IIS Newsletter #11 2024 – IIS Celebrates 20th Anniversary; Privacy Reforms and Cyber Security Bill Passed; Presentations at IAPP and CyberCon

Welcome to Issue #11 of the IIS Partners Newsletter!

Celebrating our 20th year!

On 25 November this year, IIS celebrated its 20th anniversary serving Australian and global clients. Thank you for being part of our journey.

We have reached a milestone in the life of IIS, making the firm one of the leading and longest operating Asia Pacific privacy consultancies celebrating two decades of continuous service.

In this time, we have grown an exceptional team based in Australia, with offices in New South Wales and Victoria, as well as professionals located in Japan, Malaysia, and Hong Kong to provide global expertise. We pride ourselves on helping clients move beyond compliance to performance by pragmatically combining individuals’ expectations, trust, laws and regulations, and privacy best practice, while aligning with organisational and strategic goals.

Thank you for trusting in us!

Sirius Matters and IIS become strategic partners!

IIS Partners and Sirius Matters Pty Ltd, a cyber security and AI risk and audit services firm based in Melbourne, have joined forces as strategic partners. This will enhance both firms’ consulting, advisory, audit, audit co-source, privacy and cyber security services to organisations across Australia, New Zealand, and the United States.

News and Notables

Privacy Update: Australia passes privacy law reform on Privacy Act

On 29 November, the Privacy and Other Legislation Amendment Bill 2024 was passed by Parliament, introducing the first tranche of privacy law reform measures. Please read our Insights Post on key takeaways from the Bill here.

While the changes are relatively modest, the Privacy Act now provides a more flexible enforcement regime for the Office of the Australian Information Commissioner (OAIC). Therefore, it is more important than ever that organisations stick to the basics of understanding their personal information holdings, protecting them and ensuring good governance and compliance.

Please contact IIS to have a confidential chat on how we can support your organisation to become compliance ready.

Privacy Update: Australia passes privacy law reform on online safety

On 29 November, the Online Safety Amendment (Social Media Minimum Age) Bill 2024 was passed quickly after 24 hours of public submission. The Bill restricts the use of social media platforms by individuals under 16 years of age in an attempt to reduce risks of harm. The Bill places an onus on social media platforms to take ‘reasonable steps’ to prevent Australians under 16 years old from having social media accounts – the law doesn’t specify the means, although it provides that a government-issued identity document cannot be required as the only form of verification. The Bill is not intended to come into effect until late 2025.

Security Update: Australia passes Cyber Security Legislation in Parliament

On 25 November, the Cyber Security Bill 2024, which was introduced on 2 October, was passed in Parliament as the Cyber Security Act 2024, part of a package of reforms in critical infrastructure and national security to bring Australia in line with international best practice on new and emerging cyber security threats. This also includes amendments to the Services Act 2001 and the Security of Critical Infrastructure Act 2018 (SOCI Act).

IIS notes four key measures in our Insights Post, including compliance where businesses will need to adapt to stricter security standards for smart devices and embed their new reporting requirements into their incident response plans. These requirements are expected to commence within the next 6 to 12 months.

Read our Insights Post on the legislation here.

Please contact IIS to have a confidential chat on how we can support your business to become compliance ready.

ASD ACSC releases 2023-2024 Annual Cyber Threat Report

On 20 November, the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) released its 2023-2024 Annual Cyber Threat Report. The report outlines the cyber threat posed to Australian government, critical infrastructure, businesses, and households.

Some key findings include:

  • 36,700 calls were made to the Australian Cyber Security Hotline – an increase of 12% from the previous year, comprising 87,400 cyber-crime reports.
  • ASD notified entities more than 930 times of potential malicious activity on their networks.
  • The Australian Protective Domain Name System blocked customer access to 82 million malicious domains, up 21%.

Over 11% of cyber security incidents ASD responded to related to critical infrastructure.

Compromised accounts or credentials were identified as the leading cyber security incident type impacting critical infrastructure and government.

Reports of cybercrime to national authorities fell for the first time last year, ending a half decade of surging known incidents. ASD is urging Australians to remain vigilant, warning cybersecurity can’t be ‘set and forget’ as criminals and state actors deploy sophisticated new tools and techniques like artificial intelligence.

OAIC finds Bunnings Warehouse in breach of customers’ privacy

On 19 November, the OAIC determined that Bunnings Warehouse breached customers’ privacy by using facial recognition technology in its stores. This technology captured the biometric data of hundreds of thousands of customers without their knowledge or consent between 2018 and 2021. The OAIC found that Bunnings collected sensitive information without consent and failed to provide adequate notification of such.

Commissioner Carly Kind made the following statement: “[J]ust because a technology may be helpful or convenient does not mean its use is justifiable. In this instance, deploying facial recognition technology was the most intrusive option, disproportionately interfering with the privacy of everyone who entered its stores, not just high-risk individuals.”

