Why conduct a privacy audit of your organisation?

Privacy and the use of personal information have been matters of
growing concern for many Australians for a number of years now.
With privacy issues becoming a higher priority for Australian
consumers, many businesses are opting to conduct an
organisation-wide review to ensure that their own data collection,
use and disclosure practices, as well as their data storage,
retention and destruction policies, comply with the Privacy Act
1988 (Cth) (Privacy Act), including the Australian Privacy
Principles (APPs).

Why is a privacy audit important?

With businesses facing increasing compliance costs across the
board, many are asking whether an audit is actually worthwhile. The
short answer is yes. Non-compliance with privacy law is a liability
for an organisation. The civil penalties payable for serious or
repeated interference with an individual’s privacy are not
insignificant and can cost an organisation up to $2,220,000. Those
penalties, however, are dwarfed by the financial cost of cleaning
up after a data breach and the direct and indirect cost of
rebuilding trust with customers. This is to say nothing of the risk
that a class action is instituted by the affected individuals,
which is an increasing trend both here and

What is the trend in penalties and why should this be

The current review of the Privacy Act is considering various
options for increasing penalties for breach of privacy. Two
proposals are to bring the penalties into line with those imposed
under the gold standard General Data Protection Regulation (GDPR)
in the European Union (EU) – the GDPR imposes penalties of up to 4
per cent of annual revenue – or, alternatively, to bring the
penalties into line with those imposed by the Australian
Competition and Consumer Commission (ACCC) for breaches of consumer
law.

In recent years, both the privacy regulator and the consumer
protection regulator have taken action to protect the privacy of
individuals in Australia. This convergence of regulatory activity
means that there will ultimately be more opportunities for
businesses to be subject to enforcement activity. In the US, for a
number of years, the Federal Trade Commission has taken effective
action against privacy breaches under its equivalent of the
“deceptive and misleading conduct” provisions of consumer law.

It would be unsurprising if that were to happen here, particularly
given the ACCC’s interest in digital platforms and the expanding
supply of consumer goods and services through those platforms.
Companies operating outside of Australia are subject to additional
foreign regulations and foreign regulators to comply with. It would
not be unheard of for GDPR regulators in the EU to seek to enforce
against Australian companies. With greater global cooperation in
this space, it seems increasingly likely that failure to
voluntarily comply with mandated standards will result in some form
of penalty through a regulatory mechanism applied by one or more
regulators.

The Privacy Act review is also considering how to better enforce
privacy compliance domestically; for example, whether individuals
should be given a direct right of action against businesses for
breach of privacy and whether additional and better enforcement
powers and mechanisms should be made available. To date, there have
been very few claims by individuals for breach of privacy.

In 2018, a representative action on behalf of several thousand
superfund employees in relation to breaches of their privacy rights
in 2013 failed in an attempt to obtain compensation.[1] However,
that decision was given before the latest amendments to the Privacy
Act and it is likely that a class action taken now would
potentially generate a benefit to claimants. A number of similar
actions taken in the UK and the US are such that privacy-related
class action claims can be considered an emerging risk area for
businesses.

It is far less damaging to an organisation’s reputation to identify
and rectify any non-compliance internally rather than having it
publicly exposed by a data breach or a regulator such as the Office
of the Australian Information Commissioner

Historically, the OAIC has been a somewhat underfunded regulator.
Since the first enforceable undertaking was issued in 2015, there
have only been 10 such undertakings and the number of
determinations is also relatively small. While historically
assessing privacy as a low-risk area of the business may have been
justified, for the reasons set out above in relation to emerging
regulation that situation is changing, and the lessons from the
case studies below are worth learning and triggering the
investment in a privacy

Will the time and cost of an audit be worth the

Two case studies of an external audit provide some lessons for
businesses. Multiple privacy and data security blunders within
government agencies have been exposed in recent years in external
audits conducted by the Audit Office of NSW. We take a look at the
two examples of Service NSW and Transport for NSW, unpack the
systemic contributing factors identified by the Audit Office and
break down the lessons for businesses. While these are government
agencies, a number of the themes and practical issues that arose
are just as common in the private sector.

Case study one: The Service NSW audit following a very public
data breach

In March 2020, Service NSW experienced two cybersecurity attacks
which resulted in third parties gaining access to the email
accounts of 47 staff members, causing a significant breach of
personal customer information contained in those email accounts. In
December 2020, the Audit Office released a report on Service NSW’s
handling of personal information and identified poor data
practices, ineffective privacy mitigation, IT weaknesses and use of
legacy systems and processes as the primary factors contributing to
the data breach. Rectifying and responding to the breach was
extremely costly for Service NSW and was, at the time of the audit,
expected to exceed $30 million. This included spending on legal and
investigative resources and external consultants and did not extend
to the costs of compensation to affected individuals (such as the
cost of replacing licences or passports of affected

Audit findings

The Audit Office made six key findings as to the cause of the data
breaches.

