Privacy tips for Commonwealth agencies

Introduction

If the reporting of data breaches in online news sources and Office of the Australian Information Commissioner quarterly reports during 2019 is anything to go by, Australian Government agencies continue to perform well relative to the private sector in terms of privacy compliance. However, as some of the data breach incidents which occurred in 2019 in other jurisdictions indicate, agencies must continue to be vigilant in their approach to ensuring compliance with privacy obligations and protecting against data breaches.

For example, in one of 2019’s particularly unsettling international cyber incidents, Ecuadorian authorities began an investigation in September into the leak of approximately 20 million citizens’ personal information – potentially Ecuador’s entire population, plus millions of deceased citizens. The data, exposed online via an unsecured database, reportedly included information that could enable the reconstruction of entire family trees, as well as personal information of millions of children.¹

The next month, a database up for auction on the dark web was reported to contain personal information relating to 92 million Brazilian citizens. Just in case navigating such a large database unaided proved challenging for potential purchasers, the business-savvy perpetrators even claimed to offer a “look-up” service upon request.²

These incidents share a particularly alarming characteristic, even against the backdrop of another bumper year for worldwide data breaches: in both cases, a significant portion of the compromised data, if not all of it, appears to have been gathered from government databases.

Just like the private sector, Australian Government agencies are subject to the Privacy Act 1988 (Cth) and Australian Privacy Principles. However, additional requirements bind Australian Government agencies under the Privacy (Australian Government Agencies – Governance) APP Code 2017 which are practical and tailored to the government context. The intention is that Australian Government agencies should be model organisations in terms of privacy compliance, reflecting the vast amounts of personal information held by agencies.

In this article, we consider three key ways in which agencies can make the most of existing privacy obligations to maximise protection of the personal information entrusted to them, namely privacy impact assessments, vendor security and staff training.

Maximising privacy impact assessments

The Australian Government Agencies Privacy Code requires agencies to conduct a Privacy Impact Assessment for all “high risk” projects, namely projects that the agency reasonably considers to involve any new or changed ways of handling personal information that are likely to have a significant impact on individuals’ privacy.³

During the latest 12 months, Australian Government agencies undertook PIAs in respect of a range of projects and issues. Although they are not required to publish the PIAs which they conduct, agencies must maintain a register of PIAs on their websites.⁴ Some common themes arise from a review of the PIA registers of Australian Government agencies. Agencies are conducting PIAs in connection with large IT projects (often involving the storage of information in the cloud), data sharing and data matching projects, the roll out of new HR, payroll and finance systems as well as customer / user surveys. This is in addition to privacy issues or projects that are unique to a particular agency.

Conducting a PIA in respect of a project that may have a significant impact on individuals’ privacy offers a vital means of embedding privacy considerations at the foundational stage of a new project. We recommend the following for agencies looking to get the most out of their PIAs:

• To avoid privacy issues arising at a stage that is too late to fix a fundamental problem, implement processes to ascertain whether a PIA is required at the early stages of your agency’s overall project planning framework.
• After identifying the need for a PIA, it is important to give careful thought as to who best should participate. To empower teams and help foster a privacy-conscious culture, key project team members should be involved in developing the PIA and the project’s owner should be ultimately responsible for implementing any recommendations. This should be the case even where a PIA is conducted externally.
• Don’t just list a PIA on your agency’s register and move on once the project is underway. PIAs can be valuable tools to help agencies refine their approach to privacy protection, and scope future projects, if they are reviewed and reassessed with the benefit of hindsight.

Know your vendors

Non-corporate Commonwealth entities and prescribed corporate Commonwealth entities must, under the Public Governance, Performance and Accountability Act 2013 (Cth), comply with the Commonwealth Procurement Rules when procuring goods and services. Paragraphs 8.2 and 8.3 of the CPRs require those entities to establish mechanisms for identifying and managing risk when conducting procurement, including through the application of the Australian Government’s Protective Security Policy Framework.⁵ Maintaining the confidentiality, integrity and availability of official information is one key outcome of that framework.⁶ The Privacy Act also requires that agencies entering into Commonwealth contracts take contractual measures to ensure that contracted service providers do not engage in acts or practices that would breach the APPs if done or engaged in by the agency.⁷

Undertaking advance due diligence in respect of prospective service providers’ security processes is, of course, crucial. However, regularly reviewing your agency’s relationship with service providers can also help to prevent minor issues escalating into serious incidents. To improve your agency’s position, you may wish to consider expanding contractual provisions to include:

• A right to annually review a service provider’s privacy and security procedures to ensure the service provider is maintaining compliance with all applicable privacy and security requirements as well as the underlying contract
• A requirement that the service provider takes steps to continuously improve its privacy and security procedures, and demonstrates its improvements on a regular basis, and
• A requirement that the service provider designate a specific individual as the security liaison with the agency. This individual should be appropriately trained and qualified to deal with technical queries and should be made available for periodic meetings with the agency’s technical teams, in addition to overseeing the service provider’s compliance with its security obligations under the contract.

Rethinking training

Agencies must conduct privacy education and training as part of new staff induction programs, and take reasonable steps to provide appropriate privacy education or training annually to all staff who have access to personal information in the course of their duties.⁸

According to the Office of the Australian Information Commissioner’s most recent report on the subject, human error accounted for approximately one-third of notifiable data breaches from 1 April to 30 June 2019.⁹ Building employee preparedness is, therefore, a key way to reduce the risk of data breaches occurring.

An effective training program involves different types of knowledge-building. For example:

• Data breaches don’t just arise because of cyber incidents, but may also arise through loss of hard copy files or sending an email to the wrong person. Training programs should motivate personnel to think broadly about data breaches and situate the care of personal information as a core agency value
• Given the particularly acute risk posed by phishing, which accounted for nearly half of all notifiable data breaches during 1 April to 30 June 2019 that were caused by malicious or criminal cyber incidents,¹⁰ consider “spoof” phishing campaigns and regularly circulate warnings in respect of common phishing emails. Remember that follow-up training for staff who fall for fake emails is crucial for any spoof email campaign
• A well-managed initial response is vital when a data breach occurs. Ensure that staff are adequately trained in the essential steps to take if there is an incident. For example, all staff should be aware of how to escalate an incident in an emergency. Data breach simulation exercises are also a practical way to ensure that your key response team is on the same page when it comes to response strategies, and that your agency’s data breach response plan can hold up under pressure.

The last decade has proven time and again that no organisation or agency is immune from data breach incidents. However, taking these measures will put your agency in a good position to not only ensure it complies with its obligations at law, but that, should a data breach occur, its response will be informed, timely and effective.