NZ privacy workshop
The Office of the Privacy Commissioner here in New Zealand ran a half-day privacy workshop in Wellington yesterday, ably compered by Malcolm Crompton, former Australian Privacy Commissioner and co-author of the official independent report into ACC's privacy breach. We heard from several government departments and Telecom about their recent high-profile privacy breaches, a couple of lawyers specialising in privacy and employment laws and a PR consultant, plus the Privacy Commissioner and the government's Chief Information Officer.
Most of the breaches discussed were caused by simple human error, although we did hear about a couple of malicious incidents too.
A few themes came up repeatedly, including:
- Compliance, specifically compliance with the Privacy Act;
- The importance of having a strong corporate culture and policy towards privacy - most organizations claimed to have both, implying that they lack the associated awareness/training and/or oversight and compliance activities although enforcement seems well in hand;
- The need for a slick incident response process that could deal effectively with the inevitable media scrum when such incidents are disclosed (more on this below);
- The value of clarifying ownership of personal information i.e. not simply nominating a "Privacy Officer" but one or more Information Asset Owners who are personally accountable for protecting the information, and can therefore be held to account if the protection fails (otherwise the buck stops with the CEO or Minister!);
- Governance, described in terms of management putting in place the mechanisms needed to stay informed about the state of privacy risks and controls, coupled with the mechanisms necessary for them to act on the information, making improvements where necessary;
- Social media rapidly spreads information and rumour about breaches, supplementing if not supplanting the news media;
- Portable IT, BYOD and homeworking - there are many temptations for employees to move personal data from the relative security of the corporate IT infrastructure to the relative insecurity of their own devices;
- The need to support rather than punish employees who unwittingly cause privacy breaches. The embarrassment and anguish these incidents create is considered more effective as both punishment and deterrent than disciplinary action.
The PR guy, Mike Munro, briefly outlined what makes a breach or incident newsworthy (e.g. the combination of an obvious victim, a security lapse, a witch-hunt to find the guilty party who in turn becomes another victim if prosecuted/disciplined, and a sense of outrage). Interestingly, he implied that the journalists feed off the public outrage, whereas it appears to me to be mostly the other way around, i.e. outrage is created or at least pumped up by the reporting, or 'it takes two to tango'. He also described how the organization can manage a breaking story, emphasizing the speed of response, clarity and openness: e.g. nominating a single spokesman or point of contact for the media, someone who understands the organization's objectives and purpose in discussing the news and who 'feeds the sharks' with newsbytes through press releases, press conferences and interviews, all the while being careful of the tone of what is said as much as the literal content. If the organization comes across as transparent, sincere and contrite, this should defuse the most intrusive and negative reporting that tends to occur if the journalists smell a rat or are not getting the basic information they need (he mentioned that if the official source of information doesn't come up with the goods, the media will find their own sources and write their own copy, which takes control away from the organization). The news feed needs to continue until the story fades out.
Drawing on that advice, I will write a generic "media plan" to incorporate in our awareness module on incident management. Thanks for the inspiration, Mike!
Largely absent from the day's proceedings were:
- Strategy - the higher-level corporate objectives that provide the strategic framework, direction and mandate for the privacy policies, accountability and various other lower-level controls (e.g. explicitly linking the organization's approach towards customer and employee privacy with its business objectives and values);
- Metrics - the idea that organizations should not just be operating and auditing their privacy controls but should be routinely measuring and reporting the associated risks to management, such that they are motivated and in fact able to adjust the approach as necessary (this is, of course, an integral part of governance, so I find it strange that metrics weren't raised as such);
- How to make security awareness effective, including management-level awareness/training such that managers appreciate their role in guiding/driving and funding the investments necessary to implement and maintain all those controls properly, and IT awareness/training enabling the IT pros to appreciate and fulfill their roles in designing, implementing, testing, operating and maintaining all manner of technical privacy controls, encryption and data access controls being classic examples albeit barely mentioned;
- Technical security measures - other than brief mentions of DLP/Data Leakage Prevention, using tools to search audit logs, and an intriguing comment about a 'break glass' function for a medic to bypass access controls if there was a legitimate need to access confidential patient data. As far as I recall, nobody mentioned the value of MDM or honeytokens as privacy controls, for example. Most speakers apologised for not being technologists, implying that privacy and/or information security is still considered an IT issue in NZ, despite several speakers stating that it is primarily a business or organizational issue (strange, then, how many privacy and information security people and functions languish within the IT department under the CIO or CTO!);
- Standards - such as ISO27k and other privacy and information security standards. I get the impression that NZ is either busily inventing its own privacy approaches or occasionally adopting those brought in by immigrants, while seemingly ignoring the wealth of published standards and so forth laying out good privacy practices that the rest of the world finds useful ('not invented here syndrome' I guess);
- Broad privacy concepts - such as the meaning of 'private and personal' and a person's right to maintain control over the accuracy and use of their personal information, not just its disclosure (one speaker mentioned that privacy is about control but there wasn't time to elaborate on that - most speakers were clearly rushed);
- Privacy principles - such as informed consent and stated purposes - I didn't notice a single mention of those important controls that precede the gathering of personal information;
- Information security in the broad - for example nobody explicitly mentioned the integrity and availability aspects that are often just as applicable to personal data as is confidentiality.
There was a Twitter feed for the event, although it was somewhat dominated by the compere's rolling summary and was not an effective mechanism for audience participation, contribution or feedback. Despite the excellent turnout (250 people!) and obvious interest in sharing information about privacy, I am not aware of any plans to keep the initiative going. I have suggested on the Twitter feed that an email forum for attendees and other interested parties would be a good way for us to carry on discussing privacy for a while at least. I can easily set one up but I doubt the organizers would disclose to me attendees' email addresses on privacy grounds! Unless we can persuade them to email attendees with an invitation to the forum, it is unlikely to work.