GDPR and NDB Scheme - Intersection with the Australian Research Sector - 13 September 2018

Video in TIB AV-Portal: GDPR and NDB Scheme - Intersection with the Australian Research Sector - 13 September 2018

Formal Metadata

Title
GDPR and NDB Scheme - Intersection with the Australian Research Sector - 13 September 2018
Alternative Title
GDPR and NDB Scheme - Intersection with the Australian Research Sector 2018
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date
2018
Language
English

Content Metadata

Abstract
In 2018 the European General Data Protection regulation (GDPR) and Australian Notifiable Data Breaches (NDB) scheme were introduced. The speakers in this webinar will overview these two pieces of legislation and examine how they apply to Research Institutions in Australia. -- Anna Johnston. One of Australia’s most respected experts in privacy law and practice. After serving as Deputy Privacy Commissioner for NSW, Anna founded Salinger Privacy in 2004 to offer specialist privacy consulting and training services. Salinger Privacy offers a suite of privacy compliance tools including template policies and procedures, checklists, online training modules, and eBooks including Demystifying De-identification. -- Samantha Chan from Risk and Compliance at Macquarie University. Samantha specialises in Privacy, Enterprise Risk Management and Fraud and Corruption Prevention. Samantha has implemented a privacy by design approach across the University. -- Professor Katina Michael of the School for the Future of Innovation in Society and the School for Computing, Informatics & Decision Support Engineering at Arizona State University. Katina heads up a Centre on Engineering, Policy and Society. She also holds a dual appointment at the University of Wollongong. -- David Vaile, Executive Director of Cyberspace Law and Policy Centre at UNSW. David's research interests include e-security and IT risk management, personal safety online, digital content regulation, privacy and data protection, communications confidentiality and personal information security, jurisdictional issues, copyright and digital IP, e-health records, and user-centred design. The webinar would be of interest to administrators and policy makers from Research Institutions.
Good afternoon and welcome to our webinar, where we are going to be discussing the General Data Protection Regulation from the EU and the Australian Notifiable Data Breaches scheme. I'm Kaitlyn me and I'm from the Australian Research Data Commons. We are an amalgamation of the Australian National Data Service, Nectar and RDS, which are three NCRIS facilities, and we are funded through NCRIS. If you are interested in information about where we come from and where we're going, please sign up to our newsletter and check out our websites. So I just wanted
to quickly give a disclaimer that all information that we're going to be speaking about today is of a general nature. If you have any specific questions about your situation, you need to seek some legal advice. We have a great range of speakers today for our webinar, and I'm very pleased that we've got all of these experts to be able to speak to you. I'm going to hand over, in the interest of time, straight to Anna Johnston from Salinger Privacy, who is going to start us off today. Thank you,
Kate. Afternoon, or good morning to those of you in the West Coast. I am the director of Salinger Privacy, so we're a specialist privacy consulting, training and publications firm. I come from a legal background but I'm no longer practising as a lawyer, so just bear that in mind. As Kate said, we're not doing legal advice here today, but what I am going to be talking about is the kind of privacy law landscape that applies to researchers or people working around research, and in particular what issues tend to come up most frequently for people working in the research sector. So we, you know, on the consulting side, some of our clients are organizations conducting research projects, or quite often now we're seeing lots of, you know, big data, data analytics, detail kind of program evaluations, these sorts of projects coming up that we get asked to advise on in terms of, you know, the privacy implications of those. And on the training side we also run some workshops on behalf of practice for prax, sorry, for members of human research ethics committees. So on both sides of the business we have a fair bit to do with people working in the analytics and research space. So in this session I'm just going to give a kind of tiny taster of the scope of privacy issues that we see coming up often in this context. So what I'm going to be talking about is, as
I mentioned, the kind of regulatory landscape, and then the most common privacy issues, and the two hot topics we see over and over again are around consent and de-identification of data. A little bit about the new legal privacy developments around GDPR, European privacy law, and that has reached into Australia, and notifiable data breaches, and then kind of what's coming next, and then our other speakers will speak more about those topics. So we have,
if you weren't already aware, we have this kind of patchwork system of privacy laws in Australia. It can start to get quite confusing for a researcher who might be working at an institution covered by state privacy laws, so working or supervised dat at a public university, for example, or within the public hospital system, so they're typically covered by state privacy laws. But then say that researcher might be wanting to access data from an organisation covered by a different privacy law, so the Federal Privacy Act, which covers federal government agencies, most private sector businesses, including particularly the health sector, all private health sector operators no matter how big or small they are. So because we're talking in this, you know, limited time frame we've got today, I'm not going to obviously cover that entire patchwork, but just to recognize that it exists, and in that research space you are often having to navigate across a mixture of state and federal privacy laws. So I'm really only just going to talk today taking as an example the rule from the Federal Privacy Act about using and disclosing personal information. So
