Three actions you can take towards compliance

Five-article series: Big data privacy in Australia
Article 5: Big data and privacy
There are three actions organizations can take to help manage big data and privacy: a big data privacy impact assessment, a privacy management framework built on privacy by design, and an information security risk assessment. Big data fundamentally changes the way information is gathered, stored, used, altered and managed, and it is vital to consider these differences in order to protect effectively against breaches or regulatory issues in the future.
Big data privacy impact assessment
A big data privacy impact assessment (PIA) will help you identify the privacy risks of your proposed use of big data and what is required to mitigate them. It can highlight how personal information flows through a project or organization, the possible impacts on privacy and how to avoid, minimize or mitigate them, and how to build “privacy by design” into projects to ensure compliance.
Big data privacy in Australia | Three actions you can take towards compliance
From a regulatory point of view, performing a PIA
is critical to demonstrating that organizations have
considered all of the risks associated with big data,
and how these risks will be mitigated, prior to the
initiative being implemented.
Beyond compliance, from an operational risk perspective, performing a big data PIA can avoid “nasty surprises” and ensure that the appropriate controls and processes have been considered up front.
Big data privacy management framework: privacy by design
Effective privacy governance provides the “top down” guidance for privacy management, including for big data initiatives. The PIA provides the “bottom up” view of where the data is and what it is being used for, as well as the process and technology controls, including security controls, in place to ensure privacy compliance.
Other important considerations for any big data initiative include staff culture, training and awareness (people are usually the weakest link), your reliance on third parties (particularly if your big data initiative involves vendors or cloud technologies) and incident management. What would you do if something went wrong? How would you deal with the inevitable media and customer fallout? Finally, how would you ensure on a regular basis that these controls are all operating effectively, for example through your internal risk management teams or internal audit?
The aim of a privacy management framework is to help organisations develop good privacy governance. That can lead to improved business productivity, more effective business processes, better risk mitigation, and better management of and response to privacy breaches should one occur.
Personal information is a valuable asset in many
organizations and embedding a respectful culture
around privacy will help you build a reputation that
inspires trust and confidence, in addition to meeting
your legal obligations.
There are four main steps to develop a privacy management framework, as outlined by the OAIC. How each step is undertaken, and by whom, will depend on your specific environment. Broadly, the steps are:
• Embed a culture of privacy that supports compliance.
• Establish robust and effective practices, procedures and systems, including up-to-date, clear policies for personal information management.
• Evaluate your systems, procedures, processes and practices to enable ongoing effectiveness and compliance.
• Enhance your response to privacy issues.
The OAIC outlines each step in detail and what should be done to develop this framework.
Information security risk assessment
Data breach in some form is now inevitable for organizations today. A successful hack or an unwitting data leak is a matter of when, not if. Advanced organisations are building on preventative controls (e.g. access controls) with detect-and-respond controls, such as holistic security monitoring and incident response procedures.
The more personal information you collect and aggregate as an organization, the greater your security obligation under APP 11 (security of personal information): the “reasonable steps” it requires scale with the volume and sensitivity of the information you hold.
An information security risk assessment can help identify potential problem areas within your organization and allows you to address and secure these before a breach occurs. It is more specific than a PIA because it focuses on identifying and evaluating the risks, threats and problem areas relating to the information itself. Which framework and methodology suit you will depend on your environment.
The elements to consider, no matter what the framework or method, include:
• Data quality, information security and data accuracy.
• Whether the data can be effectively anonymised or de-personalised, which would remove the need for ongoing privacy compliance. Treat this as a question to test rather than an assumption: de-identified data that can be re-identified by linking it with other data sets is still personal information.
• Assessing the third parties that you share information with or source information from.
• Knowing your requirements, especially where analytics creates new personal information (for example by deriving attributes about an individual) or re-identifies individuals.
• Using encryption to protect personal information at rest and in transit, and pseudonymisation (such as keyed tokens) where identities need to be masked in analytics data sets. Data that you can decrypt or re-link remains personal information in your hands.
• Taking reasonable steps to destroy or de-identify personal information once it has been used for the notified purpose for which it was collected.
• Access and prevention
  • Limit internal access to personal information to those who require it to do their job (i.e. access on a ‘need to know’ basis).
  • Maintain a chronological and detailed audit trail of all user access to personal information, including denied attempts.
  • Install network intrusion prevention and detection systems.
  • Run regular penetration testing on the enterprise data warehouses to identify vulnerabilities.
• Response planning
  • Effective security monitoring procedures to identify unusual behaviours on your network that could be indicative of a breach.
  • Develop a clear response plan in case of data breach (and train staff on it).
  • Review your information security controls once risks have been uncovered to protect against further exposure.
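The de-identification, re-identification and masking items in the list above are easier to judge with a concrete check. The following is an added example, not code from the article or from EY: it takes a constructed four-row extract (phone numbers, dates of birth, postcodes and diagnoses are invented), shows that an unkeyed hash of a phone number is recovered by simply enumerating candidate numbers while a keyed HMAC token is not, shows which rows can be singled out by their quasi-identifiers, and builds a release extract that tokenises the identifier, generalises the quasi-identifiers and suppresses rows that still sit in a group smaller than k. The key, field names and thresholds are assumptions.

```python
"""Pseudonymisation and re-identification checks for an analytics data set.

Added example, not from the original article. All records, keys and field names
below are constructed for illustration.
"""
import hashlib
import hmac
import itertools
from collections import Counter

# Constructed sample extract: phone is a direct identifier, dob and postcode are
# quasi-identifiers, diagnosis is the sensitive attribute analysts want.
RECORDS = [
    {"phone": "0412000001", "dob": "1984-03-09", "postcode": "2000", "diagnosis": "A"},
    {"phone": "0412000002", "dob": "1984-03-09", "postcode": "2000", "diagnosis": "B"},
    {"phone": "0412000003", "dob": "1991-11-30", "postcode": "3000", "diagnosis": "A"},
    {"phone": "0412000004", "dob": "1975-06-21", "postcode": "6000", "diagnosis": "C"},
]

# Assumed custodian secret; in practice it lives in a KMS/HSM, never beside the data.
KEY = b"example-custodian-key-do-not-reuse"


def naive_pseudonym(value: str) -> str:
    """Unkeyed SHA-256. Looks anonymous, but a phone number has little entropy,
    so anyone can rebuild the mapping by hashing every candidate number."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """HMAC-SHA256 token. Consistent across extracts (so joins still work) but
    cannot be enumerated without the key. Whoever holds the key can still
    re-link the token, so the custodian's copy remains personal information."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reidentify_by_enumeration(token: str, prefix: str = "041200", digits: int = 4):
    """Attacker's view: hash every number in a plausible range and compare.
    Returns the recovered phone number, or None if no candidate matches."""
    for tail in itertools.product("0123456789", repeat=digits):
        candidate = prefix + "".join(tail)
        if hmac.compare_digest(naive_pseudonym(candidate), token):
            return candidate
    return None


def group_sizes(rows, keys):
    """How many rows share each combination of quasi-identifiers."""
    return Counter(tuple(r[q] for q in keys) for r in rows)


def min_k(rows, keys):
    """Smallest group size (k-anonymity). k == 1 means someone can be singled out."""
    sizes = group_sizes(rows, keys)
    return min(sizes.values()) if sizes else 0


def singled_out(rows, keys=("dob", "postcode")):
    """Rows whose quasi-identifiers are unique, hence re-identifiable by linking
    the extract with any other data set that carries the same attributes."""
    sizes = group_sizes(rows, keys)
    return [r for r in rows if sizes[tuple(r[q] for q in keys)] == 1]


def generalise(record):
    """Coarsen quasi-identifiers: full date of birth -> year, postcode -> region."""
    return {
        "birth_year": record["dob"][:4],
        "region": record["postcode"][:2],
        "diagnosis": record["diagnosis"],
    }


def release(records, key, min_group=2, keys=("birth_year", "region")):
    """Build an analytics extract: drop the direct identifier, replace it with a
    keyed token, generalise quasi-identifiers, then suppress any row that is
    still in a group smaller than min_group."""
    rows = []
    for r in records:
        row = generalise(r)
        row["token"] = keyed_pseudonym(r["phone"], key)
        rows.append(row)
    sizes = group_sizes(rows, keys)
    return [r for r in rows if sizes[tuple(r[q] for q in keys)] >= min_group]


if __name__ == "__main__":
    print("naive hash recovered:", reidentify_by_enumeration(naive_pseudonym("0412000004")))
    print("keyed token recovered:", reidentify_by_enumeration(keyed_pseudonym("0412000004", KEY)))
    print("rows singled out by dob+postcode:", len(singled_out(RECORDS)))
    out = release(RECORDS, KEY)
    print("released rows:", len(out), "min k:", min_k(out, ("birth_year", "region")))
```

Two rows survive the release because generalisation alone still leaves two people singled out; suppression is what brings every remaining group to k = 2. The keyed token is the part that keeps joins working for analysts, and it is also why the custodian cannot treat its own copy as anonymised.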
The OAIC also provides a detailed guide on securing
personal information which may be helpful in your
organization.
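The access, audit trail and monitoring items above are three halves of one control: need-to-know enforcement, a record of every read (allowed or denied), and detection run over that record. The following is an added example, not code from the article, the OAIC or EY. It defines a small store of constructed records with role-based field access, logs every attempt, and runs three simple detections over the trail: bulk access by one user within an hour, repeated need-to-know denials, and after-hours reads. The roles, field names, thresholds and the day's activity are assumptions made for the example.

```python
"""Need-to-know access to personal information, an audit trail of every read,
and detection of unusual behaviour over that trail.

Added example, not from the original article. Roles, field names, thresholds and
the scenario below are assumptions constructed for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Need-to-know: which personal-information fields each role may read.
ROLE_FIELDS = {
    "claims_officer": {"name", "policy_id", "claim_amount"},
    "marketing_analyst": {"postcode", "age_band"},
    "dba": set(),  # administers the platform; no business need to read record contents
}


@dataclass
class AuditEntry:
    ts: datetime
    user: str
    role: str
    record_id: str
    field_name: str
    allowed: bool


@dataclass
class PersonalInfoStore:
    records: dict
    audit: list = field(default_factory=list)

    def read(self, user, role, record_id, field_name, ts):
        """Enforce need-to-know and record the attempt, allowed or not.
        Denied attempts are logged too: they are the first sign of probing."""
        allowed = field_name in ROLE_FIELDS.get(role, set())
        self.audit.append(AuditEntry(ts, user, role, record_id, field_name, allowed))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {field_name}")
        return self.records[record_id][field_name]


def read_is_denied(store, user, role, record_id, field_name, ts) -> bool:
    """True if the read was refused by the need-to-know check."""
    try:
        store.read(user, role, record_id, field_name, ts)
    except PermissionError:
        return True
    return False


def detect_unusual(audit, max_records_per_hour=50, max_denied=3, business_hours=(7, 19)):
    """Three simple detections over the audit trail, returned as (kind, user, detail):
    bulk_access: one user touching more distinct records in an hour than a human
        workload would, the signature of a mass export;
    repeated_denied: a user repeatedly hitting need-to-know denials;
    after_hours: any attempt outside business hours."""
    alerts = []
    denied = Counter()
    per_hour = defaultdict(set)
    for e in audit:
        if e.allowed:
            hour = e.ts.replace(minute=0, second=0, microsecond=0)
            per_hour[(e.user, hour)].add(e.record_id)
        else:
            denied[e.user] += 1
        if not business_hours[0] <= e.ts.hour < business_hours[1]:
            alerts.append(("after_hours", e.user, e.ts.isoformat()))
    for (user, hour), ids in per_hour.items():
        if len(ids) > max_records_per_hour:
            alerts.append(("bulk_access", user, f"{len(ids)} records in hour {hour:%H:00}"))
    for user, n in denied.items():
        if n >= max_denied:
            alerts.append(("repeated_denied", user, f"{n} denied reads"))
    return alerts


def alert_kinds(alerts):
    """Count alerts by kind, handy for asserting on a scenario."""
    return Counter(kind for kind, _, _ in alerts)


def run_scenario():
    """Constructed day of activity against 200 fictitious records."""
    records = {
        f"r{i}": {"name": f"Person {i}", "policy_id": f"P{i}", "claim_amount": 100 + i,
                  "postcode": "2000", "age_band": "30-39"}
        for i in range(200)
    }
    store = PersonalInfoStore(records)
    base = datetime(2016, 5, 3, 10, 0)
    # Normal: a claims officer works five claims during the morning.
    for i in range(5):
        store.read("alice", "claims_officer", f"r{i}", "claim_amount", base + timedelta(minutes=i))
    # Bulk: an analyst pulls postcodes for 120 distinct records inside one hour.
    for i in range(120):
        store.read("bob", "marketing_analyst", f"r{i}", "postcode", base + timedelta(seconds=i))
    # Probing: a DBA keeps trying to read names and is denied each time.
    for i in range(4):
        read_is_denied(store, "carol", "dba", f"r{i}", "name", base + timedelta(minutes=10 + i))
    # After hours: one in-role read at 23:00.
    store.read("alice", "claims_officer", "r7", "name", datetime(2016, 5, 3, 23, 0))
    return detect_unusual(store.audit)


if __name__ == "__main__":
    for alert in run_scenario():
        print(alert)
```

The scenario yields one alert of each kind: the analyst's 120 postcodes in an hour, the DBA's four denials, and the single 23:00 read. The thresholds are deliberately crude; in practice they are set from each role's observed baseline, and the point of logging denied attempts is that the repeated_denied detection has nothing to work with otherwise.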
Additional articles in this series
Big data and privacy is a serious
organizational consideration for
anyone using big data analytics.
This five-article series will help you
understand some of the risks, technical
considerations, actions to take
and assessments to consider when
addressing big data and privacy.
The series includes:
• Big data and privacy: an overview
• Big data and privacy: know the risks
and be in a position to respond fast
• Big data and privacy: tips to help shape
your future capability
• Big data and privacy: assessment areas
to protect personal information
EY | Assurance | Tax | Transactions | Advisory
EY’s holistic approach to big data and privacy
This series of articles provides a holistic view of the big data and privacy, information security and data sovereignty issues facing global organizations today. Addressing them requires both strategic thinking and tactical action across multiple business domains, including data and analytics, law and risk.
In response, we have combined the expertise of partners from these three competencies within EY to provide this rounded, whole-of-business view. For more information on big data and privacy, contact the following contributing partners:
About EY
EY is a global leader in assurance, tax, transaction and
advisory services. The insights and quality services we
deliver help build trust and confidence in the capital
markets and in economies the world over. We develop
outstanding leaders who team to deliver on our promises
to all of our stakeholders. In so doing, we play a critical
role in building a better working world for our people, for
our clients and for our communities.
EY refers to the global organisation, and may refer to
one or more, of the member firms of Ernst & Young
Global Limited, each of which is a separate legal entity.
Ernst & Young Global Limited, a UK company limited by
guarantee, does not provide services to clients. For more
information about our organisation, please visit ey.com.
About EYC3
eyc3.com | ey.com/analytics
EYC3 creates intelligent client organizations using data & advanced analytics. Our team of data scientists, analysts, developers, business consultants and industry professionals work with clients at all stages of their information evolution. We implement information-driven strategies and systems that help grow, optimize and protect client organizations, and create a lasting culture that encourages people to use information creatively and intelligently to improve business outcomes.

Conrad Bates
Managing Partner, EYC3, data and advanced analytics
[email protected]
C3 Business Solutions Pty Ltd

Alec Christie
Partner, EY Digital Law, privacy law
[email protected]
Ernst & Young Law Pty Limited

Charlie Offer
Partner, EY CyberSecurity, advisory and risk
[email protected]
Ernst & Young Services Pty Ltd

© 2016 Ernst & Young, Australia. All Rights Reserved.
ED None. M1629993.
This communication provides general information which is current at the
time of production. The information contained in this communication does
not constitute advice and should not be relied on as such. Professional
advice should be sought prior to any action being taken in reliance on any
of the information. Ernst & Young disclaims all responsibility and liability
(including, without limitation, for any direct or indirect or consequential
costs, loss or damage or loss of profits) arising from anything done or
omitted to be done by any party in reliance, whether wholly or partially, on
any of the information. Any party that relies on the information does so
at its own risk. Liability limited by a scheme approved under Professional
Standards Legislation.