New Australian Privacy Laws Require Stronger Data Security Strategies
The Australian government is set to introduce new privacy legislation in August based on recommendations from the recent Privacy Act Review.
For CISOs, these changes will require significant new strategies to strengthen data protection and to build trust through transparent automated decision-making practices.
Adopting Stronger Data Security and Destruction Obligations
Under the new laws, CISOs will need to fortify their organisation's data security posture. One approach is implementing a data governance framework that prioritises information based on sensitivity levels and outlines appropriate mitigation controls.
Key security measures to consider include:
- Enforcing strong access controls such as multi-factor authentication and least-privilege access, and regularly reviewing and removing unnecessary data access
- Reinforcing vulnerability management by conducting regular penetration testing and vulnerability assessments, and promptly patching identified vulnerabilities
- Investing in the implementation of data encryption for sensitive information, both at rest and in transit
- Prioritising employee awareness by providing ongoing training on cybersecurity best practices like identifying phishing scams and using strong passwords
In addition to prevention, CISOs must ensure proper data destruction when personal information is no longer required. This involves developing a clear data destruction policy covering what data will be destroyed, approved destruction methods (e.g. disk wiping, shredding), and schedules for secure disposal. Automating destruction processes and maintaining audit logs can streamline compliance.
Increasing Transparency on Automated Decision-Making (ADM)
To improve transparency and fairness around automated decision-making systems, the new laws will require organisations to:
- Clearly explain the types of decisions made using ADM, what data is used, the reasoning behind algorithms, and potential biases or risks along with mitigation strategies
- Give individuals the right to opt-out of solely automated decisions that significantly impact them, as well as a way to request human review and explanation of decisions
- Detail data security measures, data quality assurance processes, and regular auditing/monitoring to ensure fair, accurate and reliable ADM outcomes
- Conduct privacy impact assessments to proactively identify and mitigate risks around ADM systems
- Use plain language in ADM policies and provide accessible channels for user inquiries to build trust and allow people to raise concerns
By adopting a robust data security posture and promoting transparency around automated decision-making, CISOs can position their organisations for compliance while fostering trust with customers, employees and regulators. The new Australian privacy laws aim to give people more control over their personal data in our increasingly digital world.
Join CISO Melbourne 2024, taking place at Crown Promenade on 16 & 17 July, and explore data security and many other topics. Check out the agenda and register to attend.