Overview of privacy by design
Whether it is customer lists, customer preferences, patient medical records or customer financials, personal information and data are the all-important “DNA” of many organisations.
As data volumes increase at an exponential rate and the landscape becomes increasingly complex with the use of third-party service providers, cloud-enabled technology, personal profiling, sophisticated analytics and multijurisdictional data flows, tackling questions regarding privacy can be daunting.
Certain organisations (APP entities) are required to comply with the Privacy Act 1988 (Cth). Key obligations include that such organisations:
- manage personal information in an open and transparent way (APP 1 - Open and transparent management of personal information) (see Understanding the relationship between privacy, cybersecurity and data resilience);
- take reasonable steps to implement practices, procedures and systems that will ensure they comply with the Australian Privacy Principles (APPs) and are able to deal with related inquiries and complaints (APP 1 - Open and transparent management of personal information) (see Implementing a privacy by design approach); and
- take reasonable steps to protect personal information they hold from misuse, interference and loss, as well as unauthorised access, modification or disclosure (APP 11 - Security of personal information) (see Securing personal information across the information life cycle).
Privacy by design is a “whole of business” approach which provides a practical framework for dealing with privacy. It aims to ensure that privacy is considered before, at the start of, and throughout the development and implementation of initiatives, projects, and products or services that involve the collection and handling of personal information.
The concept of privacy by design is not new. However, the requirement for APP entities to take reasonable steps to implement practices, procedures and systems that will ensure they comply with the APPs effectively enshrines in Australian law the principle of “privacy by design”.
The concept of privacy by design is also enshrined in the new European Union (EU) General Data Protection Regulation (GDPR). If these laws apply to your organisation, you will also be required to take a privacy by design approach to compliance. You can read more about the GDPR here as well as our Practical Guidance on the GDPR available here.
In addition, in the context of the mandatory data breach notification scheme which requires an “eligible data breach” to be notified to the Information Commissioner and affected individuals, a privacy by design approach is an essential risk mitigation strategy for organisations to implement. See Identifying whether the data breach notification regime applies to you.
Whether your client or organisation is launching an online payment system, transitioning to a cloud service provider or activating a marketing campaign, privacy by design demands that you consider privacy at the forefront, and not merely as an afterthought.
In this subtopic you will learn:
- the key elements of a privacy by design approach (see Implementing a privacy by design approach);
- how to implement a privacy by design approach (see Implementing a privacy by design approach);
- issues to consider when assessing whether ‘reasonable steps’ have been taken to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure (see Securing personal information across the information life cycle); and
- an overview of the approach of the Office of the Australian Information Commissioner (OAIC) and key considerations when dealing with the OAIC.
This subtopic will be useful for in-house and external advisers:
- wanting to obtain an understanding of the relationship between privacy, cybersecurity and what is meant by “cyber or data resilience”;
- advising on general privacy issues of an organisation and whether they satisfy the openness and transparency requirements of APP 1;
- applying a privacy by design approach to initiatives, projects, products or services that involve the collection and handling of personal information; and
- advising on what constitutes “reasonable steps” for the purpose of APP 11.