The Privacy Amendment (Notifiable Data Breaches) Act 2017 will come into force on the 24th of February 2018. It means that an Australian Privacy Principle (APP) entity with reasonable grounds to believe an “eligible data breach” has occurred must report it to both the Office of the Information Commissioner and the affected individuals, and must conduct an investigation within 30 days. Many organisations will fail to meet this requirement effectively because their response will rely wholly on meta-data. Effective responses will be made possible by systems that automate the collection of both data and meta-data about content collaboration events involving external parties.
In the lead-up to reporting an event, the difference between a notifiable event and the continuation of business as usual is likely to come down to being able to answer a few specific questions:
- What information did we lose control of?
- To whom was it exposed?
- What is the level of certainty?
In an organisation with automated external governance capture, the answer can look like “we provided x content to y; here are the audit trails and here is the content in its original form”. This answer will likely remain stable over time.
Organisations with less mature governance frameworks will rely on machine meta-data and interview data. A response from such an organisation will have a high degree of ambiguity: “we can see that x accessed y cloud service and uploaded some content that might contain z data”. Three months later, a response even at this level of certainty may be impossible, as meta-data logs are routinely overwritten.
Organisations that effectively move towards maturity do it by enabling content-based processes, with tools that make process work more efficient, and capture data and meta-data as a by-product of usage. In the vast majority of cases that I have worked on, control was lost due to the lack of an approved tool rather than by accidental means or malicious attempts to circumvent controls. Once an approved tool is implemented, steps can be taken to reduce access to other tools over time – this will include putting barriers in front of physical media, internet sharing services and email.
Ultimately, a good response under mandatory breach disclosure is going to come down to having both the data and the meta-data. If you’re struggling with how this will play out in your organisation and you’d like to understand one approach, please reach out to me, particularly if you’re already an HPE Content Manager, SharePoint or Objective ECM customer.
If you’re looking for a good primer on notifiable data breaches, I found the link below from Clayton Utz extremely useful. You can also find lots of good information on the website for the Office of the Information Commissioner.