Australian Privacy Principle APP 6 regulates how personal information can be used or disclosed. So first of all, if you didn't already know, the definition of personal information is incredibly broad. It's not just what you might consider private or sensitive; it's any information or an opinion about an individual who is either identified or reasonably identifiable. So that is the scope of what's covered by personal information, it's incredibly broad, and the Australian Privacy Principles regulate how organizations handle the personal information that they've got, they're collecting or holding. So if that organisation wants to use or disclose that personal information, it has to follow APP number six, and this would include, let's say, an organization being asked to disclose personal information about its patients, its students, its customers to a researcher who might be from within the organization or somewhere else entirely. So that organization can use or disclose that personal information for a number of different, or under a number of different, grounds. The first is if that use or disclosure is for the primary purpose of collection. So let's say that you are a company that sells jeans: your primary purpose of collecting information about your customers is to sell them jeans. Maybe online you're going to ask what their jeans size is, the kind of jeans they want to buy, then you take some money, you get a shipping address, you send it out to them. That's your primary purpose. Conducting research into what shoppers like about jeans is not part of your primary purpose. The next test is they can use or disclose the personal information for a directly related secondary purpose within the customer's reasonable expectations, so this might include, for example, processing refunds about, you know, jeans that have been returned because they're the wrong size or whatever. And the next reason you can use or disclose personal information is if it is required or authorized by another law, so some other law
says you have to or can use or disclose information in some other way. Or if you can't meet one of those first three tests, then you are looking to either get the person's consent, and we'll talk about in a second what that means, or you need to look for one of a number of public interest exemptions, and there's a whole bunch of other exemptions: national security, law enforcement, find missing person. There's also some research exemptions. So in the context of this rule, some of the common privacy issues I get asked about: first of all, is this data we're talking about even personal information? Because this is a real threshold issue; if it's not personal information you don't need to apply the privacy rules at all. So is it personal information once it's been de-identified? That's one common question. The next is what does consent mean in practice, how do I get it, what does it look like? And then the third one is, well, what does the research exemption say, how do I meet the tests? So on this first question, it won't be personal
information if the data has been de-identified, but what does that actually mean in practice? So I'll mention shortly this GDPR, the new European privacy law. It actually sets a test which is quite tough: it says that privacy law only up, sorry, doesn't apply only if you have rendered the data to a point where no one is identifiable at all from it, whereas the test under the Australian Federal Privacy Act says personal information has been de-identified, and therefore is no longer covered by the privacy rules, if the information is no longer about an identifiable individual or an individual who is reasonably identifiable. So under the Australian test, de-identified data is low-risk but not zero risk of re-identification, so it's not necessarily meeting the same zero-risk test as under European privacy law. So that's something to bear in mind. I think there's a lot of confusion around what de-identification means. Sometimes
it's treated as a noun and sometimes it's just a verb, if you like. So we, and by we I mean Salinger Privacy, our approach is to say de-identification is a process, it's not the end state. So you might use the language to de-identify or to anonymize or to confidentialise; it's to do something to the data to try and break that identifiable link back to an individual. So it's a set of processes; it's not necessarily a promise that it is perfectly anonymous or that there is zero risk of re-identification. So de-identified data means, in my view, data to which a de-identification process has been applied. It's not necessarily a statement that the data is anonymous or free of privacy risk. When de-identification is useful,
it's, you know, its utility is at a number of points. One is if an organization wants to make its data perfectly anonymous, which is obviously hard to do, but the objective might be just to say, well, now we don't need to worry about privacy, or Europeans call that data protection, law at all. But that's, as I said, very difficult to achieve. Other reasons why organisations might want to look at de-identification include minimizing data security risks, so for example when data is in transit between organisations. Sometimes it's building into the design of a new system or a process or a database or a technology or whatever it is, and sometimes it's to allow the secondary use or disclosure of information, which is the most likely scenario in research. So under GDPR, those rules about legitimate interest, it might be easier to meet that test, which will enable you to use or disclose personal information, if you've tried to at least de-identify it. And under some research exemptions, again it differs between states, territories and the federal, but often the human research ethics committee, their approval going forward for that project might require the organization that holds the data to at least attempt to de-identify it before even giving it to the researcher, and almost certainly there'll be a requirement on the researcher to de-identify the results of their research before they publish. Now on to the
