As Australia’s financial institutions assess the increasing risk of a data breach, the consequences of sprawling legacy systems, a data asset mentality and ageing privacy regulation are coming into view.
Recent data breach incidents have revealed a mismatch between the expectations of the Office of the Australian Information Commissioner (OAIC) and the reality of how most organisations operate and manage data. The regulator expects companies to know what customer personal information they hold, where it is and why it was collected. It expects businesses to have processes in place to ensure data is used in a way aligned with what consumers consented to, or would reasonably expect to have consented to, and is deleted when it is no longer required.
This is simply not the case in many of Australia’s financial services institutions – and especially not in our insurers and superannuation funds. These are complex organisations, with thousands of systems in hundreds of locations. Where previously customer data might have sat in a small number of core databases, the proliferation of applications and data access methods such as APIs has spread it across the organisation into many different applications and platforms.
New executives inheriting large-scale environments may be well aware of the issue but unsure of what questions to ask, or where to start to establish their data liability.
Change the data rhetoric
To date, Australian businesses have seen data as the ‘new oil’ with only upside, so an institution’s default position has been to retain data rather than delete it. Keen to extract value from data, concerned about seven years of record retention and without modern privacy laws to force them to think otherwise, institutions have erred on the side of collecting more rather than less information.
This directly contradicts the existing Australian Privacy Principles, which the OAIC is now enforcing more assertively: if you don’t need it, don’t collect it; if you don’t have an obligation to retain it, delete it. The culture is to collect at the front end, but no one is jettisoning or de-risking data at the back end. It’s time to realise that some data sits on the other side of the balance sheet – some data is more of a liability than an asset.
Currently, boards and executives are asking: “Do we have the protections in place to stop a major data leak via a cyber-attack through our data sharing platforms and methods, such as APIs?” This is the wrong question, or at least the wrong first question, because you cannot scope or evidence controls around data you have not located. Leaders should be asking: “How much customer personal information do we hold, where is it, and why are we keeping it?”
Anticipate tougher privacy regulations
The Australian Government is all too aware that, when it comes to controlling and deleting customers’ data, we are behind other countries, in particular the European Union. Attorney-General Mark Dreyfus has already flagged introducing ‘better’ laws to regulate how companies manage the huge amount of data they collect, including significantly greater penalties to incentivise better behaviour, new OAIC powers to resolve privacy breaches and the strengthening of the Notifiable Data Breaches Scheme. This sits alongside the comprehensive review of the Privacy Act announced in 2019, paused during the pandemic and now fast gaining pace. From the scope of the review, it seems likely that Australia could soon have a GDPR-like regime giving individuals direct rights of action to enforce their privacy rights and requiring institutions to transform their approach to data, including building strong links between collection, consent and retention.
This is neither an easy nor simple task in an organisation with thousands of systems like the major banks.
Prepare now to get ahead of the game
Institutions should not wait until the regulator forces them to do something about their data liability issues. The process of transforming how data is collected (including targeted consents, which drive the whole information storage journey), stored, permissioned, used and deleted is not going to happen overnight.
It’s time to start working to:
- Understand your potential exposure – Find out what customer personal information (including sensitive information) you have and where it’s stored. Don’t be surprised at the scale and difficulty of this task given that this information may be in structured, unstructured and co-mingled form.
- Decide how to manage or mitigate it – Beyond record retention obligations, update your retention policies and processes so that you only keep data where a retention obligation applies, or where the value of the information, assessed against privacy requirements, outweighs the risk of a breach.
- Purge all non-essential data – Go back into the archives and apply your new policies to existing data.
- Prioritise putting in specific controls around sensitive systems – Controls are often put in place at a macro level. This is the equivalent of building big walls around the city. Now it’s time to put locks on the doors of the most valuable houses; in other words, implement specific controls to protect the customer personal information you hold. You cannot rely on general controls alone, and the OAIC will expect you to be able to demonstrate traceability between controls and stores of customer personal information: for each store you have identified, which specific controls protect it.
- Rethink your collection process – Stop collecting data by default. Where data is to be kept, assess how and when you are getting consent, and under what circumstances data will be used and deleted. Communicate this to your customers in an easily understandable way.
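The first four steps above (find the data, decide what to keep, purge the rest, trace controls to stores) can be prototyped before any tooling is bought. The following is an added illustration written for this page, not code from the article or from any institution: a small inventory and retention sweep over constructed sample records. The store names, field names, the seven-year window, the legal-hold flag and the control mapping are all assumptions for illustration. Free-text notes are scanned for two kinds of personal information, email addresses and tax file numbers, the latter confirmed with the ATO weighted check-digit rule so that not every nine-digit number counts as a hit.

```python
"""Added example: minimal customer-data inventory, retention sweep and
control traceability check. Illustrative only; all data is constructed."""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Patterns for personal information that hides in unstructured text.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
TFN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")  # candidate tax file numbers
TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)


def is_valid_tfn(candidate: str) -> bool:
    """ATO check: weighted digit sum must be divisible by 11."""
    digits = re.sub(r"\D", "", candidate)
    if len(digits) != 9:
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0


def find_personal_info(text: str) -> list:
    """Return (kind, value) pairs found in free text."""
    hits = [("email", m.group()) for m in EMAIL_RE.finditer(text)]
    hits += [("tfn", m.group()) for m in TFN_RE.finditer(text) if is_valid_tfn(m.group())]
    return hits


@dataclass
class Record:
    record_id: str
    fields: dict                      # structured columns (assumed names)
    notes: str                        # unstructured free text, e.g. call-centre notes
    relationship_ended: Optional[date]  # None means still an active customer
    legal_hold: bool = False


# Structured columns known (by assumption) to carry personal information.
PI_COLUMNS = {"email", "dob", "tfn", "medical_notes"}


def inventory(stores: dict) -> dict:
    """Count personal-information items per store, structured and unstructured."""
    result = {}
    for name, records in stores.items():
        counts = {}
        for r in records:
            for col, val in r.fields.items():
                if col in PI_COLUMNS and val:
                    counts[col] = counts.get(col, 0) + 1
            for kind, _ in find_personal_info(r.notes):
                counts[f"notes:{kind}"] = counts.get(f"notes:{kind}", 0) + 1
        result[name] = counts
    return result


RETENTION = timedelta(days=7 * 365)  # assumed record-keeping window


def retention_decision(r: Record, today: date) -> str:
    """Apply the policy: obligations first, then purge what is no longer needed."""
    if r.legal_hold:
        return "retain: legal hold"
    if r.relationship_ended is None:
        return "retain: active customer"
    if today - r.relationship_ended < RETENTION:
        return "retain: within record-keeping period"
    return "purge"


def sweep(stores: dict, today: date) -> dict:
    return {name: {r.record_id: retention_decision(r, today) for r in recs}
            for name, recs in stores.items()}


def untraced_stores(inv: dict, controls: dict) -> list:
    """Stores holding personal information with no specific control mapped to them."""
    return sorted(name for name, counts in inv.items() if counts and not controls.get(name))


# Constructed sample data: three stores, one of them an uncontrolled export.
TODAY = date(2023, 6, 30)
SAMPLE_STORES = {
    "crm": [
        Record("c1", {"email": "a.nguyen@example.com", "dob": "1980-02-03"},
               "Customer asked about policy renewal.", None),
        Record("c2", {"email": "b.smith@example.com", "dob": "1975-11-20"},
               "Closed account. TFN quoted on call: 123 456 782", date(2014, 1, 15)),
    ],
    "claims_archive": [
        Record("k1", {"medical_notes": "knee surgery 2011"}, "", date(2012, 5, 1)),
        Record("k2", {"medical_notes": "physio claim"}, "Contact: j.doe@example.com",
               date(2020, 3, 1), legal_hold=True),
    ],
    "marketing_export": [
        Record("m1", {"email": "a.nguyen@example.com"}, "", None),
    ],
}
CONTROLS = {"crm": {"field-level encryption", "access review"},
            "claims_archive": {"restricted share"}}

if __name__ == "__main__":
    inv = inventory(SAMPLE_STORES)
    print("inventory:", inv)
    print("no specific control:", untraced_stores(inv, CONTROLS))
    print("sweep:", sweep(SAMPLE_STORES, TODAY))
```

Run as a script it prints the per-store inventory, names the store that holds personal information but has no control mapped to it (the marketing export), and lists which records the policy would purge. The ordering inside `retention_decision` is the point: legal holds and record-keeping obligations are checked before anything is marked for deletion, so a purge run can never outrun an obligation.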
Review roles and responsibilities
Currently, privacy is managed through compliance teams, even though most data protection and security controls sit with the cyber security organisation. This has created a situation where responsibility for privacy can fall through the crack between the two teams, reducing accountability for the protection of the data.
You need to define an operating model for privacy with clear roles and responsibilities, so that all stakeholders understand their contribution to privacy and to protecting customer data. Then identify who will head up your privacy transformation and give them the power and resources to bring the institution with them.