to the person’s physical description, residence, place of work, business and business activities, telephone number and so on, DP Forgie stated (at para 112):

“Had Mr Grubb not made the calls or sent the messages he did on his mobile device, Telstra would not have generated certain mobile network data. It generated that data in order to transmit his calls and his messages. Once his call or message was transmitted from the first cell that received it from his mobile device, the data that was generated was directed to delivering the call or message to its intended recipient. That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb but not about him.”

Similar reasoning may suggest that, for example:

• a transient or ephemeral device identifier, such as an internet protocol (‘IP’) address used to establish an internet session and manage interactions between an internet service provider and a user;
• a more pervasive identifier such as a mobile phone’s unique 15 digit International Mobile Station Equipment Identity (‘IMEI’) number;
• service records or records of use of a household device; and
• a motor vehicle licence plate;

may not satisfy the first step of this characterisation process, because it is not information “about an individual”: rather, it is information about an inanimate object that may be associated with an individual. Or to put it another way, the fact that information about an inanimate object may be retrievable by reference to an identified individual does not of itself make the information about the object information about an individual.

The problem is that the first step has an element of circularity, as had been noted in a number of New Zealand cases. For example, the New Zealand Human Rights Review Tribunal, applying a similar definition of ‘personal information’ in the case of Apostolakis v. Sievwrights (14 February 2005, HRRT 44/03 [1]), stated:

“[59] The matter is further complicated because the answer to the question ‘Is this personal information?’ can, we suspect, depend on how the question is asked. If one were to approach an observer and ask: ‘A owns a building which is insured. Is the fact that the building is insured ‘personal information’ about A?’ the answer might well be ‘no, it is information about the building.’ On the other hand, if one were to approach the same person but ask ‘Is the fact that A has insurance on her building ‘personal information’ about A?’ then the answer might well be ‘yes - it is information which tells me something about A’s rights in respect of the building that she owns.’

The NZ Tribunal concluded that there is no ‘bright line’ test, suggesting instead that although a person may not be identifiable in the information, if there is a ‘sufficient connection’ to an individual that connection may justify a conclusion that the information is personal information about that person. However, this reasoning interposes another phrase to be interpreted and applied: at what point does an inanimate object associated with an individual become ‘sufficiently connected’ to that individual such that the information ceases to be only ‘about the object’ and becomes ‘about the individual’? If information about use of a mobile phone, typically carried on a person through most of their waking hours and intimately associated with (and often creating an electronic record of) a person’s life, is not information about an individual, what information recorded by IoT devices is (to use the test suggested by the NZ Tribunal) ‘sufficiently connected’ to an individual? The AAT in the Telstra appeal did not refer to the New Zealand cases, but there does appear to be an underlying concept of closeness of association, or as the NZ Tribunal put it, whether there is a sufficient connection. Applying DP Forgie’s reasoning, a distinction might be made between a Fitbit or other personal health device which clearly gathers information about an individual, and cellular network connectivity features of a mobile phone that enable continuous calls notwithstanding handoffs between mobile towers, where relevant location information is collected for call management, not for tracking movement of an individual.

In stating the second stage test, DP Forgie followed generally accepted reasoning in Australia and New Zealand as to whether an individual’s identity “can reasonably be ascertained from” information as allowing reference to extrinsic materials, but only such extrinsic materials as are reasonably available. DP Forgie then gave a striking illustration of how this test might be applied:

“In dealing with a request [by an individual for access to personal information about them] under the Privacy Act, it does not follow that an organisation need scour the public domain to ascertain whether there is information that can be married with the information or opinion it holds in order to ascertain the identity of the individual. What it means is that the organisation must keep in mind what might be matters of general knowledge. If, for example, the information were along the lines of ‘singer and songwriter who died prematurely,’ I do not think that it could be said that the identity of that individual can reasonably be ascertained from that information. If the information were ‘female singer and songwriter who died prematurely,’ I suggest that her identity would also not be reasonably ascertainable. If the information were ‘English female singer and songwriter who was known for her eclectic mix of musical genres of soul, rhythm and blues and jazz but who died prematurely in July 2011’ [Amy Winehouse], I suggest that the identity of the individual can be reasonably ascertained from the information which would be regarded as part of the broad body of general knowledge” (at para 107).