question of consent. So remembering back to that rule under APP 6, an organization can use or disclose personal information if they have the subject's consent, the person who the information is about. But consent under privacy law, if you're going to rely on that ground to let you use or disclose their personal information, it's quite, well, the law sets quite a high bar. So to be valid under privacy law, consent must be voluntary, meaning the person was free to say no and not suffer any repercussions. It must be informed and specific, so they need to be told what kind of research is going on here, and it needs to be current, you can't rely on something that's too old, and obviously given by a person with capacity, so difficult for younger children, adults with acquired brain injury, intellectual disability, etc. So in short, consent must be proactive; sometimes this is described as opt-in. Consent will only be valid if, as I said, the person was free to say no and they still chose to say yes, so they have to proactively tick a box to say yes, if you like. It must be as easy to withdraw consent as it was to give it, so if they've said yes and then they change their mind and want to say no, you can only still say that you had valid consent if it was easy for them to turn around and change their mind later. So it can't be a condition of doing business with an organisation. So back to my example: the website that sells jeans online cannot say it is a condition of buying jeans from us that you consent, you know, in inverted commas, for your data to be, you know, used for this research project or to, you know, be shared with Facebook, for example. Consent can only be relied on if the person had the ability to say no and still receive the goods or services, though after buying the jeans in the first place, for example. So you can't, as a researcher you can't get someone's consent, or infer a customer's consent or a person's consent to something, simply because it was included in terms and conditions of a
website they used or an app they downloaded. It can't be buried in a collection notice, it can't be buried in an organization's privacy policy; it has to be a separate, proactive opt-in process that the person has quite actively participated in. However, of course, lots of the time research won't be on the basis of consent, and the research exemptions, so again I'm taking the
Federal Privacy Act example here, often have some rule saying, well, if you can't get consent, which is kind of the gold standard, here's what you need to do next. So a research exemption might say something along the lines of: the researcher needs to demonstrate to the human research ethics committee, for example, that it is impracticable to seek consent, and, again, that standard's set quite high. So the fact that it's just expensive or inconvenient or a hassle or takes some time is usually not enough; the researcher needs to be able to demonstrate that it is going to be at least, in inverted commas, very difficult to find the individuals. So on to new developments in privacy law. So
under, again, the Federal Privacy Act in Australia, since February this year we've had a new law introduced, an amendment to the law, that introduces mandatory notification of data breaches, I'll cover that in a sec, and the other one is, as I've mentioned, the GDPR, the General Data Protection Regulation, which is a European privacy law which has some reach into Australia. So data breach
notification first. So the scope of this
new law: there's three types of organisations covered by this law, meaning if you have a data breach you need to follow these new rules. The first is all organizations that hold tax file numbers. Now this is actually almost every organisation you can think of in Australia, because as employers, as organisations employ staff, they collect tax file numbers about those staff, if nothing else. There's also a whole bunch of organizations that hold tax file numbers for the reasons like banks, superannuation funds and obviously the tax office, but at the very least lots of organizations hold tax file numbers, and they may be caught by this rule in the Federal Privacy Act even if the normal privacy principles under that act don't apply to them. So state, you know, public hospitals, public universities, as I mentioned before, covered by state privacy law, but to the extent that they hold tax file numbers they're also covered by this particular part of the Federal Privacy Act. So that's the first category. The second one is credit providers, credit reporting bodies, not going to talk about them. And then the third is any organizations that are known as APP entities, I'll say what they are in a second, to the extent that they have a data breach involving personal information. So if you are at an organization that has a data breach involving tax file numbers, you'll be covered by this. If you are an organization already covered by the APPs in the Privacy Act, and if you have a data breach involving any kind of personal information, you'll be covered by these new rules. So APP entities
means all Australian Government, federal government agencies, almost all businesses and nonprofits with a turnover of more than three million dollars a year. Then we've also got all private sector health service providers, even if they're under that 3 million dollar turnover rule, any organization that is a contracted service provider to the Commonwealth, again even if their turnover's less than three million dollars, and then some specific organizations covered by anti-money laundering rules, no need to go into that. So what is required? Data breach means
loss, unauthorized access or unauthorized disclosure of tax file numbers, credit information or personal information, those three categories. What makes a data breach notifiable is if that data breach is likely to result in serious harm to more than one, sorry, one or more individuals, and what's required is notification as soon as possible to the Office of the Australian Information Commissioner, this is where the Privacy Commissioner sits, and any affected individuals, and there's some hefty fines for non-compliance.
