privacy and information sharing
play

Privacy and Information Sharing Presentation to South Australian - PowerPoint PPT Presentation

Oct 15, 2022 •369 likes •768 views

Privacy and Information Sharing Presentation to South Australian Network of Drug and Alcohol Services Stephanie Otorepec, A/g Director, Regulation & Strategy Branch OAIC The role of the OAIC The Office of the Australian Information

  1. Privacy and Information Sharing Presentation to South Australian Network of Drug and Alcohol Services Stephanie Otorepec, A/g Director, Regulation & Strategy Branch OAIC

  2. The role of the OAIC The Office of the Australian Information Commissioner is: • the regulator of the Privacy Act 1988, and • the independent regulator of the privacy aspects of the Healthcare Identifiers service and the My Health Record system OAIC

  3. OAIC’s regulatory and enforcement powers Regulatory powers Enforcement powers • • Accept an enforceable Conciliate or determine complaints undertaking (with compensation) • • Make a determination following a Receive / investigate data complaint or CII breaches • • Bring proceedings to enforce a Conduct assessments of entities determination • Investigate on own initiative • Apply to the court for an • injunction Create enforceable codes • • Apply to the court for a civil Require Privacy Impact penalty Assessments OAIC

  4. The Australian Privacy Principles 13 principles that outline how personal information should be collected, used, disclosed and secured OAIC

  5. The Australian Privacy Principles (APPs) 13 APPs in total • Principles apply to Government agencies and private sector organisations (referred to as ‘APP entities’) • Structured to reflect the information life cycle — planning, collection, use and disclosure, quality and security, access and correction • OAIC’s APP guidelines OAIC

  6. The Australian Privacy Principles (APPs) • APP 1 – privacy policies • APP 8 – cross-border disclosure • APP 2 – anonymity • APP 9 – gov’t related identifiers • APP 3 – collection of information • APP 10 – quality of information • APP 4 – dealing with information • APP 11 – security of information • APP 5 – notification • APP 12 – access to information • APP 6 – use or disclosure • APP 13 – correction of • APP 7 – direct marketing information OAIC

  7. As healthcare providers, you will be subject to Privacy Act All healthcare organisations are required to comply with Australian Privacy Principles due to the nature of the information they handle – which is categorised as ‘sensitive information’. Health information is any information about a person’s health or disability, and any other personal information collected while receiving a health service. Sensitive information is generally afforded a higher level of privacy protections under the APPs. OAIC

  8. Relevant APPs in the context of health • Collection (including consent) (APP 3) • Notification (APP 5) • Use and disclosure (APP 6) • Security obligations (including destruction) (APP 11) • Access and correction (APPs 12 and 13) OAIC

  9. Consent to collect health/sensitive information APP 3 – collection • Outlines when an APP entity can collect personal information – higher standards apply to collection of sensitive information • 2 main elements to meet when collecting sensitive information: 1. the information is reasonably necessary and directly related to the entity’s function, and 2. the individual (in which the information relates to) must consent to the collection. OAIC

  10. Consent to provide data to the PHN The four key elements of consent are: • the individual is adequately informed before giving consent • the individual gives consent voluntarily • the consent is current and specific, and • the individual has the capacity to understand and communicate their consent . ! IMPORTANT that your client understands they're not under obligation to provide information – consent must be freely given OAIC

  11. When is consent voluntary? Factors relevant to deciding whether consent is voluntary include: • the alternatives open to the individual, if they choose not to consent • the seriousness of any consequences if an individual refuses to consent • any adverse consequences for family members or associates of the individual if the individual refuses to consent. OAIC

  12. Notification APP 1 – privacy policies • states that organisations must have a clearly expressed and up to date privacy policy about the management of personal information) APP 5 – notification • APP entities to take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters OAIC

  13. Matters that you must notify about under APP 5 • The matters include : the APP entity’s identity and contact details; the fact and circumstances of collection; whether the collection is required or authorised by law; the purposes of collection; the consequences if personal information is not collected; the entity’s usual disclosures of personal information of the kind collected by the entity; information about the entity’s APP Privacy Policy; whether the entity is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located. OAIC