DP Forgie then continued:

“Beyond what might be considered to be general knowledge, I do not think that regard needs to be had to the wide range of information and means of searching information that is available in the public arena in determining whether an individual’s identity is reasonably ascertainable from the information or opinion held in an organisation” (at par 108). This proposition appears overstated: release of purportedly de-identified information into the public arena in circumstances where a motivated intruder could be anticipated as able to apply means of re-identifying an individual is generally regarded as a disclosure of personal information.

The reasoning of the Administrative Appeals Tribunal is both novel and controversial. The Australian Privacy Commissioner had appealed the Tribunal’s Decision to the Federal Court of Australia. A Full Bench of the Federal Court will hear the appeal, probably in August 2016. One possibility is that on appeal the Decision may stand and the Tribunal’s reasoning limited to the specific context before it, namely, working out what information should be made available by a data controller in response to an access request by an individual. In that context, considerations of practicality and cost militate against overly broad disclosure requirements. By contrast, decisions by data controllers to release purportedly de-identified data sets into the public arena, where it may be reasonable to expect motivated intruders to seek to re-identify any individual through use of exhaustive searches or strong analytical techniques, might rightly be subject to a test which imposes a higher level of foresight and control. Of course, the words ‘reasonably ascertainable’ enable a range of context-specific tests to be developed.

As the IoT continues to grow, we may be confident that cases addressing similar questions to those considered in Ben Grubb v. Telstra will arise for determination in many jurisdictions.

[1] available on www.nzlii.org

Peter Leonard is a Partner with Gilbert + Tobin Lawyers in Sydney, and can be contacted at pleonard[email protected]


International Data Privacy Day – in Melbourne!

By Grace Guinto

28 January 2016 is the International Data Privacy Day. The purpose of Data Privacy Day is to raise awareness among businesses and consumers about the importance of protecting the privacy of their personal information, new trends/regulations in the privacy realm and to promote privacy and data protection best practices.

In honour of Data Privacy Day, a Privacy After Hours event in Melbourne was held at the Campari House (23-25 Hardware Lane), which was coordinated and hosted by PwC in conjunction with the global IAPP organisation and local iappANZ team. The event was a great way to connect the local privacy professionals and members of the iappANZ, and enable local privacy professionals to network, discuss the latest hot topics in the privacy realm and most importantly, to get to know others who are working in this space locally. It was a great evening with a diverse group of privacy professionals attending the event, ranging from local Victorian government organisations' representatives, legal professionals, information technologists, and consulting firms, who have a range of experiences working locally and abroad in the US, Canada and UK. It was a fun night where everyone enjoyed a relaxing Melbourne evening of beer, nibbles and privacy related wit.

Grace Guinto is a Director at PricewaterhouseCoopers in Melbourne and can be contacted at grace.g[email protected]


Employment opportunities for privacy professionals

News about employment opportunities is provided as a service to iappANZ members. If you would like a notice about employment opportunities at your organisation published in Privacy Unbound, please contact our editors (see details on last page).

CAREER OPPORTUNITY

JOB TITLE: PRIVACY ADVISOR

LOCATION: SYDNEY CBD AREA

JOB NUMBER: 973926

• Career move with Australia's Leader in Financial Services
• World Class Facilities based in Sydney CBD

Here is a great opportunity for an experienced Privacy Advisor to grow their career with the market leader.

Are you currently in a Consulting or Legal Firm or Policy Advisor role in Government and looking to build on your privacy experience in a commercial role on the client side? If so, this could be the career move that launches your career.

What will be your responsibilities?

Reporting to the Portfolio Manager – Digital Trust & Privacy, this role delivers Privacy Impact Assessments and privacy assurance services to the Bank. Responsibilities include:

• Conducting Privacy Impact Assessments and providing other privacy assurance services to customers within the Bank;
• Working with business to design data privacy requirements in systems, projects, products and services;
• Providing SME support to internal customers through meetings and written communication and advice;
• Undertaking ad hoc research and assisting with strategies to drive the digital trust agenda;
• Maintaining awareness of new privacy and network security laws and regulations as well as industry best practices and integrating these into technology and business processes;
• Monitoring legal and policy data privacy developments in countries where the organization operates;
• Enhancing relationships with key stakeholders, internal and external; and
• Participating in and maintaining relationships with industry networks and associations.

