Dr Fabian Horton | Legal Operations - Cyber / IT Lawyer
Lextechia

Day 1 @ 15:40

Hidden Secrets in Derived Data

This presentation from a panel of legal practitioners, IT director and cyber risk expert will decipher the myriad of applicable IT security policies and technologies options to prepare for the foreshadowed changes to the Privacy Act in the backdrop of the Online Privacy Bill Exposure Draft[5].

 

 

 

 

 

OAIC has warned of the privacy risks with de-identified data[1]. Information is considered to be de-identified where there is no reasonable likelihood of re-identification occurring. De-identified data is not considered personal information and is therefore not subject to the Privacy Act 1988 (Cth) (Privacy Act).

 

 

 

 

 

The current review of the Privacy Act by the Attorney-General’s Department[2] explored the impact of technical or derived information in the definition of personal information (in chapter 2 /page 21 in the Discussion Paper[3]). The 2017 OAIC and CSIRO-Data61 ‘De-Identification Decision-Making Framework’[4] is a practitioner guide intended to eliminate the need to ‘call in the experts’.

 

 

 

 

 

 

 

 [1] https://www.oaic.gov.au/privacy/guidance-and-advice/de-identification-and-the-privacy-act

 

[2] https://www.ag.gov.au/integrity/consultations/review-privacy-act-1988

 

[3] https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/

 

[4] https://www.data61.csiro.au/en/Our-Research/Our-Work/Safety-and-Security/Privacy-Preservation/De-identification-Decision-Making-Framework

 

[5] https://consultations.ag.gov.au/rights-and-protections/online-privacy-bill-exposure-draft/

Day 2 @ 15:00

Reasonable Security - lessons learnt from ASIC prosecution

As the Australian Tertiary education sector reboots in 2022, it should take note of the lessons learnt from the recent landmark judgement against RI Advice (a wholly owned subsidiary of ANZ) . While the judgement did not impose a penalty and any prescriptive cybersecurity standard , it clarified the meaning of ‘efficiently, honestly and fairly’ under s 912A of the Corporations Act, in particular in the context of risk management of cybersecurity. Tertiary education IT policymakers are faced with the double whammy of constrained budget due to the prolonged subdue enrolment during the COVID lockdown while retooling to support a hybrid learning delivery model as students gradually return to campus-based engagement. The current review of the Australian Privacy Act (1998) by the Attorney General with a specific focus on derived data further amplifies the data privacy management challenge in a hybrid educational delivery model where complex derived data are captured as a natural by-product with little guidance on security protection measures. This presentation brings together these diverse, interconnected and fast-moving elements to help the delegates better prepare to navigate these immediate challenges to deliver “reasonable security”.