  14. Use and disclosure of information collected – APP 6 Sensitive information can generally only be used for the same purpose it was collected for, unless the person consents or an exception applies. Information can only be used for a secondary purpose, where it is directly related to the original purpose. OAIC

  15. Keeping information secure, and destruction obligations APP 11 • APP 11 provides that an APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure. APP 11 only applies to personal information that an APP entity holds. An entity holds personal information ‘if the entity has possession or control of a record that contains the personal information’. • There are also destruction obligations OAIC

  16. Access for your clients APP 12 • APP 12 requires an APP entity that holds personal information about an individual to give the individual access to that information on request, allowing a client to check and validate any data held about them OAIC

  17. Correction APP 13 • APP 13 requires an APP entity to take reasonable steps to correct personal information to ensure that, having regard to the purpose for which it is held, it is accurate, up-to-date, complete, relevant and not misleading OAIC

  18. What could happen if I breach the APPs? • Under the Privacy Act, it is considered an ‘interference with privacy’ • OAIC’s complaint -handling abilities OAIC

  19. The Notifiable Data Breaches scheme OAIC

  20. The Notifiable Data Breaches scheme • Commenced 22 February 2018. • Visit www.oaic.gov.au/ndb for the OAIC’s guidance on the scheme’s requirements. • Part IIIC of the Privacy Act 1988 — the scheme applies to businesses and government agencies with personal information security obligations. • These entities must notify individuals affected by an ‘eligible data breach ’, which is a breach that is likely to result in serious harm . The OAIC must also be notified. OAIC

  21. Identifying an eligible data breach • An eligible data breach occurs when three criteria are met: 1. There is a data breach – being unauthorised access to, or unauthorised disclosure of personal information, or a loss of personal information, that an entity holds 2. This is likely to result in serious harm to one or more individuals, and 3. The entity has not been able to prevent the likely risk of serious harm with remedial action. OAIC

  22. What is the harm threshold? • ‘Serious harm’ can be psychological, emotional, physical, reputational, or other forms of harm • Understanding whether serious harm is likely or not requires an evaluation of the context of the data breach. OAIC

  23. If you suspect a data breach which may meet the threshold of ‘likely to result in serious harm’, you must conduct an assessment • Generally, there is a maximum of 30 days to conduct this assessment. This begins from when you become aware of a potential breach. • It is not expected that every data breach will require an assessment that takes 30 days to complete before notification occurs. You must notify as soon as practicable when you believe an eligible data breach has occurred. • You can divide an assessment into three stages: (1) Initiate; (2) Investigate; (3) Evaluate. OAIC

  24. Notifying affected individuals – choose what is appropriate and practicable There are three options for notification: 1. Notify everyone 2. Notify only people who are at likely risk of serious harm. 3. Publish your notification, and publicise it with the aim of bringing it to the attention of all individuals at likely risk of serious harm. OAIC

  25. Notifying affected individuals Your notification must include: • The identity and contact details of you agency/organisation • A description of the eligible data breach • The kind or kinds of information involved in the eligible data breach • What steps your agency/organisation recommends that individuals take in response to the eligible data breach. OAIC

Recommend

Information Sharing: The Paradox Andrew Cormack Chief Regulatory Adviser, Janet Privacy needs

Information Sharing: The Paradox Andrew Cormack Chief Regulatory Adviser, Janet Privacy needs

Information Sharing: The Paradox Andrew Cormack Chief Regulatory Adviser, Janet Privacy needs help The information sharing paradox Sharing information protects privacy Prevents/mitigates privacy invasion by phishers, crackers,

362 views • 18 slides
Information Sharing and User Privacy in the Third-party Identity Management Landscape Anna

Information Sharing and User Privacy in the Third-party Identity Management Landscape Anna

Information Sharing and User Privacy in the Third-party Identity Management Landscape Anna Vapen, Niklas Carlsson, Anirban Mahanti, Nahid Shahmehri Linkping University, Sweden NICTA, Australia 2 Information Sharing and User