Your new team

The Digital Trust & Privacy Team is an integral part of the Digital Protection Group (DPG), which has as its mandate the protection of the CBA Groups' (the Group) platforms, systems, data, assets and reputation from security, privacy, trust and operational risks. Further, the DPG is charged with leveraging our capabilities in the security, privacy and operational risk to create innovative and market-leading products and capabilities, preparing and protecting the Group for our digital future.

The team provides practical privacy advice to teams across the Bank and the Group. Our purpose is to support the Bank in embedding privacy best practice into its DNA as well as leading strategic initiatives that will enhance the Bank's position of trust with customers and the community. The role the team plays is crucial to Bank securing a leading place in the Digital Future.

What are we looking for?

We expect you will have sound experience within Financial Services or another large corporate or leading technology provider, or in a legal or policy advisory practice with recent and extensive experience in privacy and data security. You will of course possess strong knowledge and understanding of current industry practices, laws and regulations as they apply to privacy and data protection. You will be a good communicator with a strong customer focus and demonstrated commercial acumen and experience in service delivery.

At CommBank each of us globally is dedicated to offering outstanding service, excellent advice and intuitive solutions to help our customers manage their finances in the ways they want to.

Regardless of where you work within our organisation, your initiative, talent, ideas and energy all contribute to the impact that we can make with our work. Together we can achieve great things. Sound like you?


Apply now to take the next great leap forward in your Privacy career!

For any enquiries please call Deepti Sondhi in the Talent Acquisition team on 0409 864 396

USEFUL LINKS:

SANS Institute: Director, Business Development (Australia)

Locations: based in Melbourne and Sydney

Job title: Director, Business Development (Australia)

Company: SANS Institute

Closing date: COB 1 May 2016

Location: Home-based role. Melbourne or Sydney preferred, other locations considered.

Job description:


To support the continued growth of our programs in Australia and the Asia Pacific region, SANS is seeking to expand our APAC team with the creation of a new role - Business Development Manager (Australia). Reporting directly to the Director, Asia Pacific in Australia and the Managing Director, APAC, the Business Development Manager will work closely with our existing APAC team to:

• Develop new business and relationships with customers in State/Territory and Federal Government agencies, banking and finance, telecommunications, professional services, defence industry and/or ICT security sectors.
• Generate significant new revenue and support business profitability through direct sales and business development activities.
• Manage existing key customer relationships and other partnerships in Australia in order to grow business.
• Develop and implement marketing strategies to drive revenue growth in Australia using email, print, web and social media.
• Support our local operations as required through contributions to local event logistics and student administration.
• Propose other initiatives to strengthen SANS market profile in assigned markets and sectors.

To succeed in this new role, the Business Development Manager will have:

• Demonstrated success in sales and business development with customers in Government agencies and/or commercial enterprises in industry sectors with an interest or capability in cyber security.
• An extensive network of existing relationships on which to draw in order to engage new business.
• A commitment to excellence in customer service and relationship management.
• A willingness to tackle all the challenges of local service delivery as part of a small, high-performing team, and to travel within Australia (extensively) and the APAC region (occasionally) for business development activities.
• A collaborative, enthusiastic, team-focussed approach to achieving results and contributing to business success.
• The right to work in Australia, with 5 years or more of recent residence in country and knowledge of the local market conditions.
• A satisfactory outcome from all pre-employment background and police history checks we will perform during the selection process.

How to apply details:

For a confidential discussion about the role and how to apply, please call Steven Armitage (Country Director, Australia) on 0402067768, or email [email protected].

Further Information:

About the SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted, and by far the largest source for world-class information security training and security certification in the world offering over 50 training courses. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 25 hands-on, technical certifications in information security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community. (www.SANS.org)


iappANZ’s writing prize 2016: entries have opened!

Entries have now opened for this year's writing prize for an article that is published in our monthly Journal editions from February to October 2016. Anyone can enter (you don't have to be an iappANZ member), simply by writing and submitting an article between 500-1500 words that tells us something interesting, new and relevant about privacy.

All articles must be submitted by email, preferably in Word, to [veronica.scott@minterellison.com or an iappANZ email] by 20 October 2016. We will need the author's email address and contact number. You can submit as many articles as you like.

The winner will be announced at our Privacy Summit in November 2016 and their name and details will be published on our website. We also hope to profile the winner in our Journal. So alert your network and get writing!