OAIC publishes guidance on tracking pixels and privacy obligations

On 4 November, the OAIC published guidance for private sector organisations to ensure they meet their obligations under the Privacy Act when using third-party tracking pixels on their website. Publication of the guidance responds to industry demand for greater detail on the application of the Privacy Act to tracking technologies, as well as interest in the topic across government, media and the community. Failing to conduct appropriate due diligence can create a range of privacy compliance and other legal risks.

OAIC releases its annual digital health report

On 24 September, the OAIC released its annual digital health report. The annual report sets out the OAIC’s compliance and regulatory activity in accordance with the My Health Records Act 2012 (MHR Act) and the Healthcare Identifiers Act 2010 (HI).

Some key findings include:

  • The OAIC received 13 privacy complaints relating to the My Health Record system in 2023-24.
  • The OAIC received 39 data breach notifications relating to the My Health Record – an increase of 18% from the previous year.
  • The Commissioner made 4 determinations following investigations into healthcare provider organisations’ compliance with the MHR Act.

OVIC opens public consultation on outsourcing in the Victorian public sector

The Office of the Victorian Information Commissioner (OVIC) has opened public consultation on updating its guidance on outsourcing in the Victorian public sector. The resource discusses the privacy, information security, and legal considerations Victorian public sector organisations should take into account when outsourcing a program or a service.

The updated resource, in draft, is available to download here.

The consultation will close on Friday 13 December. For more information, click here.

IIS Community Contributions

Australian Bureau of Statistics 2026 Census of Population and Housing PIA (Phase 2)

On 3 December, ABS announced it has published IIS’s independent findings and its response on the second phase of the 2026 Census PIA. The ABS has agreed with all the recommendations in the second phase.

The ABS is taking a ‘privacy by design’ and ‘security by design’ approach to the 2026 Census. IIS was engaged by the ABS to conduct PIAs for the different phases of the Census to help ensure that the privacy considerations are taken into account, which are central to ABS decisions on the design of the Census and the use of Census data.

IIS is pleased to have worked with the ABS on the 2026 Census, and welcomes the publication of both the Phase 1 and Phase 2 PIAs on their website.

Webinar on managing and protecting unstructured data

On 19 November, IIS Partners and its subsidiary Trustworks360, non-profit organisation Surf Life Saving NSW, and software company Securiti.ai, delivered a webinar on managing and protecting an organisation's growing volume of unstructured data.

Through a real case study on Surf Life Saving NSW using the Sensitive Data Intelligence platform, the participants discussed how to:

  • Identify and classify sensitive data
  • Implement effective data governance policies
  • Mitigate security risks and ensure compliance.

Malcolm Crompton AM as keynote speaker on privacy law reform at the IAPP ANZ Summit 2024 in Melbourne

On 28 November, IIS Partner Malcolm Crompton AM joined a panel of privacy experts at this year’s IAPP ANZ Summit in Melbourne to discuss the recent changes to the Australian privacy law. The panel will explore the introduction of the initial amendments package to the Parliament of Australia, as well as the ongoing privacy law reform and the government’s intentions for further updates to the Privacy Act. More information on the panel and the IAPP ANZ Summit is available here. The Act was passed later that week!

Malcolm comments @IAPP

Jacky Zeng as co-presenter on privacy and AI at CyberCon in Melbourne with Professor Kimberlee Weatherall

On 28 November, IIS Consultant Jacky Zeng co-presented with Professor Kimberlee Weatherall, Professor of Law at the University of Sydney, at this year’s AISA MELBOURNE CyberCon. The presentation explored the nuanced intersection between privacy and AI, and touched on key areas of conflict from both theory and practice. It leveraged Professor Weatherall’s extensive experience as a leading expert in the field of AI regulation, policy, and academia as well as Jacky’s practical experience delivering privacy and AI work to IIS clients.


Jacky presented @ AISA Cybercon 2024

Joseph Dalessandro speaks at CyberCon on Autonomous Intelligence Systems (AIS)

On 28 November, Joseph Dalessandro, IIS Principal Consultant and Founder (Chief Information Security Officer) at Sirius Matters, presented on the criteria to assess the security and ethical dimensions in the development and deployment of Autonomous Intelligent Systems (AIS). These emerging technologies have unprecedented risks and potential human harms.

Joe spoke about the assessments of AI and how the IEEE CertifAIEd mark could be mechanisms with which organisations demonstrate a commitment and capability for the continuous assessment of transparency, accountability, algorithmic bias, and privacy to build public trust in their AIS.

Upcoming Events and Appearances

Sarah Bakar to speak at Indonesia’s 2nd Annual Data Protection Summit hosted by the APPDI

IIS Consultant Sarah Bakar will be speaking at the 2nd Indonesia Annual Data Protection Summit in Jakarta on 18 December 2024. The presentation will be on the essentials of Data Protection Impact Assessments (DPIAs, also known as PIAs). The session will cover what DPIAs are, why they are critical, and how organisations can effectively conduct them.

Judy Brandt Design