246 views • 24 slides
Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro

Privacy-preserving Information Sharing: Crypto Tools and Applications Emiliano De Cristofaro University College London (UCL) https://emilianodc.com Privacy-preserving what ? Parties with limited mutual trust willing or required to share

1.1k views • 66 slides
$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

$ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that

Presentation Slides $ Lesson Ten Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

318 views • 13 slides
Information access and privacy, data protection and sharing: A new approach for modern government

Information access and privacy, data protection and sharing: A new approach for modern government

1300 00 6842 | ovic.vic.gov.au Information access and privacy, data protection and sharing: A new approach for modern government Speaker: Sven Bluemmel, Information Commissioner Date: Tuesday, 27 February 2018 Introduction On behalf of Sally,

247 views • 5 slides
$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

$ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy

Presentation Slides $ Lesson Fourteen Consumer Privacy 04/09 privacy and information information privacy: privacy that involves the rights of individuals in relation to information about them that is circulating in society. why privacy is an

429 views • 13 slides
Privacy-Preserving Distributed Information Sharing Lea Kissner leak@cs.cmu.edu Advisor: Dawn

Privacy-Preserving Distributed Information Sharing Lea Kissner leak@cs.cmu.edu Advisor: Dawn

Privacy-Preserving Distributed Information Sharing Lea Kissner leak@cs.cmu.edu Advisor: Dawn Song dawnsong@cmu.edu Why Share? Many applications require mutually distrustful parties to share information Many examples in two major

783 views • 39 slides
Understanding Privacy Laws for Physical and Behavioral Health Information Sharing September 29,

Understanding Privacy Laws for Physical and Behavioral Health Information Sharing September 29,

Understanding Privacy Laws for Physical and Behavioral Health Information Sharing September 29, 2015 11:00am-12:30pm For audio, please listen through your speakers or call: (631) 992-3221 Access Code: 453-672-361 Housekeeping Join audio

918 views • 59 slides
Information Sharing Protecting and using information responsibly to deliver better outcomes and

Information Sharing Protecting and using information responsibly to deliver better outcomes and

Privacy and Responsible Information Sharing Protecting and using information responsibly to deliver better outcomes and services to the community September 2019 Welcome to Country The Department of the Premier and Cabinet acknowledges the

565 views • 19 slides
CS525: Who s Your Best Friend? Targeted Privacy Attacks In Location sharing Social Networks

CS525: Who s Your Best Friend? Targeted Privacy Attacks In Location sharing Social Networks

CS525: Who s Your Best Friend? Targeted Privacy Attacks In Location sharing Social Networks Wei Wang ECE Dept. Worcester Polytechnic Institute (WPI) Security and Privacy Problems in the mobile and cloud computing Security and Privacy

608 views • 19 slides
Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy

Engineering privacy by design Privacy by Design Let's have it! Information and Privacy Commissioner of Ontario https://www.ipc.on.ca/images/resources/7foundationalprinciples.pdf Privacy by Design Let's have it! Article 25 European

1.32k views • 118 slides
ITS BILLIONS WITH A Rental & Car Sharing Privacy & Cybersecurity

ITS BILLIONS WITH A Rental & Car Sharing Privacy & Cybersecurity

ITS BILLIONS WITH A Rental & Car Sharing Privacy & Cybersecurity Considerations B Dr. Paul Kersey is a surgeon who often sees the consequences of the city's violence in the emergency room. When home intruders

438 views • 19 slides
Conclusion Announcements Society Privacy Policies and Laws 4 Privacy Policies and Laws Mark

Conclusion Announcements Society Privacy Policies and Laws 4 Privacy Policies and Laws Mark

Conclusion Announcements Society Privacy Policies and Laws 4 Privacy Policies and Laws Mark Zuckerberg in San Francisco, January 8, 2010 "People have really gotten comfortable not only sharing more information and different kinds, but

352 views • 21 slides
AML & Fraud Information Sharing Sean OMalley Money Laundering and Information Sharing