GDPR has had a lot of hype. This is the new European privacy law. I'm gonna go very quickly through this because I can see the time's already being used up. There's been a lot of hype;
my suggestion is don't believe most of that hype. Lots of people claim it's revolutionary, it's going to, we have to treat European citizens differently. Some people think it requires you to get consent for everything; this is not true. Some people believe it's really easy to get consent, you just put it in your terms and conditions, make people click yes; that's also untrue. And there's a belief that this new right to erasure is going to ruin everything, including make research impossible. So just briefly, GDPR
as an overview: it's an update of existing privacy laws, it hasn't come completely out of the blue, but the big changes, and the reason it gets lots of attention and lots of hype: there are really significant penalties, 20 million euros or 4 percent of global annual turnover. This is aimed squarely at the big tech companies. And this is the other novel part of it: it has extended reach outside of Europe, but this isn't relating to all data about European citizens. What it actually says is, so if you are an organisation in Australia of any size, small business is included, but if you offer goods or services to, so you sell jeans online to people in the EU, or you monitor the behavior of people in the EU, if you're doing that actively, proactively, then you might be covered by GDPR. I'm going to skip over what since
I'm going to go straight to research under
the GDPR. So again, it's not expressed in the same way as our Australian Privacy Principles, but basically it has rules about, we would put it in the language of, there's all sorts of rules about the primary purpose for which an organization might collect and use personal data, as the phrase used in Europe, and as long as you've collected and are using it under one of these grounds, one of which is with consent, but there's five other grounds as well, then it says, well, we've got this idea of compatible purposes that will also be allowed, and this includes research in the public interest. It talks about very much that the default position, however, for protecting privacy during a research activity or project will be to aim for anonymization or at least pseudonymisation. And there's been, as I mentioned, a lot of focus on the right to erasure, but it does not apply to research data. People do have the right to object to their data being used in research, and in that case the organization needs to demonstrate that the public interest in the research project outweighs the individual's right to privacy. So that's
pretty much it from me, except to mention the next big things coming in terms of privacy law in Australia. The federal government, the Department of Prime Minister and Cabinet, is currently drafting a data sharing and release bill. The whole idea is to open up more government-held datasets for research. That bill will establish the National Data Commissioner, though the original version talked about the National Data Custodian, I don't know why there's been a change in that title, but it will be interesting to see how the government sets up the functions and responsibilities of that role. And then we've also got this idea of a consumer data right, so having greater data portability. So just finally from me, from
our company we've got a few different resources that might be of interest or benefit to you, and you can have a look at the slides later, no doubt. So
thank you for listening to my little spiel, and I'll be hanging around and answering questions later. Thanks for
having me. I'm gonna very briefly take you through some of our experiences in dealing with the notifiable data breach scheme in the context of the PageUp breach, so this is from Macquarie University's perspective. Why the
universities need to comply, cuz we're not covered by the Commonwealth, ah yes, sorry, the next couple databases, and yes it is under the showing privacy. And while we are primarily governed by the New South Wales Privacy and Personal Information Protection Act, the notifiable data breach scheme, it's applicable to our controlled entities, and consequently we decided to proactively adopt the scheme. This is in part because of the significant crossover and sisters and people's between the University and controlled entities, and it is very hard for external stakeholders to be able to differentiate between the two, so the council is a consistent approach. So what have we done? So the notifiable data breach response plan at the sub 24,000 certain classes management framework, and it holds the same at floating process as debt zero. So we stole most of the actual plan from the one that's available from the OAIC, which is actually very helpful. So first, step zero: we have four different levels of crisis management in terms of escalation processes. So step, level one: the breach was minor and it might already be contained, and then we already just do a notification, usually a business as usual type our haven't seen a single incident. Level two: it's the breakthrough significance but it's contained; we will notify our crisis management team coordinator, who operationalize our crisis Incident Response Teams as required. Level three: that's an uncontained major incident where the extent is not yet known or the breach is still occurring, so if we've seen some malicious activity occurring on our network, for example, and we're not sure to the extensive which is actually preceded, so we'll inform our crisis management team coordinator as soon as possible and they'll definitely operationalize our crisis response team. Level four: we call that a critical incident, and obviously inform our coordinator, and then we'll operationalize our response team, who will then respond to LBC as well. So an intense investigation team will be
appointed through each of these phases as well when necessary by and expertise. Usually in the case of a data breach we will have their information security manager involved and the privacy officer, so myself. The level that I've just talked through, they also assist in determining the extent of the investigation and the senior management involvement that's required when responding to an incident. They also, within our crisis management plan, they ensure that our communications are consistent, streamlined, and responsibilities and accountabilities are very clearly defined, including where we're going to actually notify that several stakeholders or whether we're going to I'm keeping internal. So since they sit in the background about what
