Australians need to build businesses, cultures and leaders who are as dexterous with data as they are with operations, human resources or finance.
Disruption from consumers, competitors and technology now arrives daily, so leaders need to recognise that this will be the norm for the next 100 years or more and plan accordingly.
Data privacy, also termed information privacy, is concerned with the proper handling of data – consent, notice, and regulatory obligations. Practical data privacy concerns often revolve around:
- Whether or how data is shared with third parties.
- How data is legally collected or stored.
- Regulatory and legislative restrictions.
Data privacy is linked to data security and is governed by legislation covering data privacy in several key countries and in several key industries.
Why is data privacy important?
Data is one of the most important assets owned by a company. With the rise of the data economy, companies find enormous value in collecting, sharing and using data. Companies such as Google, Facebook, and Amazon have all built empires atop the data economy.
Transparency in how businesses request consent, abide by their privacy policies and manage the data they have collected is vital to building trust and accountability with customers and partners who expect privacy. When privacy practices fail, the risks can be high and the negative consequences considerable. Many companies have learned the importance of privacy the hard way, through highly publicised privacy failures.
Personal data privacy also gives an individual the right to be free from uninvited surveillance. To safely exist in one’s space and freely express one’s opinions behind closed doors is a crucial part of living in a democratic society.
Evolving regulation and implications for boards
With increasing scrutiny of personal information, privacy and data security, and with privacy regulations being introduced and strengthened across the world, organisations are becoming increasingly concerned about the burden of compliance and risk. This is largely because Europe’s General Data Protection Regulation (GDPR) is now in effect. But it is also exacerbated by other new global privacy regulations modelled on the GDPR, such as changes to laws in Australia and Japan, and the new California Consumer Privacy Act (CCPA).
In Australia, the Privacy Act (Australia Data Privacy Law 2019) is the one existing law that broadly prescribes how data (specifically, personal information) is used and managed. It does this through the 13 Australian Privacy Principles (APPs).
Under the federal privacy legislation, these rules call on organisations to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs. The Office of the Australian Information Commissioner (OAIC) has published a Privacy Management Framework (PMF), which sets out the steps that it expects organisations to take. Importantly for directors, the first step is for the organisation’s leadership and governance arrangements to create a culture of privacy that values personal information.
Good privacy culture
Directors’ responsibilities in promoting good privacy culture and practice are more important than ever, in light of government pledges to enhance the penalty regime under the Privacy Act (including fines of up to 10 per cent of a company’s annual domestic turnover) and to provide additional funding to the OAIC to conduct regulatory work.
Going beyond personal information, there have been several inquiries, reviews and reports in the mid-to-late 2010s examining the use and availability of data more generally. The most consequential has been the Productivity Commission’s Data Availability and Use Inquiry, which investigated ways to improve the availability and use of public and private sector data.
In response to the final report published in May 2017, the Australian Government has committed to two major legislative reforms with implications for data governance. Firstly, the Government is drafting a new Data Sharing and Release Act (DS&R Act) that will allow government agencies to share public sector data with trusted users in a controlled way, for non-commercial purposes.
Directors of organisations in the not-for-profit and research sectors should ensure that their internal data governance measures align with the requirements for becoming a trusted user. More generally, directors should consider how their organisation is positioned to take advantage of the greater availability of open public sector data.
Secondly, the government is in the process of implementing a new data sharing regime that affects private sector data – the Consumer Data Right (CDR).
The CDR allows consumers to access certain data held about them by businesses and to transfer this to trusted third parties in order to obtain a benefit, such as receiving a better deal or a new service.
The CDR will be introduced on a sector-by-sector basis, starting with banking and followed by energy and telecommunications, with the eventual goal of applying economy-wide. Directors should note that in the first phase, the CDR applies not just to banks, but also to organisations that have been accredited to receive CDR data in order to provide a product or service, as well as to outsourced service providers that handle such data.
The Australian Competition and Consumer Commission (ACCC) is making rules on the rights and obligations of CDR participants that supplement the privacy safeguards introduced by the CDR Bill. Together they have strong implications for data governance:
- Consumers must expressly consent to the transfer and use of their data;
- The privacy safeguards mirror the structure of the APPs but are more stringent in some areas; and
- Schedule 1 to the CDR Rules prescribes specific steps to protect CDR data, including:
  - Having a formal governance framework for managing information security risks;
  - Documenting specific responsibilities of senior management (that is, directors) for the protection and management of CDR data.
