Australian Information Industry Association

  

Privacy and Security Policy Position Statement


Update - 24 September 2018: AIIA has now released our Privacy and Security Policy Position Statement.



AIIA statement of the issue

The global economy is entering what has been termed the Fourth Industrial Revolution or fourth wave of industrialisation. At the heart of this new “revolution” are technologies such as the Internet of Things (IoT), advanced robotics, automated vehicles, artificial intelligence / machine learning, nanotechnology, cloud computing, blockchain and data analytics that are driving automated decision-making. In the context of this cyber-physical revolution, privacy and security issues will become increasingly important and more complex, and must be treated as the following:

  1. Socioeconomic concerns, and not just simply technical or compliance issues;
  2. Shared responsibilities with individuals, businesses and government each having a role to play; and
  3. Dynamic concepts that require agile management and governance.

Through the implementation of the Australian Government’s Cyber Security Strategy, Australia has risen from fourth to equal second ranking with Japan in the 2017 Cyber Maturity rankings in the Asia Pacific Region. However, Australia has fallen to seventh spot in the United Nations International Telecommunication Union's (ITU) list of countries most committed to cyber security for 2017. To ensure Australia’s global competitiveness, its cyber security strategy and privacy framework must support innovation and not impose unnecessary or costly burdens on business or individuals.

The key privacy and security challenges in Australia are:
  1. The current assessment and compliance landscape remains stuck in traditional models and approaches. Traditional threat assessments continue to target known and generally well understood cyber threats such as phishing and ransomware. Equally, conventional privacy impact assessments tend to focus on legislative compliance;
  2. Striking a balance between effective governance, protective frameworks and a legal and policy environment that fosters business innovation for Australia to remain globally competitive in the 4th industrial revolution;
  3. The assumption that responsibility for governance for both cyber security and privacy lies purely with the public sector;
  4. Educating individuals, industry and governments to support behaviours that protect their privacy and security online and share responsibility for privacy and security; and
  5. The absence of mature, cross-jurisdictional security information-sharing mechanisms with common standards and protocols.

AIIA recommendations

The AIIA recommends Government, industry and research institutes collaborate to develop and implement:

  1. Agile and responsive security and privacy policies to deal with new types of cyber security threats against the backdrop of new and emerging technologies.  Privacy and security laws, policies and practices need to keep pace with evolving technology, cyber practices and increasingly sophisticated cyber-attacks;
  2. A consultation framework that “crowd sources” the identification of issues, priorities and options, and that disrupts the idea that governance lies with the public sector;
  3. Effective cyber defences should be based on cross-disciplinary collaboration and cannot be limited to silo professions. Rather, cyber defence is a human behaviour and cultural issue that needs to be understood by all disciplines and sectors of the community;
  4. Legislation that strikes a balance between security and privacy on the one hand, and the cost implications for business of complying with new legislation and its effect on innovation on the other;
  5. Strategies and road maps with KPIs for educating all sectors of the community on the privacy and security implications of these new technologies;
  6. An information sharing framework that identifies: what information would be shared i.e. what would constitute an incident; who would share it (government, industry, individuals); how the information would be used; and whether reporting is mandatory, and if so, the regulatory cost of reporting and appropriately supportive incentives and penalties;
  7. Strategies for the development of local cyber security and privacy skills to ensure resilience against the backdrop of rapid technological changes and corresponding threats; and
  8. Frameworks, rules, principles, legislation and common standards for data collection and for promoting open data flow and data use for better government and business service delivery.

The AIIA will…
  1. Provide thought leadership and assistance in developing policy frameworks to mitigate new cyber security risks;
  2. Proactively contribute to the Working Groups that have been established by Government in support of the findings of the National Cyber Security Strategy;
  3. Work collaboratively with other associations, government and research institutes to contribute to the development of governance frameworks appropriate for emerging cyber-physical technologies and risk-based security and privacy policy and legislative frameworks that strike a balance between innovation and cost of compliance;
  4. Work with relevant organisations and Government to develop programs to support education and behaviours that protect the online privacy and security of individuals and of government and industry organisations; and
  5. Contribute to Government reviews of privacy and security laws, policies and standards to ensure that they keep pace with evolving technology and cyber practices while ensuring innovation in Australia.


References
  • The Australian Privacy Principles (APPs) outline how most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’) must collect, use and manage personal information.
  • The Australian Government’s Cyber Security Strategy sets out the Government’s philosophy and program for meeting the dual challenges of the digital age—advancing and protecting our interests online.
  • The Protective Security Policy Framework (PSPF) articulates the Government’s expectation for protective security as a business enabler that allows entities to work together securely in an environment of trust and confidence.
  • The Australian Signals Directorate (ASD) publishes the Australian Government Information Security Manual (ISM). The manual is the standard which governs the security of government ICT systems. It complements the Protective Security Policy Framework.
  • The Office of the National Data Commissioner will be responsible for implementing a simpler data sharing and release framework. The new framework will break down the barriers which prevent efficient use and reuse of public data, while maintaining the strong security and privacy protections that the community expects.