Overview
This briefing paper discusses the subject of privacy. According to the Cambridge English Dictionary (Cambridge University 2020), privacy (in business) is “the right that someone has to keep their personal life or personal information secret or known only to a small group of people”. Personal information is “information or an opinion about an identified individual, or an individual who is reasonably identifiable” (Australian Government 2020).
Recently, companies such as Facebook, Google and Cambridge Analytica have come under pressure from their stakeholders over the information they collect, to whom they disclose it, and how securely they store it.
Purpose
The purpose of this brief is to help the organisation decide what information is stored, how it is stored (particularly personally identifiable information), what procedures should govern its release (both internally and externally), and what to do when a data breach occurs in order to minimise the impact on the organisation.
Sources
The material for this brief has primarily been sourced directly from the relevant legislation and government websites; peer-reviewed journal articles and other internet sources have also been used.
Results
- Privacy is typically not treated as a high priority.
- Knowledge of the privacy-related laws in every country the entity operates in is essential (or, alternatively, seek legal advice from someone who has it).
- Unethical behaviour, even if it is not illegal, can be detrimental to an entity.
- Some risk can be transferred to another party, such as a cloud service provider, using insurance and service level agreements, although the entity remains responsible for the personal information it holds.
Background
Regulations in Australia
- Privacy is covered by the Privacy Act 1988, which applies to “APP entities”, a category that includes most agencies and organisations (Australian Government 2020).
The Act sets out 13 Australian Privacy Principles (APPs) that govern the way in which personal information is to be collected, used, disclosed and stored:
- APP 1: Open and transparent management of personal information (Australian Government 2020).
- APP 2: Anonymity and pseudonymity, which entitles individuals to the option of anonymity in most cases (Australian Government 2020).
- APP 3: Collection of solicited personal information, which only allows the collection of personal information where it is reasonably necessary (Australian Government 2020).
- APP 4: Dealing with unsolicited personal information, which requires an APP entity that receives unsolicited personal information to destroy or de-identify it if the entity could not have collected it under APP 3 (Australian Government 2020).
- APP 5: Notification of the collection of personal information (Australian Government 2020).
- APP 6: Use or disclosure of personal information, which in most cases prohibits the use or disclosure of personal information for a purpose other than the one for which it was collected (Australian Government 2020).
- APP 7: Direct marketing using personal information, which is generally prohibited unless an exception applies (Australian Government 2020).
- APP 8: Cross-border disclosure of personal information, which is generally prohibited unless the entity takes reasonable steps to ensure the overseas recipient complies with these principles; the disclosing entity remains accountable for the recipient’s handling of the information (Australian Government 2020).
- APP 9: Adoption, use or disclosure of government-related identifiers, which is generally prohibited (Australian Government 2020).
- APP 10: Quality of personal information, which requires the entity to ensure the information is accurate, up to date and complete (Australian Government 2020).
- APP 11: Security of personal information, which requires the entity to take reasonable steps to protect it from misuse, interference and loss, and from unauthorised access, modification or disclosure, and to destroy or de-identify it once it is no longer needed (Australian Government 2020).
- APP 12: Access to personal information, which usually requires the entity to give an individual access to their personal information on request (Australian Government 2020).
- APP 13: Correction of personal information (Australian Government 2020).
- If personal information is stored in the cloud, the data must be deleted or de-identified once it is no longer needed (Australian Government 2014).
- Australian consumer law can help protect the entity if a “cloud service provider claims that a certain level of protection will apply to the data, and fails to live up to its promise” (Australian Government 2014). It may therefore be beneficial to have a service level agreement with the cloud provider that transfers some of the risk of a data breach onto the provider: in addition to shifting some or all of the financial burden, it can also shift some of the negative publicity if an incident occurs. Note that an agreement does not shift the entity’s own obligations under the APPs; the entity still has to take reasonable steps to secure the information and, for overseas providers, to ensure the recipient complies with the principles.
Regulations Overseas
In most cases, an Australian organisation that also operates in other countries is required to follow those countries’ privacy and data collection laws. Some laws to note are presented in the Termly infographic Privacy Laws Around the World (Termly Legal Team 2019).
Impact of Data Breaches & Unethical Behaviour
Data breaches and unethical behaviour can have a large effect on an entity’s reputation. An infamous example of the unethical use of data is the case in which personal data of millions of Facebook users was harvested through a third-party app on Facebook’s platform and passed to Cambridge Analytica, a data analytics company, for processing. Although this was not a data breach in the usual sense, it was widely viewed as highly unethical and caused Facebook to apologise publicly and announce that it would begin focusing on privacy, a claim that was largely unfulfilled (Wong 2019). The way Facebook handled the incident limited its reputational damage: because it released the details shortly after the negative publicity began, the initial public response was very negative but the story could blow over, as there was nothing new for the public to focus on. It also helped create the perception that Facebook was at least being honest.
However, the incident caused Cambridge Analytica and its parent company, SCL Group, to declare bankruptcy in 2018 because “the siege of media coverage” drove away “virtually all of the company’s customers and suppliers”; although the company maintained that its employees had acted ethically and lawfully, that was not the commonly accepted view (Cohen 2018).
Key Considerations
Privacy-Preserving Data Mining
According to Banerjee, Chen & Gangopadhyay (2013), it is “often necessary for organizations to perform data mining tasks collaboratively” with other organisations. To help protect the personal information of users, they propose that any unnecessary information (particularly personal information) is removed first, and that the reduced data is then shared with a third party that processes it for all the participating organisations. The same approach is advisable for any data mining, including work done internally: if a data leak does occur, it is far less likely to harm the organisation or its users if no personal information was present in the data set that leaked.
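The following is an added example, not code from the briefing paper or from Banerjee, Chen & Gangopadhyay, showing what “removing unnecessary information first” can look like in practice before a data set leaves the organisation (the same minimisation and de-identification step is what the cloud guidance above calls for once data is no longer needed in identifiable form). The field names, sample records, pseudonymisation key and the minimum group size K are all assumptions constructed for the example. It keeps only an allowlist of analytic fields, replaces the customer identifier with a keyed pseudonym (HMAC-SHA256, so a processor can link records without learning who they belong to and cannot recompute the pseudonym from a guessed id), generalises date of birth and postcode, and then suppresses any record whose generalised attributes are still unique enough to re-identify someone (a basic k-anonymity check).

```python
"""
Added example (not from the briefing paper): minimise and de-identify customer
records before they are shared with a third-party processor for collaborative
data mining.

Pipeline per record:
  1. keep only an allowlist of analytic fields (name, email, phone and street
     address are never copied across);
  2. replace the customer id with a keyed pseudonym (HMAC-SHA256);
  3. generalise quasi-identifiers (date of birth -> 10-year age band,
     postcode -> two-digit prefix);
  4. suppress any record whose quasi-identifier combination is shared by
     fewer than K records (basic k-anonymity).

Field names, sample records, the key and K are constructed for this example.
"""
import hashlib
import hmac
from collections import Counter
from datetime import date

# Assumption: in a real deployment the key lives in a KMS on the data owner's
# side and is never given to the processor. It is hard-coded only so that the
# example runs offline.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"
K = 2  # minimum number of records sharing a quasi-identifier combination

# Constructed sample input, as held by the source system.
SAMPLE_RECORDS = [
    {"customer_id": "C1001", "name": "Alice Smith", "email": "alice@example.com",
     "phone": "0400000001", "address": "1 Example St", "dob": "1985-04-12",
     "postcode": "3000", "plan": "premium", "monthly_spend": 120},
    {"customer_id": "C1002", "name": "Bob Jones", "email": "bob@example.com",
     "phone": "0400000002", "address": "2 Example St", "dob": "1989-11-30",
     "postcode": "3052", "plan": "basic", "monthly_spend": 35},
    {"customer_id": "C1003", "name": "Carol White", "email": "carol@example.com",
     "phone": "0400000003", "address": "3 Example St", "dob": "1951-02-01",
     "postcode": "6000", "plan": "basic", "monthly_spend": 40},
    {"customer_id": "C1004", "name": "Dan Brown", "email": "dan@example.com",
     "phone": "0400000004", "address": "4 Example St", "dob": "1987-07-19",
     "postcode": "3070", "plan": "premium", "monthly_spend": 95},
]


def pseudonymise(customer_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym. Unlike a plain SHA-256 of the id, it
    cannot be reversed by hashing guessed ids without the key."""
    return hmac.new(key, customer_id.encode(), hashlib.sha256).hexdigest()


def age_band(dob: str, today: date = date(2020, 6, 23)) -> str:
    """Generalise a date of birth to a 10-year band. 'today' is fixed so the
    example is reproducible."""
    born = date.fromisoformat(dob)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    low = (age // 10) * 10
    return f"{low}-{low + 9}"


def postcode_prefix(postcode: str) -> str:
    """Keep only the first two digits (roughly region level)."""
    return postcode[:2] + "xx"


def deidentify(record: dict) -> dict:
    """Steps 1-3 for one record. Building a new dict from an allowlist means a
    newly added identifying column in the source can never leak by default."""
    return {
        "pseudonym": pseudonymise(record["customer_id"]),
        "age_band": age_band(record["dob"]),
        "postcode_prefix": postcode_prefix(record["postcode"]),
        "plan": record["plan"],
        "monthly_spend": record["monthly_spend"],
    }


def enforce_k_anonymity(records: list, k: int = K) -> list:
    """Step 4: drop records whose (age_band, postcode_prefix) combination
    occurs fewer than k times, since a unique combination can re-identify."""
    def quasi(r):
        return (r["age_band"], r["postcode_prefix"])
    counts = Counter(quasi(r) for r in records)
    return [r for r in records if counts[quasi(r)] >= k]


def prepare_for_sharing(records: list) -> list:
    """Full pipeline: the only output that should reach the third party."""
    return enforce_k_anonymity([deidentify(r) for r in records])


if __name__ == "__main__":
    for row in prepare_for_sharing(SAMPLE_RECORDS):
        print(row)
```

With the constructed input, the three customers born in the 1980s in 30xx postcodes form a group of three and are released; the 1951-born customer in postcode 6000 is the only record in her (age band, postcode prefix) group and is suppressed rather than shared. Choosing K, the generalisation levels and the analytic fields is a policy decision that should be recorded alongside the data-sharing agreement, and the HMAC key should be rotated per sharing arrangement so pseudonyms from different projects cannot be joined.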
Privacy by design
An important way to ensure that an entity prioritises privacy mechanisms when developing software is privacy by design. According to Hadar et al. (2017), privacy by design is “a policy measure that guides software developers to apply inherent solutions to achieve better privacy protection”. Unfortunately, their research found that, from the point of view of software developers, in most cases they are “actively discouraged from making informational privacy a priority”, and that “many developers do not have sufficient knowledge and understanding of the concept of informational privacy (data protection), nor do they sufficiently know how to develop privacy-preserving technologies” (Hadar et al. 2017).
Because the study also found that the “organizational privacy climate highly influences developers’ privacy interpretation and behaviour”, the authors suggest that “an effective mechanism to bring about the required change in the privacy mindset and practices as to informational privacy” is to start by adapting organisational policy so that developers are encouraged to prioritise privacy features, and then to educate and motivate developers to “create the mindset required for designing privacy-preserving solutions” (Hadar et al. 2017).
Conclusions & Recommended Actions
The research has shown that privacy is typically not a priority within organisations. To protect users and minimise the legal and reputational impact that can follow if the organisation fails to keep its users’ data safe, or collects or uses that data in an illegal or unethical way, the organisation should consider the following:
- Someone in the organisation should know the relevant privacy legislation in every country the business operates in (or legal advice should be sought from a trained professional who does).
- Data breaches can have a significant impact on the organisation, so consider transferring some of this risk (for example, business insurance, or service level agreements with cloud service providers that specify the required security standards). Such transfers reduce financial exposure but do not remove the organisation’s own obligations under the Privacy Act.
- If an incident such as a data breach occurs, it can often minimise the entity’s reputational damage to release the full details publicly as soon as any of them leak. Note that where a breach is likely to cause serious harm to individuals, the Privacy Act’s notifiable data breaches scheme also requires the affected individuals and the regulator to be notified, so the incident response procedure should cover that assessment and notification, not only public communication.
- Review stored data and decide whether the organisation has a legal right to keep it and whether it is still needed. If not, delete or de-identify it.
- Review organisational policies and interview software developers to understand their attitude towards privacy. If necessary, adapt these policies to encourage developers to prioritise privacy, and when recruiting software developers try to gauge their attitude towards privacy, as it is a good indication of whether they will prioritise it when developing software. Privacy features built in this way help stop users, whether internal or external and whether acting accidentally or deliberately, from accessing data without following the proper procedures.
References
Australian Government 2014, Cloud Computing and Privacy Consumer Fact Sheet, Australian Government, viewed 23 June 2020, <https://www.communications.gov.au/sites/default/files/2014-112101-CLOUD-Consumer-factsheet.pdf?acsf_files_redirect>.
Australian Government 2020, Privacy Act 1988, Australian Government, viewed 23 June 2020, <https://www.legislation.gov.au/Details/C2020C00168>.
Banerjee, M, Chen, Z & Gangopadhyay, A 2013, “A generic and distributed privacy preserving classification method with a worst-case privacy guarantee”, Distributed and Parallel Databases, vol. 32, no. 1, pp. 5-35.
Cambridge University 2020, PRIVACY | meaning in the Cambridge English Dictionary, Cambridge, viewed 23 June 2020, <https://dictionary.cambridge.org/dictionary/english/privacy>.
Cohen, K 2018, Cambridge Analytica declares bankruptcy, shuts down, Washington Examiner, viewed 28 June 2020, <https://www.washingtonexaminer.com/news/cambridge-analytica-declares-bankruptcy-shuts-down>.
Hadar, I, Hasson, T, Ayalon, O, Toch, E, Birnhack, M, Sherman, S & Balissa, A 2017, “Privacy by designers: software developers’ privacy mindset”, Empirical Software Engineering, vol. 23, no. 1, pp. 259-289.
Termly Legal Team 2019, Privacy Laws Around the World, Termly, viewed 24 June 2020, <https://termly.io/resources/infographics/privacy-laws-around-the-world/>.
Wong, J 2019, The Cambridge Analytica scandal changed the world – but it didn’t change Facebook, The Guardian, viewed 28 June 2020, <https://www.theguardian.com/technology/2019/mar/17/the-cambridge-analytica-scandal-changed-the-world-but-it-didnt-change-facebook>.