1. Rapid growth had exacerbated Service NSW’s risk

Service NSW had experienced significant growth leading up to the
2020 data breach, both organically and as a result of increased
demands on the agency to facilitate the government’s bushfire and
pandemic responses. By 2020, Service NSW was handling the personal
information, including some sensitive data, of more than 4 million
individuals.

The Audit Office considered that the agency’s “significant and
rapid growth” had “outpaced the establishment of a robust control
environment” capable of responding to privacy risks.

It is vital, as an organisation experiences rapid growth, that it
ensures its privacy plans and responses are continually reviewed
and re-developed to keep up with the organisation’s changing risk
profile.

The Audit Office found that, as Service NSW grew, it faced
increasing demands on its resources which limited its capacity for
revisiting and redesigning business practices. The failure or
inability to take the time and use the resources to ensure privacy
controls were fit for purpose was a theme of the Audit Office’s

2. Service NSW’s privacy controls and responses were

The Audit Office also found that when privacy risks were
identified, the controls implemented to address them were
inadequate. For example, to mitigate the risks associated with
emailing personal information, staff were required to manually
delete emails on a regular basis. The Audit Office considered this
response ineffective and that it would have been preferable to
implement technical solutions, such as a secure mechanism for
transferring personal information, rather than relying on manual
processes and staff training.

3. IT systems suffered from systemic weaknesses

The Audit Office determined that, as Service NSW grew, the cloud
software it used to manage client relationships, Salesforce, should
have been upgraded or replaced to suit the volume and sensitive
nature of customer information increasingly handled by Service NSW.
The report found that the software, while appropriate for Service
NSW’s risk profile when it was first acquired, was not designed for
storing sensitive information or the volume and variety of
transactions that Service NSW increasingly undertook as it

Other IT weaknesses included poor protocols for managing user
access levels. This exposed the agency to a greater risk of
unauthorised access to customers’ personal information. The lack of
multi-factor authentication for accessing Service NSW’s email
system was also considered to have been a key contributing factor
to the breach, because the third party hackers were able to access
the email server more easily. The risk associated with a lack of
multi-factor authentication had previously been identified but not
addressed.

4. Insufficient detail in third party agreements

Service NSW’s agreements with other agencies dealt with privacy in
a very high-level sense and did not assign responsibilities between
the parties. For example, they did not set out which party would
issue a collection notice to customers, how long Service NSW would
retain information, planning for data breach responses or how data
would be stored securely. Assigning responsibilities ahead of a
breach incident ensures both parties can respond quickly and
effectively.

5. The privacy management plan did not reflect the current risk
profile or governance structure

Service NSW had failed to update its privacy management plan to
reflect the variety of transactions and personal information it
increasingly handled. For example, the plan did not include
processes for handling sensitive health information and had not
been updated to reflect governance changes associated with the
incorporation of Service NSW within the Department of Customer
Service (DCS).

6. Service NSW did not regularly review its legacy systems and

While Service NSW adopted a privacy protective approach to
designing new projects, for example, by routinely undertaking
privacy impact assessments, there had been no comprehensive or
regular review of whether the agency’s existing processes posed any
risks to the security of personal information. This meant that
processes such as the scanning and emailing of personal information
were allowed to persist as common practice despite an awareness
that they were risky.

What issues identified here might apply to your business?

Two standout issues are the effects of rapid growth, which for a
business may be organic or by acquisition, and the use of legacy
systems. If through growth legacy systems are asked to do more than
originally planned, they may well not be fit for purpose. In a
privacy context, the security and accessibility of personal
information may fall short of current standards. Stepping back and
interrogating or auditing the system can bring these problems to
light so that they can be managed internally before a problem
arises. However, as the next case study shows, simply identifying
an issue is not enough.

Case study two: Transport for NSW

Public transportation systems, such as those operated by Sydney
Trains and Transport for NSW, are part of the nation’s critical
infrastructure and as such face particular risks of cyberattack. In
2020, the Audit Office undertook an assessment of the agencies’
preparedness for a cyberattack and their compliance with the NSW
Cyber Security Policy, including the quality of their cybersecurity
risk identification and management capabilities. The report found
that cybersecurity risks were not being effectively managed by
Transport for NSW and Sydney Trains. In a self-assessment, the
agencies had failed to identify all relevant risks and both
agencies were found to have low maturity in relation to risk
management.

Audit findings

1. Agencies had failed to identify their “crown

Under the NSW Cyber Security Policy, agencies are required to
identify their “crown jewels”, being the most valuable or
operationally critical systems or information within the
organisation. The Audit Office found that Transport for NSW had not
maintained a comprehensive record of its IT systems, nor had it
assigned any classification to systems based on their value to the
organisation. While this is a public sector concept, private sector
entities should also consider what the critical “crown jewel”
systems of their organisation are and allocate appropriate
resources to their protection.

