This week is Privacy Awareness Week, an annual initiative run by the Office of the Australian Information Commissioner (OAIC). The theme, "Reboot Your Privacy", challenges organisations to "Ctrl+Alt+Delete" their approach to privacy. The timing is apt given the heightened data risk associated with businesses operating online due to COVID-19.
In this article, we explore how organisations can manage privacy, data security and regulatory risk in respect of their email data handling practices – which is high on the OAIC's regulatory enforcement agenda.
Privacy Awareness Week (PAW) runs from 4-10 May 2020, and is an opportunity for the Office of the Australian Information Commissioner (OAIC) to raise awareness of current privacy and cybersecurity issues amongst the community. It is also an opportunity for the OAIC to emphasise best practice data handling requirements to meet community expectations about respecting and protecting personal information.
This year, the OAIC is challenging organisations to implement strategies to respond to the current COVID-19 situation, by implementing key principles of good privacy practice as follows:
Above all, the OAIC is warning organisations to be transparent in how personal information is handled and give people choice wherever possible about the collection and use of their data.
More information about PAW, including OAIC resources, is available on the OAIC website. Resources are also available for individuals and families to help them protect their personal information when interacting online in the current environment.
In practice, the OAIC is tasking organisations to take stock of and strengthen their information handling practices, especially as organisations continue to operate in an increasingly digital environment post-pandemic.
We discuss below the OAIC's current approach to email data handling practices (which is high on the agenda), and set out how organisations can 'reboot their privacy' to reduce their overall risk in respect of email usage.
In line with this year's PAW theme, we have recently observed the OAIC's regulatory activity focusing on organisations' data governance practices, particularly the use of email applications and services to store and transmit significant quantities of personal information.
On Friday 28 February 2020, the OAIC released its latest biannual Notifiable Data Breaches Report, in which the OAIC provided statistical information on the Eligible Data Breaches reported during the period July to December 2019.
Notably, in the report the OAIC homed in on business email compromise incidents (i.e. mailbox breaches) and on entities using mailboxes as primary storage for personal information. Relevantly, the OAIC noted that:
Separately, in the report the OAIC took aim at the means by which entities transmit personal information, with a particular focus on email transmission of personal information. Relevantly, the OAIC made the following observations:
As evident from the above, the OAIC is now firmly focussing its attention on business email compromise incidents in particular. This is because of the sheer frequency with which these incidents are impacting Australian businesses and the significant impact that such incidents can have on individuals whose personal information is contained within mailboxes.
Against this background, we set out below a roadmap for how organisations can improve email data handling practices.
In an increasingly connected world, and with the growing trend towards agile and remote working, the past 15 years have seen a significant increase in the use of email services to transmit and store data in the course of doing business.
This increase has been facilitated by the trend over the past 5-10 years to outsource data handling to third party cloud service providers, the increased use of smartphones and other BYOD (bring your own device) hardware by employees to remotely access workplace assets, and the falling cost of data storage on cloud-based email services.
While there are many benefits to this way of working, there are also increased data security, privacy and cyber-crime risks to manage through the use of email services. Relevant to email data handling practices, under the Privacy Act 1988 (Cth) (Privacy Act), organisations have two key obligations:
While the term 'reasonable' is undefined in the Privacy Act, practically speaking, as part of taking 'reasonable steps' to protect personal information, the OAIC requires entities to consider how personal information will be protected at all stages of the information lifecycle. This should be considered before an entity collects personal information (including asking whether it should collect the information at all), as well as when the information is collected and held, and when it is destroyed or de‑identified when no longer needed.
In line with privacy best practice requirements under Australian Privacy Principles 11.1 and 11.2, the OAIC's firm expectation is that organisations are considering what 'best practice' looks like relevant to their circumstances, to:
When an Eligible Data Breach arising from a business email compromise incident is reported to the OAIC, the OAIC will of course want to understand how the incident occurred (to assess any non-compliance with APP 11.1), but its attention will typically settle on the impacted entity's underlying data handling practices relating to the use and storage of emails (to assess any non-compliance with APP 11.2).
Organisations will need to be prepared to justify their position to the OAIC by demonstrating that they proactively took steps to address these requirements before an incident occurred, so as to mitigate their overall data risk exposure.
As organisations adapt to operating in an increasingly digital business environment post-pandemic, when addressing data governance requirements relating to email usage they must ensure that data minimisation and security is a central part of 'the new normal'.
Given that PAW 2020 is about 'rebooting privacy', we encourage all organisations to challenge the myth that all email data is required for all time, and delete data that is no longer required. After all, if data does not exist, it cannot be misused.
To achieve this, organisations should engage in a data mapping exercise, identifying the types of data that they hold, what the statutory retention requirements are in respect of the types of data, and where applicable, take steps to delete or de-identify data no longer in use.
Where data remains in use, organisations should ensure that appropriate steps are being taken to securely share and store sensitive personal information, including through secure file sharing applications (as opposed to emails) which can limit risk if secure access controls are properly implemented and data is encrypted.
In terms of email usage specifically, organisations should consider adopting journaling and archiving strategies as a way of tracking and then removing emails from mailboxes to limit the potential for misuse should that mailbox be compromised. Care should also be taken to ensure that email security controls are properly implemented by external IT / managed service providers responsible for establishing email environments.
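The data mapping, retention and clean-up steps described above lend themselves to a simple triage pass over a mailbox. The script below is an added example for this article, not code from Clyde & Co, the OAIC or any email platform. It assumes a hypothetical mailbox export whose items have already been tagged with a data category during the mapping exercise; the retention periods, identifier patterns and sample messages are constructed for illustration and are not a statement of any statutory retention requirement.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

# Illustrative retention schedule in days, keyed by the data category assigned
# during the data-mapping exercise. Constructed for this example; the real
# schedule comes from the organisation's own statutory analysis.
RETENTION_DAYS = {
    "payroll": 7 * 365,
    "customer_correspondence": 2 * 365,
    "marketing": 180,
    "general": 365,
}

# Illustrative patterns for sensitive identifiers often found in mailboxes.
# Format-only matches (constructed), not validity checks; group 1 is the value.
SENSITIVE_PATTERNS = {
    "tfn": re.compile(r"\bTFN[:\s]*(\d{3}\s?\d{3}\s?\d{3})\b", re.IGNORECASE),
    "medicare": re.compile(r"\bMedicare[:\s]*(\d{4}\s?\d{5}\s?\d)\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)[:\s]*(\d{2}/\d{2}/\d{4})\b", re.IGNORECASE),
}


@dataclass(frozen=True)
class Message:
    msg_id: str
    received: date
    category: str
    body: str


def find_sensitive(body: str) -> list[str]:
    """Return the identifier types present in the body, in schedule order."""
    return [name for name, pat in SENSITIVE_PATTERNS.items() if pat.search(body)]


def deidentify(body: str) -> str:
    """Replace each matched identifier value with a tag; the label is kept so
    the de-identified copy remains readable."""
    for name, pat in SENSITIVE_PATTERNS.items():
        body = pat.sub(
            lambda m, n=name: m.group(0).replace(m.group(1), f"[REDACTED-{n.upper()}]"),
            body,
        )
    return body


def disposition(msg: Message, today: date) -> tuple[str, str | None]:
    """Decide what happens to one mailbox item.

    delete                retention period for its category has expired
    move_to_secure_store  still within retention but carries identifiers that
                          should not live in a mailbox; the full item goes to a
                          controlled store and the mailbox keeps the
                          de-identified copy returned as the second element
    retain                within retention, no sensitive identifiers found
    """
    age_days = (today - msg.received).days
    limit = RETENTION_DAYS.get(msg.category, RETENTION_DAYS["general"])
    if age_days > limit:
        return ("delete", None)
    if find_sensitive(msg.body):
        return ("move_to_secure_store", deidentify(msg.body))
    return ("retain", None)


def triage(messages, today: date) -> dict[str, tuple[str, str | None]]:
    return {m.msg_id: disposition(m, today) for m in messages}


# Constructed sample mailbox export; no real people or identifiers.
AS_OF = date(2020, 5, 8)
SAMPLE_MESSAGES = [
    Message("m1", date(2012, 3, 1), "payroll",
            "New starter form attached. TFN: 123 456 782, start date 5 March."),
    Message("m2", date(2019, 11, 15), "customer_correspondence",
            "Claim update for J. Citizen, Medicare 2123 45678 1, DOB 01/02/1980."),
    Message("m3", date(2020, 4, 30), "general", "Agenda for Monday's team meeting."),
    Message("m4", date(2019, 6, 1), "marketing", "Q2 newsletter draft for review."),
]


def triage_sample() -> dict[str, tuple[str, str | None]]:
    return triage(SAMPLE_MESSAGES, AS_OF)


if __name__ == "__main__":
    for msg_id, (action, redacted) in triage_sample().items():
        print(msg_id, action, "" if redacted is None else f"-> {redacted}")
```

The output is a disposition list, not a deletion tool: the actual removal or archiving should be carried out through the email platform's own retention and journaling controls, so that the action is logged and consistent across mailboxes. The identifier patterns are deliberately loose and will produce false positives, which is the safer direction for a triage pass, but anything flagged for movement should be confirmed by a person before the mailbox copy is replaced with the de-identified version.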
Talk to us if you would like to discuss our Data Governance and Retention Readiness package to help address the above concerns, as well as our Vendor Compliance package to ensure that appropriate data security and privacy terms are in place with third party providers.
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response practice in Australia and New Zealand. Our experienced team have dealt with over 700 data breach and technology related disputes in recent times, including a number of the largest and most complex incidents in Asia Pacific to date.
From pre-incident readiness, breach response, through to defence of regulatory investigations and proceedings, as well as recovery actions against wrongdoers, we assist clients in Asia Pacific across the full cyber lifecycle. Our team is also highly regarded for their expertise and experience in managing all forms of disputes across sectors including advising on some of the most newsworthy class actions commenced in Australia.
Our 24 hour cyber incident response hotline or email allows you to access our team directly around the clock. For more information, contact us on: