Big data privacy in Australia

Three actions you can take towards compliance

There are three actions that organisations can take to help manage big data and privacy. Big data fundamentally changes the way information is gathered, stored, used, altered and managed and it is vital to consider these differences to effectively protect against breach or regulatory issues in the future.

  1. Big data privacy impact assessment
    A big data privacy impact assessment (PIA) will help you identify the privacy related considerations for your proposed use of big data and what is required to mitigate those risks.

    It can highlight how personal information flows through a project or organisation, the possible impacts on privacy and how to avoid, minimise or mitigate them, as well as how to build “privacy by design” into projects to ensure compliance.

    From a regulatory point of view, performing a PIA is critical to demonstrating that organisations have considered all of the risks associated with big data, and how these risks will be mitigated, prior to the initiative being implemented.

    From an operational risk perspective, performing a big data PIA can avoid “nasty surprises” and ensure that the appropriate controls and processes have been considered up front.

  2. Big data privacy management framework; “privacy by design”
    An effective privacy governance framework provides the “top down” guidance for privacy management. The PIA provides the “bottom up” view of where the data is and what it is being used for, as well as the process and technology controls (including security) in place to ensure privacy compliance.

    Other important considerations for any big data initiative include staff culture, training and awareness (people are usually the weakest link), your reliance on third parties (particularly if your big data initiative involves vendors or cloud technologies), and incident management.

    What would you do if something went wrong? How would you deal with the inevitable media and customer fallout?

    The aim of a privacy management framework is to help organisations develop good privacy governance, which can lead to:
    • Improved business productivity
    • More effective business processes
    • Better risk mitigation and management of privacy breaches

    Four steps to develop a privacy management framework:

    1. Embed a culture of privacy that supports compliance.
    2. Establish robust, effective practices, procedures, systems.
    3. Evaluate your systems, procedures, processes and practices to enable ongoing effectiveness and compliance.
    4. Enhance your response to privacy issues.

    The OAIC outlines each step in detail and what should be done to develop this framework.

  3. Information security risk assessment
    A successful hack or an unwitting data leak is now a matter of when, not if.

    Advanced organisations are building on preventative controls (e.g. access controls) with detect-and-respond controls, such as holistic security monitoring and incident response procedures.

    The more personal information you collect and aggregate as an organisation, the greater your security obligation under APP 11.

    An information security risk assessment can help identify potential problem areas within your organisation and allows you to address and secure them before a breach occurs. An information security risk assessment is more specific than a PIA because it focuses on identifying and evaluating the risks, threats and problem areas relating to information security.