Privacy Controls for your Risk Assessment
Information to help you deal with Privacy risk, When to assess Privacy, Breach Notification, Recommended Controls, and Resources.
With GDPR (General Data Protection Regulation) making waves, countries around the world have started changing their Privacy laws.
Being Australian, most businesses I work with mainly operate within Australia and New Zealand before GDPR they were either not subject to or not overly concerned with International laws.
Start here to learn how GDPR reaches far beyond Europe
Australia amended the Privacy Act which mainly included compulsory breach notification requirements, this was applied in 2017 and the grace period for enforcement ends 22nd February 2018.
Prior to this (2014) 13 Privacy Principles were established in Australia and similarly New Zealand law lays out 12 Information Privacy Principles.
When to assess Privacy
It is different for each country so always consult a professional (shameless pitch for my services).
The primary indicators for knowing if you should do an assessment would be any one of;
- Data is collected directly from the individual
- The data can be used as is or in combination with other data to identify the individual
- The individual is a natural living person
- Data is not just text it can be audio, image, and video too
These are guidelines, not inclusive, and only 1 indicator would mean you should complete your assessment.
It is also important to realize that in most cases Privacy law may be superseded by other laws, for instance in health care across the globe you will encounter laws that are more stringent and apply to the same data so make sure you treat Privacy as a starting point.
Breach Notification
New Zealand are currently in the process of passing new law that proposes compulsory breach notification but at the time of writing there are no current requirements to do so, but it is highly encouraged. However if you collect data of citizens of other countries and operate in New Zealand there may still be a requirement for you to notify someone.
In Australia where breach notifications are now compulsory, and due to GDPR, my advice is to create a process around breach notifications and practice it regularly so you are prepared to carry out your obligations when required.
Establish a process for breach notification drills, and practice it. by doing this you are going to ensure that you're up to date and fully grasp all obligations you must fulfill prior to a breach event occurring.
Recommended Controls
The main concerns you will have is how to protect the data and show an auditor evidence of your diligence.
Encrypt encrypt encrypt
Consider both at rest and in-transit encryption. There is no better advice.
If you take only one thing away let it be this, because it may negate the need to perform a compulsory breach notification altogether
For specifics here, it is important to understand that the use
and disclosure
of data have unique definitions. For instance a system that securely transfers data to another company (entity, agency, etc) such as marketing might be considered a use
whereas an employee that emails that same data to the same recipient might be considered a disclosure
.
This is due to the nature of email being inherently insecure and unable to be secured. DKIM only goes so far as to try to assure the identity of senders, it does not provide security over the transmission or the data and emails are open to interceptions and MIIM (man in the middle) attacks.
To prevent accidental disclosure during operations (people are flawed) encourage the use of tools that encrypt data, and for emails always send as encrypted attachments which might mean asking the recipient for a public key so they can decrypt the message at their end.
If your company is in the business of handling private or restricted data and rely on humans to do any task that involves access to that data it is going to be key to your success to educate everyone at all levels about encryption. Find the right tools and make it habit that your employees ask for public keys to securely transmit encrypted data, and are empowered to confidentially issue public keys themselves when requesting data from outside or trusted third parties.
Just make sure keys are confidentially exchanged using a different channel to where the data exchange will be done.
Write up your analysis
Auditors use evidence based process to be deterministic in their approach, so it is important to have a paper trail to prove you were diligent from planning, to implementation, and finally during BAU (business as usual).
You may wish to consider documenting a simple privacy impact assessment if not only to show you fulfilled the planning diligence but it is a great internal reference for you when you start a new project, it can be a repeatable process and promote agility.
There is no "right" way of writing a privacy impact assessment.
Make your privacy impact assessment as detailed as it needs to be to help you make the right decisions. Frequently refer back to it during breach drills and such to make sure you're up to date.
It is possible to arrange an independent AoC (Attestation of Compliance) so that you are sure where you stand. The measurable benefit to attaining an AoC is with it you can promptly supply customers assurance that you've been independently assessed and meet the requirements which is a huge time saver when normally you would be conducting unique risk assessments with each customer.
Information Accuracy
In terms of Australia and GDPR there are some serious concerns around accuracy due to how broad Privacy extends (banking, credit, claims, etc), so I encourage seeking professional advice once again.
It may be surprising to some that New Zealand has consequences that may be faced when dealing with accuracy of Privacy data. IPP 8 talks to the need of accuracy to be checked before use.
The more likely it is that the information is inaccurate, out of date, or incomplete, the more reasonable it is for validation at time of use.
- Things such as birth place or dates do not become out of date or incomplete
- Citizenship, occupation, addresses, and marital status or surname may be inaccurate and can easily become out of date
- More complex data like a criminal history or medical report can be inaccurate, out of date, and incomplete
Depending on the seriousness of the consequences it may be best to check with the original source before use.
For the technical people data sanity checking can be hard, but it is my experience that if you build verification into the collection phase it is a matter of automating the same technique at a later time to reduce the effort of manual checking in the future.
Data retention
Simply due to the New Zealand IPP 9 requirement that personal information must not be kept longer than necessary, you might want to determine a retention period for all of the Privacy information you store.
In almost all cases retention will be dictated by the terms for which the data was collected, so as part of the data collection process it is important that you obtain permission from individuals of how their data may be used.
For GDPR and New Zealand it is not reasonable to simply gather data with an all encompassing privacy statement that allows you to retain data indefinitely or without being specific in how it will be used.
For example, if you harvest email addresses at a trade show or event for the purposes of marketing into the future you will have a tough time being compliant, however if the individual was providing their data to you as an expression of interest to be converted to a customer you have the ability to stipulate wording in the agreement for this use case and an expected period for retention. This provides the individual expectation that data will be deleted by the agreed date if they chose not to convert to being a customer and your business the right to contact them reasonably.
The take away here for the technically minded is that you should ensure data has been classified and that whatever classification model you chose you ensure that you place a definitive retention date for all Privacy data.
Resources
International Privacy Law Library
http://www.worldlii.org/int/special/privacy/
The Privacy Commissioner's Office of New Zealand
https://www.privacy.org.nz/privacy-for-agencies/getting-started/
General Data Protection Regulation (GDPR)
https://gdpr-info.eu
Notifiable Data Breaches scheme of Australian Privacy Act 1988
https://www.oaic.gov.au/privacy-law/privacy-act/notifiable-data-breaches-scheme