1 December 2023

Privacy and information security: Just like salt and pepper

Melanie Marks

Privacy and information security are just like salt and pepper. Two unique flavours that are so much better together.

The role of security in a strong privacy program was one of the key messages from Australian Information Commissioner and Privacy Commissioner Angelene Falk in her keynote address to the IAPP conference in Sydney this week. Asked about the Office of the Australian Information Commissioner’s priorities for 2024, security got the first mention.

But why? Well, let’s start in the obvious place — data breaches. The significant breaches of the last 12 months involved theft of personal information at scale and as a result in this year’s ACAPs survey, the community said that privacy is a significant issue, particularly identity theft stemming from data breaches. It is in this sweet spot of breaches that operational privacy teams and cyber teams often collaborate.

But a strong message from the Commissioner was that the intersect is much greater.

This is because Australia has an ambition to be a world leader in cyber security by 2030 under its new Australian Cyber Security Strategy released on 22 November. To be successful, Commissioner Falk pointed out that we need Australia’s cyber measures to connect with anticipated privacy reforms.

There are several privacy reforms that will help reduce the impact of cyber threats — or at least make the attack surface shrink or the spoils smaller. For example, data minimisation — collect the bare minimum and expunge old records in a timely way. Fewer records held means fewer records exposed in the event of a breach. 

Another area of privacy reform needed to support the success of the Cyber Security Strategy is clarifying our security principle (APP 11) so that it compels entities to have both organisational and technical measures in place and sets out clear objectives. All I can say is ‘Yes Please — tell us what “reasonable steps” will help to make Australia the most secure nation by 2030!’

And that brings us to the proposed eradication of the small business exemption. We need our smallest players to do better to mitigate privacy risks in the supply chain and keep Australia robust. After all, we are only as strong as our weakest links. Gaps like overcollection, over retention, poor access controls, poor security patching, low awareness, and undetected human error (just a few which come to mind) require correction — and this is only likely to be achieved en masse through legal obligation.

Finally, additional resources for enforcement action have already flowed to the OAIC since the quantum of penalties was turbocharged last year — translating into more investigations and actions pursued. The OAIC has a seriously large number of investigations underway right now and Commissioner Falk was clear that when they come knocking, interviews reach right up to the echelons of the executive, and most certainly include the CISO.

So, if you’re a CISO and you’re wondering how privacy and security correlate — the answer goes well beyond data breach response. Your success depends in part on having a very strong privacy foundation with practices that offset and minimise breach risks. Instead of privacy and security operating as siloes, look for opportunities to integrate and collaborate. After all, the key to a good meal is simplicity and the right seasoning …

Contact us

If you’re interested in learning more about how to develop and implement a privacy program, contact us at hello@elevenM.com.au or on 1300 003 922.