happened to PageUp: on the 23rd of May some malicious activity was detected by PageUp and they launched a forensic investigation quite quickly. PageUp went public with a breach on the 50 G, but they couldn't say at that point whether the client data had actually been compromised at that point. Once the initial forensic investigation was performed it was actually determined that some personal information was impacted, and this included things like contact details, including name, email address, physical telephone numbers; biographical details, so gender, date of birth, middle name if you have one, nationality, and whether you're a local resident at the time of the application; and then employment details as well, so this includes things like the current employment status, company and title. And if your application had gone through to a referee check then some additional details would have been included in that as well, such as your technical skills, I shall feel aside from the team that you're working in, the length of tenure at a company, reason for leaving that position is about, and the links, the relationship between the application, the applicant and the referee. So some of the more critical data such as resume, financial information, your tax file number, and employment reports and contracts, they weren't affected in this instance. PageUp have several different modules where information is stored, so they weren't able to get to these modules, so no that are included in that new set of forms onboarding or performance learning modules were actually affected by that. So then on the 18th of June, once they had confirmation of what was actually potentially compromised, they released the joint statement through the OAIC. So then on the 23rd of June we determined that the breach was also notifiable. We did call the OAIC to determine whether we did have to go through the notification process, so I'm very helpful in walking us through this. There is some guidance from the OAIC website that states that if
there's more than one entity that has been involved in a data breach only one entity needs to notify. However in this instance it was a little bit confusing for and stakeholders, so the applicants, so many of the users in our recruitment systems, and they might have not even been aware that they are affected by the PageUp breach. So in that context we decided that we were going to notify individuals as well, just to make sure that they are aware of what was going on. This included notifying via email around 86,000 affected individuals, quite a few people. The following day we then formed a response team to deal with any queries that came through or any concerns from our prior applicants, so this includes myself, our cyber security manager and also somebody from HR on a diet a business analyst, to make sure we had a consistent approach to responding to all of these queries. This was in part because we thought that there were three possible avenues that they could have gone down if they were fix our concerns. Two emails were included in the actual communication through to the affected individuals, so cyber security and myself, and we needed to make sure that we were consistently responding to them, and if they had actually emailed multiple stakeholders, making sure they had one contact that they were going through. So we had about, we only had about 70 people actually contact us with concern. Most of them were actually requesting that their information would be deleted from PageUp and our additional databases as well. So it wasn't as bad as what we're and what we actually thought, but making sure things were consistent was really key in dealing with how we approach that. So lessons learned: once the initial
period of response since decided to slow down a little bit we conducted a lessons learned meeting to understand what the cousin a little bit better. So first of all, communication: communication is absolutely key. So first of all, PageUp, PageUp were really forthcoming with their communications to us, which assisted in the notification process. However in saying that, it's very handy to be aware of the guidance that some of the others were surviving in being a third party. There were quite a few people who also notified, and each of them had a little bit of a very response in how they were advising their individuals to deal with certain breach. So in this instance some companies actually notified individuals that they could alter their profile themselves and collect the information the profile themselves, but this wasn't something that we had in our profile, and it made of course in frustration to some of our users. So internally we have quite a collaborative working relationship with cybersecurity and HR, so we were really easily able to form a team to respond to this situation and have a unified response to our queries. Also by using our incident and crisis management response we're really clear on who which responsible communication, both to our applicants and to the regulator as well, so we only have one person speaking to the OAIC to make sure we have the same approach the entire way through. So secondly, our flexibility in responses: how you really need to understand that you can to play the ala various legislation. So in particular this time around it was got that we required to retain the applicant information for two years after a job has been filled. However this legislation isn't widely understood by the public. You really need to understand that you ensure you understand their retention requirements and have a local response to those who do want their data deleted. In this instance where people were really concerned we archive their information on some of our
internal systems where their inspection couldn't be this hard deleted the applicants request, and most people are quite happy with that. Thirdly, use the available resources. The OAIC actually has some really good tools on their website, and we did call them on numerous occasions to get some guidance from the notification process. This is the first time we actually have to do it. They also assisted us on making a call whether to notify or not. They helped walk us through how individual stakeholders would actually perceive this data breach and what was going to be required as a notification process. Also there's the notification tool on the OAIC website, which is actually really easy to use and really helpful. Then lastly, make sure that you examine your contractual arrangements. So one key thing that we probably could have done a bit better is having had some the data for twenty comments in our service agreement here tightly refined. So many of the apps individuals on our notification list had applied through the University many years ago, so we probably could have reduced the number of notifications that we actually have to make ideally. So the more information that unnecessarily retained is, the greater the risk it is if you lose it, and to credit the administer dessert and as we learned. So then one of the biggest learning points overall was how interlinked privacy is with many a Maryland processes across the University. It's really key have privacy by design is an approach to ensure situations like this responded to in a timely manner, and ensuring exact across the University they're comfortable with escalation and communication of potential privacy breaches. And I think that's where we have unnoticed a notifiable average plan as a sub plan about this in crisis management framework also indicate how seriously would take these issues. So this all commercial that we had that our communications to external regulators like the OAIC, they're consistent and they're also in line with our
reporting requirements as well.

