Australian Regulations Evolving to Boost Data Privacy

Australian data protection laws have evolved quickly to regulate business data, which was once hyped by The Economist as the ‘new oil’. The World Economic Forum delivered a reality check, pointing out data is more like gold than oil - it must be mined before it’s useful and is best kept away from criminals.

Australia’s regulators and legislators seem to agree with the World Economic Forum, creating a raft of legislation, new regulatory bodies and frameworks to deal with the fast-changing technology landscape. 

“Regulation is very much behind the art of the possible, when it comes to technology,” says NSW Government Chief Data Scientist Dr Ian Oppermann.

“We need to think carefully about the use of data, cybersecurity and privacy. The real question is what is the risk framework that needs to be in place so we can reach utopia rather than dystopia.”

The arrival of the Consumer Data Right (CDR) in Australia on July 1, 2020, is inextricably linked to privacy and cybercrime prevention regulation in Australia, prompting new government rules. Most of the rules and regulations rely on notifying regulators of breaches.  

The CDR allows consumers to share their personal banking data - which used to be seen as the property of the banks - to land a better loan or credit card deal, creating impetus for financial organisations to invest in data security and privacy practices. (Businesses now need to act as trusted custodians of people’s data, rather than exploiting the riches such data can bring).

Non-technical business stakeholders may once have been able to shut their eyes to the costs and complexity of data handling, but that is no longer an option as the consequences are now too high if privacy or security go wrong. Just ask Landmark White, who estimated they lost $50m after being crippled by a rogue software contractor’s misappropriation of property valuation data.

With Europe’s strict GDPR laws paving the way for Australia’s CDR, there’s no doubt that privacy, data security and rising cybercrime are firmly on boardroom - and government - agendas. Many large companies are investing to voluntarily comply with IT security standard ISO 27001, particularly since APRA has been clear that accountability extends directly to board members who can be held liable for security and privacy risks.

The worry is that small and medium-sized businesses could be left behind and become bigger targets for criminals because they don’t invest in the privacy protections and security they need. So where can we expect the data protection laws to head?

Data protection landscape will shift with privacy and security issues

The Federal Government has made it clear that protecting the economy from cybercrime is a priority, announcing more funding to invest in technical capabilities.

“The regulatory landscape for cybercrime and privacy will continue to evolve with encryption laws, privacy laws moving closer to Europe’s GDPR and the laws that apply to cybercrime continuing to evolve,” explains Dr Surya Nepal, CSIRO Data 61’s senior principal research scientist.

Cybersecurity experts like Blue Bricks CEO Vikram Sareen say Australia is still well behind other countries around the world, but believes there will be a big bubble of investment in security over the short term.

Privacy Impact Assessments are a business tool that’s fast becoming the new black as companies rush to protect themselves from growing crime and privacy risk exposure. CSIRO Data 61’s Dr Nepal says the most important thing is for businesses to invest in protecting their core data and intellectual property.

“Define your core data - this might be your business IP, your stakeholder information ... it’s not only customers but also suppliers and your financial information. Even big businesses have a lot of trouble managing this,” he says, arguing businesses must regularly attend to ‘cyber hygiene’ and check who has administrative access to what data.

Dr Nepal hopes AI developments help unleash an affordable “cybersecurity in a box” modem-stye solution that small to medium businesses can plug into their network to monitor threats and data leaks.

“At CSIRO, we think something like this could be a usable security solution that can analyze and alert you to threats in the same way a home security system can alert you to threats, but not necessarily protect you from them,” he says. It will also be more affordable than hiring six-figure security experts to consult for a business.

Government will try to stay ahead of the game

Governments keep trying to regulate at the speed technology shifts and evolves, they are however often held up by the time it takes to build consensus, write and review long reports and follow the process required before they can take action or commit funds.

When it comes to data handling and privacy issues, Dr Ian Oppermann says the Five Safes Framework developed by the privacy regulatory body – the OAIC - is helpful for handling data, and ultimately giving data back to the people who curate it. After all, the general public cannot walk down a city street or catch public transport without the government capturing this data on our behalf.

“Smart Cities” is the commonly used ‘buzzword’ which describes when governments and technology companies partner create new technologies across cities- all in the name of efficiencies. Governments are also likely to continue to create digital-centric brands like “Services Australia” as they attempt to streamline and scale services using digital technology.

Dr Nepal says regulation of the Internet of Things - smart TVs and driverless cars - will be the area to watch.

“The television you buy has energy ratings and the food we buy has health star ratings, but that Smart TV needs a security rating,” he says, pointing out that there is more regulation in buying a child’s toy than buying internet-connected devices.

“Security ratings would be a good direction to go in, but there is a risk it might stifle innovation.”

And there lies the challenge - to make sure regulatory developments protect its citizens without killing the many benefits that data and technology can bring.

ADMA Data Pass is a comprehensive online training program that ensures data handling staff in your business have a clear understanding of data collection, handling, privacy and consent issues. The trust mark can be used to demonstrate to your customers and business partners that you take privacy seriously. Find out more.