Last week, OpenText had the opportunity to comment on and review the proposed changes to the Australian Privacy Act. As a result, I've invited two of our Data Security and Privacy subject matter experts at OpenText to share their thoughts on our new updated Privacy Principles. I am joined by Anna Russell, WW VP of Sales and GTM and Greg Clark, Director of Product Management from our Voltage Data Privacy and Protection business at OpenText Cybersecurity.
First off, Anna and Greg, thank you for joining us today. What were your initial thoughts when you reviewed the Attorney-General's Department's updates?
Greg: Wow, it sure was comprehensive and extensive. It was a privilege to get the opportunity to comment on such an important piece of policy – we don't get that chance very often. The main area that I thought was key was how the Attorney-General's Department embraces principles that align with Privacy by Design.
So much work has gone on globally in establishing core principles, which will help Australia and Australians have more confidence in how personal data is collected, used, and protected.
Anna: Building on that further, a core principle we see globally is how data minimization and protection techniques can build and establish trust. Data privacy is a human right – these practices help support the ethical handling of Australians' personal data – but if done correctly, they can also enable governments and businesses to deliver innovative, digital, and data-enabled services.
What were the most prominent highlights or areas you think our readers will find most interesting?
Greg: As I mentioned, much of what the Paper describes aligns well with Privacy by Design. It puts privacy first in the design and implementation of privacy practices from day one. Then, combine that with data discovery and protection techniques - the result is organizations can improve their privacy posture around new information they consume and the legacy data in the applications and unstructured repositories running – and, most importantly, protect personal data from unauthorized use.
Anna: If you look at global privacy regulations, new standards are emerging to implement principles. ISO 27701 Privacy Information Management System (PIMS) framework and ISO 31700, which is specific to Privacy by Design, provide guidelines for governments and businesses to align with and help Australia with cross-jurisdiction information-sharing practices that are in line with other privacy regulations.
Greg: Back to data minimization for a moment. It is a crucial element that shows many benefits. First, data minimization can ensure that you're collecting, processing, storing, and protecting what matters most – the core privacy outcome. Beyond that, you can look at data minimization to contain costs and consolidate infrastructure, network, and compute resources.
Anna: There's the environmental, social, governance (ESG) story. By minimizing the data, applications, and infrastructure associated with managing your information – you are reducing your power consumption and energy use, including utility costs for cooling, ventilation, etc., and reducing carbon emissions. These are the ESG benefits and the social benefits of data minimization and de-carbonization.
Anna, what did you think of the de-identification and anonymization proposals?
Anna: Protecting the personal data of individuals is critical. Protection doesn't have to conflict with the commercial activities of Australian businesses or delivering innovative services to Australians through government agencies. Protection can be a business driver, something that helps the business innovate and grow while promoting the fair use and ethical handling of personal data.
For example, using format-preserving encryption (FPE) to pseudonymize personal data removes the ability to identify individuals directly from data. It allows for secure data sharing and analytics. Longer term, privacy-preserving technologies, including differential privacy, can help eliminate the ability to re-identify someone by adding noise to the algorithm that preserves an individual's privacy before the data is processed. As a result, differential privacy can significantly minimize the risk of revealing sensitive information about an individual.
Greg, based on your background in information governance, what are your thoughts on erasure requests as a part of the Paper?
Greg: Consent and the right to request data to be deleted are part of those fundamentals Anna talked about, with privacy being a human right. If I am a government agency or business, however, these areas of privacy regulations mean that I need to be very aware of what data I am collecting, processing, or storing and have a defined policy and business purpose for its use by the business. In addition, discovering, classifying, and establishing retention policies for your data is essential to ensuring good data handling practices, data ethics and responding to erasure and other consumer requests.
Were there any other data security or governance aspects you each thought were worth mentioning that the audience may find interesting in the Paper?
Greg: As a follow-up to my last point, there's a proposed change to Privacy Principle 11 for organizations to establish their maximum and minimum retention periods for personal data they store. Data lifecycle management can help manage information over time by classifying data by type, sensitivity, and purpose and updating or preserving information to meet legal obligations. Privacy helps expand the scope of records management into a place where business information is being managed by policy.
Anna: Effective data lifecycle management includes data classification, retention, and disposition policies. It helps establish data trust between the consumer, governments, and businesses, and ensures legal and regulatory compliance and that appropriate data protection measures are applied throughout the data lifecycle. With differential privacy, data minimization and data protection techniques and data lifecycle management can also help address future data sprawl with more aggressive retention policies for protected data sets and analytics workloads.
We're incredibly grateful for the opportunity to contribute to the future of the Australian Privacy Principles (APP), and we look forward to it coming online.
Those are some fascinating aspects to consider for our customers and partners in Australia. Thanks, Anna. Thanks, Greg. I hope you enjoyed this interview; please check out the links below and interact with us on social media.
Navigate the New Data Privacy Landscape with Voltage by OpenText
The privacy landscape is constantly evolving. At OpenText, we help customers stay ahead by delivering privacy-enhancing technology that supports improved privacy posture while supporting information management practices that drive innovation and uncover competitive advantage.
For more information on Voltage by OpenText, visit our Data Privacy Hub or our Voltage portfolio page. You can join our Voltage Data Privacy and Protection Community and keep up with the latest Tips & Info about Data Privacy and Protection. Feel free to contact us for more information, and we'd love to connect with you regarding your Privacy Compliance initiatives.