And just picking up
where we've left off, a great presentation there on PageUp and Macquarie University. We're going to be talking in this session about the rights of people to control their own data, and whether that is an individual consumer, a small to medium enterprise or large business, or actually a government entity, it's all about data rights. Now where does that data reside is a very important question: who stores it and how do they store it, and what kind of agreement is used to transfer that data between say the consumer and the business entity, and potentially one business entity and another, and even a business entity and a government. And that kind of third-party transference is what we're talking about in this era of open banking, of which our next speaker will be talking about. We'll be looking at data portability as stipulated for instance in the GDPR and also in the Australian consumer data right law that's being proposed. How does consent work between a consumer and a third party, how, you know, and what rights does the consumer have to know about what data is stored on them? And we're not just talking about personal information, we're also talking about data relating to consumers. And so we looked at for instance the Facebook and Cambridge Analytica scandals. Sure, consumers can actually download all the data that they've offered up freely on the Facebook platform, but how that data is proactively profiled, how it's matched up with third-party information, wasn't actually made aware to most of the Facebook subscribers on the platform. And when individuals started making requests about their data and its proactive profiling or relationship to advertising, and some would say manipulation, they found a lot more. For instance some people were identified as having 5,000 data points related to their personal information. The other question is how we treat sensitive information in the consumer data right, who the accrediting companies are to allow for that transference of information
and how they become accredited, what consent actually means, whether if a company for example has 250 or more employees and is doing business with the EU, whether they are keeping adequate documentation on the actual databases they are storing of personal information or other information, for example the type of attributes, how long that's going to be maintained for and why it's being kept, and how that information may be shared with other third parties. All this information now has to be documented in good security profile practices, and that's what it's all about: the better our security practices are, the more we can say there'll be less harm on individual consumers. Now on this slide I have identified business data rights and also government data rights. In the US for instance government data rights are as pronounced as consumer data rights, although most people don't believe there is actually adequate privacy here in the States. So a government data right usually takes the form of licensing. Governments then actually owned or have titles to data, but what they do is they offer licensing schemes, particularly for technical data in computer software, and they may contract out to a small organization and say we are going to actually license this out, although it's an exclusive relationship. But back on the consumer data right, increasingly we're going to see utilities wanting to have data portability to ensure perhaps the best price on offer for that individual subscriber and to be able to compare prices between one, you know, provider and another. Companies will have to abide in the consumer data rights by three things: the privacy safeguards that are stipulated in the bill, the Australian Privacy Principles, and, if they do business with the EU, the GDPR. And how to segregate that data will become important to prove and have evidence that actually the company is abiding by the consumer data rights. So I'll probably leave it at that in summation, to give our last speaker some time to talk
about the movement towards open banking, and just to say one of the things that is occurring is that possibly the blockchain may well be one way to facilitate the accreditation and the transference of data between third parties and consumers, to have the right to know what is actually being stored about them. Thank you.

What I'm going to cover is looking at in particular the issues arising out of quote unquote open data, and particularly questions about re-identification that Anna's already touched on, and questions about informed consent that go to that, but I'll be probably presenting a slightly more sort of critical view than some of the others. I start off as someone who's had some exposure to the health research ethics committee, I've sat on that sort of briefly. I've also done reports for the New South Wales and federal governments about sort of open data and those risks, help this foundation of the Center for health informatics and the Data to Decisions Cooperative Research Center, so you know I'm not that much of an outsider in the sense of not being exposed to this, but I do probably come from the consumer or citizen or civil rights advocate sort of perspective. And I think it's important for people on the inside of the data using community, particularly in research, to be aware of their, I suppose, strict legal compliance obligations, but also this is an area where trust is extremely important, and trust depends on being trustworthy. And the real issue is if you do something that ultimately ends up hurting or compromising or damaging the interests of data subjects that you're working for, then that trust disappears very quickly. And so there's an element of this that's about sort of compliance and, you know, reasonable sort of business and research behavior, but there's also an element about being aware of the potential for the loss of trust to have quite serious consequences for both individual research projects but also the capacity to sort of
continue after a particularly large disaster. The next question I would like to touch on, a sort of a preliminary one, is about the terminology and the use of sort of framing words to, I suppose, guide or focus how people think about what they're dealing with. And there's a very brilliant short work called Don't Think About an Elephant by Lakoff, L-A-K-O-double-F. He talks about the use of words to essentially win the debate before you even start, by framing what the sort of mental image or the sort of the narrative is going to be all about. So the particular sort of words that I'm concerned about here are open, as in open data; sharing, which is sort of a concept that's been popularized by say Facebook; and also to a lesser extent the idea of rights. Now I think essentially the problem is that we are not in a fair fight, we're not in a reasonable open sort of discussion about this. We're in a sort of a public sort of domain where what's known as behavioral economics, or the sort of nudge theory of government that to some extent initiative some British of developments, thinks that it's okay to push people in the direction of doing something that you claim to be sort of beneficial without necessarily having an open conscious sort of rational sort of argument about it; if you can just make them more likely to do what you want then that's fine. What this book ends up in is the fiasco that we see now with the My Health Record, which is not actually a clinical record. There the concept of consent is abused because it's not informed and there's no consent involved, but a lot of the messaging behind it, or rather the reluctance to have a messaging that says what it is and what it isn't and to discuss any risks, those sort of things that normally you would expect with informed consent in a, you know, medical or research context, the justification for quite manipulative use of language and of messaging is on the basis of the behavioral economics units trying to