2. Agency staff did not have sufficient cybersecurity

The Audit Office found that staff at both Transport for NSW and
Sydney Trains had low cyber awareness. In testing of agency staff
via a “scam simulation”, 24 per cent of Transport for NSW staff and
32 per cent of Sydney Trains staff had clicked on a link from a
simulated scam email. The low cybersecurity awareness reflects low
training levels across both agencies. For example, only 4.2 per
cent of Sydney Trains staff assigned the Cyber Security Safety for
New Starters training program had completed

3. Poor communication of risk information to executives

Agency executives were not sufficiently involved in cybersecurity
risk identification and management. For example, the Audit Office
found there were no procedures for regularly updating agency
executives on potential cyber risks. Without such reporting
mechanisms, there was no comprehensive response to or management of
cybersecurity risks.

4. Implementation of cybersecurity plans was significantly

Sydney Trains had developed a cybersecurity plan but, one year on,
had not implemented any of the related processes. Despite public
transportation systems being identified as part of Australia’s
critical infrastructure and at risk of cyberattack, the Audit
Office determined the agencies had a low level of maturity in their
compliance with cybersecurity standards set by the Australian Cyber
Security Centre.

5. Funding for cybersecurity risk mitigation was inappropriately
allocated

The agencies had not allocated cybersecurity-specific funding in a
way that prioritised issues of greatest risk to the

6. Failure to audit third party contractors

The agencies had not exercised their contractual rights to
routinely audit third party contractors in respect of their
cybersecurity obligations.

What issues identified here might apply to your business?

Not that we thought a privacy article would ever discuss “crown
jewels”, but do you know which of your key systems need the most
protection, and, having identified them, have you implemented that
level of protection? If you cannot answer this fundamental
threshold question, then your whole business is potentially at
risk. This case study also highlights the issues around training
and human error: the lack of training for staff generally to be
aware of phishing and other scams was compounded by executives not
having a deep understanding of the risk and the consequent need for
training and other controls. Finally, implementation of plans had
been delayed. There is always something urgent, but cybersecurity
is important and cannot be pushed back for any extended period.

Lessons from the case studies as to why you should do your own

1. It is more cost-effective to comply in advance than to suffer a
breach or regulatory action

Conducting an internal audit gives your organisation the
opportunity to identify systemic privacy and cybersecurity issues
before they play out in the public domain, for example, in the
event of a data breach or an investigation by a regulator. The cost
of undertaking an audit is relatively insignificant compared with
the potential cost of rectifying a data breach, paying pecuniary
penalties and rebuilding trust among the customer base. Recall that
Service NSW’s cost of remedying its 2020 data breach was expected
to be more than $30 million.

2. Governance and accountability drive action

It is important to ensure your organisation’s privacy plans and
controls are updated to reflect changes to the governance
structure. When Service NSW was subsumed into the DCS, its privacy
management plan was not updated to reflect related changes such as
the fact that its audit functions were moved to the DCS. The result
was that its internal accountability framework lost integrity.
While this kind of restructure may not occur in a business
environment, regularly checking reporting lines and coordination on
privacy matters is essential. Do you have a senior executive with
accountability and a reporting line to ensure issues are reported
and dealt with?

3. Business growth should be a trigger for privacy reviews, not a
distraction

As a business grows, it is important that the increased demands on
the business do not distract from the need to ensure that privacy
practices, systems and procedures are fit for purpose. Periods of
growth should trigger a review of existing software, personal
information handling processes and privacy controls.

4. When investing in a pro-privacy future, do not forget to look
back

Businesses are increasingly taking a “privacy by design” approach
to future projects. However, it is equally important to examine
existing processes which may undermine that approach and present a
hidden liability for the business. Does your business have any
“legacy systems” or procedures for handling personal information?
If so, consider a privacy impact assessment to determine the risk
of continuing “as is”. For example, the use of email to transmit
personal information and the storage of sensitive information in
unencrypted plain text fields are common causes of data breaches
and costs.

Where to start?

Organisations looking to interrogate their own cybersecurity and
data security maturity should ask themselves the following:

  • have you done an organisation-wide data mapping exercise?
    Understanding when, where and how personal data is collected,
    stored, used and disclosed throughout your organisation will
    tell you where your risk lies and where to start.
  • has your board and/or senior management assessed its “risk
    appetite” and allocated appropriate resources for mitigating
    privacy risk?
  • do you know what your “crown jewels” are and how they are
    protected?
  • do your contracts clearly allocate risk and responsibility for
    information security? If you share personal information with
    third parties, including your suppliers and contractors,
    allocating roles and responsibilities for privacy compliance in
    a contract can help avoid a bigger headache in the event of a
    breach.
  • do you embed “privacy by design” in systems and processes as
    much as possible, so that “human error” can be


[1] See “PB” and United Super Pty Ltd as Trustee for Cbus (Privacy)
[2018] AICmr 51 (23 March 2018).

This publication does not deal with every important topic or change
in law and is not intended to be relied upon as a substitute for
legal or other advice that may be relevant to the reader’s specific
circumstances. If you have found this publication of interest and
would like to know more or wish to obtain legal advice relevant to
your circumstances, please contact one of the named individuals
listed.