More details about the writing prize if you are interested:

• Our Editorial team, Veronica Scott, Carolyn Lidgerwood and David Templeton, plus President Kate Monckton and Past President Malcolm Crompton, will decide on the winner whose article they judge to be the most interesting, original and relevant to our members.
• Some people won't be eligible for the prize (sorry!). They are: iappANZ board members, contractors and employees and their family members.
• After the winner is announced we will notify them and arrange for the prize to be delivered to them if they are unlucky enough not to be at our Summit.
• There will (sadly) be one prize only. Its value is AUS$300, so that’s pretty good really.
• We may need to verify the winner's identity so we don't give the prize to the wrong person.
• If the prize is not claimed for any reason (and we hope this won't happen) the author of the runner-up article as judged by the Editorial team will receive the prize.

To make sure things go smoothly and fairly (and we are sure they will) we just have to say that our decision in relation to any aspect of the award of the prize, including the content and publication of submitted articles, is final and binding and not up for discussion.


Privacy Events

SYDNEY

Where and when: Thursday 31 March, 4.00 – 6.00pm, Gilbert + Tobin, L37, 2 Park Street, Sydney 2000

Event details: iappANZ Training Workshop. Mandatory Data Breach Notification Law: What is being proposed and impacts. Speakers to be announced - check iappANZ.org for more details

Price: FREE to iappANZ members; $99 incl. GST for non-members

MELBOURNE

Where and when: April, Date TBC, 3.30pm for 4.00pm start – 6.00pm, Minter Ellison, Rialto Towers, 525 Collins Street, Melbourne 3000

Event details: iappANZ Training Workshop. Mandatory Data Breach Notification Law: What is being proposed and impacts. Speakers to be announced - check iappANZ.org for more details

Price: FREE to iappANZ members; $99 incl. GST for non-members

BRISBANE

Where and when: Thursday 14 April, 12.00pm for 12.30pm start – 2.00pm, Corrs Chambers Westgarth, Level 42, 111 Eagle Street, Brisbane 4000

Event details: iappANZ Training Workshop. Mandatory Data Breach Notification Law: What is being proposed and impacts. Speakers to be announced - check iappANZ.org for more details

Price: FREE to iappANZ members; $99 incl. GST for non-members


IAPP Certification

Privacy is a growing concern across organizations in the ANZ region and, increasingly, privacy-related roles are being made available only to those who can demonstrate expertise. Similar to certifications achieved by accountants and auditors, privacy certification provides you with internationally recognized evidence of your knowledge, and it may be the edge you need to secure meaningful work in your field.

Our global body, the International Association of Privacy Professionals (iapp) says:

'In the rapidly evolving field of privacy and data protection, certification demonstrates a comprehensive knowledge of privacy principles and practices and is a must for professionals entering and practicing in the field of privacy. Achieving an IAPP credential validates your expertise and distinguishes you from others in the field.'

What certifications are available? Are they relevant to my work here?

The iapp offers six specialised credentials, two of which are particularly relevant to iappANZ members, namely the Certified Information Privacy Professional/ Information Technology (CIPP/IT) and the Certified Information Privacy Manager (CIPM).

To achieve either of these credentials, you must first successfully complete the Certification Foundation. The Certification Foundation covers basic privacy and data protection concepts from a global perspective, provides the basis for a multi-faceted approach to privacy and data protection and is a foundation for the distinct iapp privacy certifications.

What about testing?

Certification testing is available to iappANZ members locally (at iapp-approved computer-based testing centres). The iapp manages certification registrations and materials, and you can set an appointment to sit your exam online at a testing centre in Australia or New Zealand.

FIND OUT MORE at: http://www.iappanz.org/index.php?option=com_content&view=article&id=34&Itemid=5


Our contact details

Privacy Unbound is the journal of the International Association of Privacy Professionals, Australia-New Zealand (iappANZ), PO Box 193, Surrey Hills, Victoria 3127, Australia (http://www.iappanz.org/)

If you have content that you would like to submit for publication, please contact the Editors:

Veronica Scott ([email protected])
Carolyn Lidgerwood (carolyn.lidgerwood@riotinto.com)
David Templeton ([email protected])

Please note that none of the content published in the Journal should be taken as legal or any other professional advice.