use nudge tactics just to get people to sign up. So my, I suppose, caution is that that is not an isolated incident. When we hear something described as open data, that's a brand that's designed to sort of discourage, I suppose, critical thinking about what it is, in the same way of sharing, in a sense that's used in disclosure without necessarily having the consent of the individual. The open data is often personal information that's been weakly de-identified and re-published without the host taking responsibility. Those sorts of, you know, much longer and less snazzy titles more likely to point attention to the sort of risks and problems you are dealing with, but they're anathema to those who want to essentially use it for PR purposes. Anyway I'll stop the rant on that topic. What I do want to say though is that the use of terms like open data and sharing are not neutral, they're not necessarily accurate, they are sort of part of an attempt to normalize some of the activities there which when you look closely may be problematic. When we're looking at open data there is many types of data. In the report that I did for the Commonwealth, you know, there's lots of stuff that are not sensitive information, that are not personal information, that it's absolutely fantastic to use the sort of ideas from the open source software movement and open content movements of encouraging sort of more relaxed sort of publication and use of that sort of information, rather than insistence on traditional sort of strict proprietary rights to lock things down. And the problem comes around when you look at the sort of information that should not be essentially published to the world as quote-unquote open data, and the obvious one would be personal information. Recently we had a visit from the UN Special Rapporteur on big data and open data, and the forum at that, it was generally considered there was just absolutely no basis for publishing personal information. The real
area of a dispute was basically to what degree can you ever justify publishing unit level data derived originally from personal information, from individual metric medical records. Obviously this is the sort of thing that a lot of the proponents want to do, and there are beneficiaries of this sort of publication, and the problem from my perspective is that re-identification, which I'll come to in just a second, actually is a very serious and profound and long-lasting problem that's only getting worse. And so in that forum at the UN Special Rapporteur I mentioned there was a consensus starting to form the need for great caution about in a sense deprecating or perhaps starting off with the presumption against publishing unit level data derived from sort of personal information. I know this is a realm of continuing sort of discussion and controversy, but probably the message that you might take about sort of open data is essentially to do an audit and an analysis of the risk profiles of the different sort of information, particularly focusing on the possibility of re-identification, and essentially you're doing triage, as you're saying some of these things are pretty well safe, they don't need much attention, there's no sensitivity risks of that data; there's other information that should be left right out and just not touched; and there's the category in the middle that's potentially sensitive information, that there's been a de-identification process that's gone on but there remain question marks about the effectiveness, and that's what I'll talk again at the moment. Just before I get off the open data as a general concept, to me I would suggest in your thinking about it, rather than using the sort of nudge and framing term open data, think of it as poorly de-identified personal information; if you're lucky it might be okay, if not, not. Then that raises the question of risk, and so another point before I look at the detail of the question of the
identification is the nature of risk and risk management. The concern that I have here is that by publication of information as open you end up with risk projected onto the data subject. That risk is often intangible, it's often unclear what it is, it's often a very complex set of circumstances that might manifest it, the person may never know about that, they may never appreciate the harm or discrimination against them or other sort of consequences that may come from that. So if you are saying can I get away with this, so this is the sort of Facebook or Google model of move fast and break things and disruptive innovation and, you know, not wanting to be responsible for stuff, the bad answer is yes, you can probably get away with it because they won't know. That to me suggests that you're not trustworthy. If you're trying to take advantage of your greater control and power and knowledge and the ignorance and sort of supposed lack of technical capacity on the side of the data subject, then you know you're someone who's dangerous. I mean you will get away with it, so Facebook for a long time got away with it until one day they didn't. And so the danger is that if your attitude to risk is that, you know, because it's ambiguous and uncertain and complicated to sort of see how the harm would manifest, and you know we can probably escape, we're not planning to do an audit, we're not asking, we're not going just to check for years and years whether for instance the de-identification is broken, and we think you know we can get away with it, I'll personally be in another job, those are some of the things that seem to come out of some of the reviews that I did, then that's really quite dangerous. On the other hand if you recognize that those are the things that drive the risk and make it worse then that may stop you from going much further. And just mentioning re-identification, the big problem is that it's not a one-off thing. Techniques that were reasonably
effective in the past to make it, you know, difficult to reasonably identify the person afterwards, to re-identify, likely to fall one by one, particularly with the advent of big data, advanced analytics, machine learning, neural networks, artificial intelligence. All of those techniques mean that what was once accepted as probably good enough in terms of de-identification, it's no longer there. Anna mentioned that in Australian terms it's not absolute. What I would suggest is that yes that's true, but the likely risk of future re-identification is only growing, and unless you have an engagement with the global debate about this sort of thing, and unless you're monitoring and auditing and sort of projecting into the future, then it's quite likely you have an under appreciation of that. The final thing I might just mention in passing, the data sharing and Bill and the consumer data right: the issue there is there is no right for the individuals to sue for a breach of privacy, and so these I see as very hostile attacks on what should be remedying that great hole in our privacy law, the fact that you can't sort of pursue that. The right for the consumer data right, that's likely, although it's presented as a right, it's likely to result in pressure to do that sharing. And so it doesn't, and none of those things look to me like they're starting off from a respectful or trustworthy position, that it sounds like they are quite comfortable not to have any of the remedies, but particularly the right to sue for a breach, to be the platform that would give people rights to, you know, use the law that exists already. There are sort of a way around that to ignore individual data subjects current weakness. Anyway look, forgive me for taking up so much of the time.