These developments are an indicator of the regulatory landscape to come.
European Union General Data Protection Regulation
The European Union General Data Protection Regulation (the GDPR) took effect from 25 May 2018, to harmonise data protection laws across the EU and replace existing national data protection rules. The introduction of clear, uniform data protection laws is intended to build legal certainty for businesses and enhance consumer trust in online services.
The GDPR’s seven principles set out a plan for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.
Some Australian businesses covered by the Australian Privacy Act 1988 (Cth) (the Privacy Act), known as APP entities, may need to comply with the GDPR if they:
- have an establishment in the EU (regardless of whether they process personal data in the EU); or
- do not have an establishment in the EU, but offer goods and services or monitor the behaviour of individuals in the EU.
These privacy laws include some similar requirements. Both laws foster transparent information handling practices and business accountability, to give individuals confidence that their privacy is being protected.
The GDPR and the Australian Privacy Act 1988 share many common requirements, including to:
- implement a privacy by design approach to compliance;
- be able to demonstrate compliance with privacy principles and obligations; and
- adopt transparent information handling practices.
More information on GDPR can be obtained from the Office of the Australian Information Commissioner.
AICD's Director Tool – Data and Privacy Governance
The AICD has joined forces with the Australian Information Security Association (AISA) to publish our latest director tool Data and Privacy Governance. The tool is designed to help directors shape their responsibilities in promoting a good privacy culture.
The 2020 Director Tool on Data Privacy and Governance highlights current privacy compliance obligations affecting boards in Australia, and outlines a performance framework for how an organisation might use and manage data as a key asset. The tool includes boardroom questions to help directors understand and discharge their responsibilities in this critical and growing area of data governance.
Data governance refers to the processes, systems and frameworks for using and managing data to:
- improve an organisation’s internal functioning; and
- help an organisation pursue valued goals and objectives.
Data and privacy governance
Having a clear data and privacy governance framework allows the board to exercise oversight and control over how the organisation uses and manages data as a key asset. Without such a framework, organisations are more prone to mishandle their data, while simultaneously failing to leverage it for new opportunities.
There are three elements of the data governance framework with which directors should familiarise themselves:
- Strong organisational culture;
- Effective structures – board governance, executive leadership, privacy program and accountability; and
- Supporting infrastructure – people, processes, systems and communication.
At the heart of the framework is a strong organisational culture for respecting privacy and using data in a creative and trustworthy way. Such a culture requires an effective structure in order to embed privacy considerations into everyday practice and decision making. An effective structure starts with a board and good governance.
One way to conceptualise data and privacy governance is by using the data and privacy performance (DPP) framework, introduced in the publication The New Governance of Data and Privacy, published by the AICD. While the framework focuses on personal information and compliance, it can readily apply to other valuable organisational data.
How does a board fulfil its role in data and privacy governance?
The time and focus a board dedicates to data and privacy governance will depend on such things as the organisation’s size, the quantity and quality of its data holdings, industry and strategic direction. The basic steps, however, are the same.
1. Foster a culture that values data and privacy
Have the values and risk appetite underpinning data handling been established and communicated throughout the organisation? Is the organisation appropriately equipped and resourced to embed the right culture into its people, systems and processes? What channels does the board use to ensure it knows how data handling is occurring ‘on the ground’?
2. Future-proof the board
How do new data-driven business models and value chains enhance, or threaten, what the organisation is doing? What new technologies can be deployed to enable the organisation to do more with, and to protect, its data assets? What new laws must the organisation adhere to, and what frameworks, standards and guidelines should the organisation take heed of? Amid all the change, what are the attitudes and mindsets of individuals, stakeholders, regulators and lawmakers?
3. Appoint key personnel and hold them accountable
Does the organisation have key data and privacy roles and responsibilities at the operational and leadership levels? How should resources and staff be allocated in terms of compliance (protecting data) and performance (leveraging data) functions? What are the reporting requirements and key performance indicators?
4. Enhance privacy and security resilience
How ready are the board and executive to deal with a data-related crisis? How can the board improve its resilience capabilities, such as change readiness and incident management? Are privacy and security risks accounted for throughout the organisation and in project development? How are third-party relationships managed, secured and assured?
5. Focus on your stakeholders
Does the board consider a wide range of stakeholder perspectives when making decisions about data? Is stakeholder care a key value? Does this align with actual practice, and is it communicated externally? What should the organisation do, or stop doing, to enhance stakeholder trust?