NSW Privacy Commissioner Sheds Light on Data Privacy Risk

Corinium’s Vanessa Jalleh had the opportunity to speak to the NSW Privacy Commissioner, Samantha Gavel, ahead of CDAO Sydney 2023

Living in an increasingly digital world has numerous benefits, as digital technology can be used to provide better and more intuitive services, gain insights to inform policy development and improve outcomes and improve efficiency and workflows.  However, these benefits also come with risks, particularly around our privacy, because digital technology can collect, use and share significant amounts of personal information.

Speaking ahead of CDAO Sydney, 2023, NSW Privacy Commissioner Samantha Gavel says privacy considerations have become more important than ever, given the increase in risk that citizens are exposed to in the modern, digital world.

“These risks include over-collection of personal information, retention of personal information when it is no longer needed, and data breaches which can lead to significant harm to individuals whose personal information is breached,” she says.

“It is therefore critical that personal information held in digital systems is kept safe and secure from loss, unauthorised access and misuse. Recent data breaches have alerted the public to the substantial risks that digital technology poses to their privacy.”

Gavel also emphasised that organisations must recognise the importance of privacy and ensure they implement good privacy practices to promote trust in their services.

Data Breaches

Speaking on recent, high-profile breaches, Gavel raises the point that the Optus and Medibank incidents have brought data security to the forefront, focusing the public’s attention on risks to personal information. These breaches also focussed attention on important privacy concepts, including minimising the collection of personal information and retaining it only as long as necessary, and ensuring it is kept secure in digital systems.

“In November last year in the wake of the Optus and Medibank data breaches, the Commonwealth Government introduced legislation to provide for greater penalties for a serious or repeated interference with privacy. The NSW Government introduced legislation last year to strengthen privacy protection in NSW through the introduction of a Mandatory Notification of Data Breach (MNDB) Scheme and extension of NSW privacy law to State-Owned Corporations not covered by the Commonwealth Privacy Act,” Gavel says.

“The NSW amendments will take effect on 28 November this year. Governments and privacy regulators are keen to strengthen privacy protection for the public and the recent legislative amendments by the NSW and Commonwealth Governments highlight the increasing importance that governments are placing on privacy protection.”

Privacy Changes

When asked how we should expect data privacy imperatives to change over the next two years, based on current dialogue and trends, Gavel says there will be a continued focus on developments in digital technology and the privacy risks associated with these trends.

“For example, in late 2022, we saw the release of ChatGPT and other generative AI technologies, which have significant implications for privacy due to the very large data sets required to power these forms of AI,” she says.  

“The Commonwealth Government recently released the Privacy Act Review report, containing 116 proposals to strengthen Australian privacy law. A consultation process on the report is currently underway and the Government is expected to finalise its response to the report once the consultation process has been completed.

“These developments are likely to inform further amendments to the Commonwealth Privacy Act, as well as consideration of amendments to privacy legislation in State and Territory jurisdictions in the future.”

Successful Strategies

A critical component of delivering a successful privacy strategy is to integrate it within a holistic data governance framework for the organisation, which includes processes to cover every stage of the data lifecycle, from initial collection of information through to secure disposal when personal information is no longer needed.

“An organisation also needs to ensure there is a privacy protective culture throughout the organisation, led from the top down, as well as appropriate privacy capability within the organisation and regular privacy training for staff. It is also important to use a privacy-by-design approach to initiatives and projects with significant privacy risk and particularly those involving the use of digital technology,” Gavel says.

“Privacy-by-design ensures that privacy is considered and privacy risk mitigations built in to every stage of a project, including development and implementation. An important component of privacy-by-design is to conduct a Privacy Impact Assessment, to map the information flows and identify risk, as well as risk mitigations.”

When it comes to plans for strengthening privacy practices over the next year, Gavel again highlights the legislative amendments that were made to NSW privacy legislation late last year.

“The Information and Privacy Commission (IPC) is currently preparing for the introduction of the MNDB Scheme, to ensure the agency is ready to regulate and report on the Scheme when it commences. The IPC is also working on guidelines and other resources for agencies to assist them to prepare for and comply with the Scheme, as well as information for the public about the Scheme,” she says.

In May this year, the IPC will be celebrating Privacy Awareness Week (PAW).

“This year’s theme is “Back to Basics – Privacy foundations in NSW” and will focus on reminding agencies and citizens of the fundamentals of privacy, and highlight basic steps we can all take to keep personal information secure,” Gavel says.

Samantha Gavel will be speaking at CDAO Sydney 2023 this May. Check out the agenda and register to attend by clicking here!