And thank you for that. One person has asked, is there a source of truth for which countries are GDPR affected, one that we can rely on to be updated if countries leave or join?

I might add, this is Anna, I might answer that. So that everyone is
potentially GDPR affected. So the GDPR is all about the European Union, and there are 28 member states in the European Union, and you can just google what are the countries in the European Union. It also directly applies to the three countries that are in the European Economic Area but not in the European Union, which is Iceland, Norway and Liechtenstein, just to be confusing. But the whole point of the GDPR is that it is supposed to have extraterritorial reach, anywhere in the globe, to any organization that is actively trying to capture data about people who are in one of those twenty-eight countries. So it's not about the citizenship or the residency of your customers, it's where they physically are. So in terms of privacy rights, any of us Australians who go to Italy on holidays, when we are in Italy we are in the EU and we have privacy rights under the GDPR, and if an Australian business is actively trying to target us while we are on holidays in Italy it will have to comply with the rules under GDPR. So there's no definitive list of countries where the GDPR applies other than to say every country in the world, if that organization is actively trying to collect or use data about people who are physically in one of the EU countries.

And it's right and as well that it also depends on where the equipment, the data equipment, is storing the information: is it in the EU, is that outside the EU? And we did see a few companies try to flee Ireland for instance very recently just to escape actually the GDPR, because if it took its servers out. So we are seeing very interesting maneuvers by large transnational corporations taking pieces of equipment, hardware that store information, consumer information, out of the area.

I think into that is that there's also the pragmatic end of it. You're finding that a lot of the large data giants in the US, and some of the smaller businesses, cloud businesses, are recognizing that in effect the GDPR has set the global standard. The US has sort
of vacated the field, that they have not attempted to produce sort of comprehensive rights that in a sense apply to other people, and many industries and businesses are looking at this and saying well we'd better try and comply with the GDPR as best we can because basically we could be touching on Europeans somewhere, so we could be sort of technically subject to that legal jurisdiction, but in any case everybody's heading that way and it makes it simpler and we'll have less trouble if we do; you know, we've got to do it for someone so we might as well do it for all. So in practice there's a larger effect rather than just the narrow specific compliance jurisdiction.

We've also had a question around, I guess it's related to Brexit really: does the GDPR apply to UK and will it in the future when Brexit has completed?

So that's a really good question. So right now it applies to the UK because the UK is one of those 28 member states. The UK has flagged its intention to keep complying with the GDPR and act as if it is one of those countries even after Brexit, but what they haven't yet negotiated is how the UK will be treated by the remaining countries in the GDPR, because one of the rules under the GDPR is all about limiting the cross-border transfer of data. So let's say from Germany to England, will England become a third party country like Australia is, transfer of data from Germany to Australia, and have to start jumping through hoops to allow that transfer to take place? So the UK Information Commissioner's Office is actively trying to negotiate that with the European Commission at the moment, but at least their intention in the UK is to keep applying the GDPR as its form of domestic privacy law even after Brexit.

Okay, one other question was about the notifiable data breaches scheme. Someone has asked if we know of any other universities that have proactively adopted the scheme like Macquarie has. I know that there was quite a few universities that were
affected by the PageUp breach, and Macquarie was certainly not the only University that notified as out of that breach. Are you aware of any other universities that have implemented that? Or if anyone is aware of any, could you pop it in the question box and we'll be able to read that out as well. I know I'm not aranaut. So if there's any other questions that we didn't get to please put them in the question box and we'll address them later through a Q&A document. But I'd just like to thank all of our speakers for making time to come and speak to us today. It was a really interesting set of talks, and I think that the importance of property identification and consent really came through quite strongly. Related to that, the new National Statement on Ethical Conduct in Human Research that's owned by NHMRC came out recently, the revised version, and it has some things to say around identifiability of data, and so that would be another place for people to have a look, and there's new requirements in there around data management and sharing Iraq as well, and we had a webinar on that last week, so if you're interested in that please check out our recording. And I'd also say around open data and personal information that the Five Safes framework that was developed in the UK and that's being implemented both in the UK and in some Australian government agencies and some other places, where they're looking at not only making data safe through some process of de-identification but also looking at a more holistic picture of who is accessing it, where are they accessing it, and are the uses for which they're proposing to use that data appropriate, that Five Safes framework is a really great framework, and it's also being proposed to be used in the new government data sharing and release legislation, so I think that's another really great thing to have a look at in this area. So thank you very much to our speakers, and we will be sending out a recording and our resources and slides to everyone who registered
after this. Thank you for attending.