AML & Fraud Information Sharing Sean OMalley Money Laundering and Information Sharing

AML & Fraud Information Sharing Sean OMalley Money Laundering and Information Sharing Magnitude of Money Laundering Suspicious Activity Report (SAR) filings Information Sharing Mechanisms Challenges and Possible Solutions

518 views • 13 slides
Existing Legislations on Data Privacy: A Change to Data Sharing? National Statistics Conference 2

Existing Legislations on Data Privacy: A Change to Data Sharing? National Statistics Conference 2

Existing Legislations on Data Privacy: A Change to Data Sharing? National Statistics Conference 2 0 1 2 Professor Abu Bakar Munir Faculty of Law , University of Malaya 7 Novem ber 2 0 1 2 1 Some of my books on ICT Law In Print Privacy and

721 views • 24 slides
CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies

CS305 Topic Privacy Concept Evolution Rights to Privacy Privacy and Technologies US Privacy Laws Sources: Baase: A Gift of Fire and Quinn: Ethics for the Information Age Ethics Spring 2010 Privacy 1 Privacy The original

725 views • 45 slides
Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals,

Introduction to Cybersecurity Database Privacy Review: Anonymity vs. Privacy Privacy - Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how, and to what extent information about them is

1.01k views • 76 slides
Government and Big Data: Privacy Risks and Solutions Ontarios Access and Privacy Laws The

Government and Big Data: Privacy Risks and Solutions Ontarios Access and Privacy Laws The

Brian Beamish Information and Privacy Commissioner of Ontario January 26, 2017 Government and Big Data: Privacy Risks and Solutions Ontarios Access and Privacy Laws The Freedom of Information and Protection of Privacy Act (FIPPA) o

356 views • 17 slides
UTSA Information Sharing and Coordination Initiatives collaboration and coordination to

UTSA Information Sharing and Coordination Initiatives collaboration and coordination to

Secure Information and Resource Sharing in Cloud Infrastructure as a Service Cyber Incident Response Models for Information and Resource Sharing Amy(Yun) Zhang, Ram Krishnan, Ravi Sandhu Institute for Cyber Security University of Texas at San

219 views • 17 slides
Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan

Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan

Guarding user Privacy with Federated Learning and Differential Privacy Brendan McMahan mcmahan@google.com DIMACS/Northeast Big Data Hub Workshop on Overcoming Barriers to Data Sharing including Privacy and Fairness 2017.10.24 Our Goal Imbue

956 views • 70 slides
Information Session Ag Agenda 1. SME information 2. Ministry Sharing Background Overview of

Information Session Ag Agenda 1. SME information 2. Ministry Sharing Background Overview of

Ministry Sharing Information Session Ag Agenda 1. SME information 2. Ministry Sharing Background Overview of Ministry Sharing Options Discussion Questions & Answers Mi Mini nistry Sha y Shari ring ng Why You Might Consider

324 views • 17 slides
Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot

Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot

IMPECS WWW Presentation- April 24, 2008 Privacy-Enhanced Sharing of Personal Content on the Web Mohammad Mannan and P . C. van Oorschot Carleton University, Canada M. Mannan April 24, 2008 1 IMPECS The need for sharing is real People

422 views • 19 slides
Building a Privacy Management Program February 26, 2013 Office of the Information and Privacy

Building a Privacy Management Program February 26, 2013 Office of the Information and Privacy

Building a Privacy Management Program February 26, 2013 Office of the Information and Privacy Commissioner of Alberta Session Overview Reasons for having a PMP Strategies to deal with current and future privacy challenges at your

469 views • 33 slides
THE EVOLVING ZONES OF PRIVACY: SAFEGUARDING THIRD PARTY INFORMATION AND MINIMIZING PRIVACY CLAIM

THE EVOLVING ZONES OF PRIVACY: SAFEGUARDING THIRD PARTY INFORMATION AND MINIMIZING PRIVACY CLAIM

THE EVOLVING ZONES OF PRIVACY: SAFEGUARDING THIRD PARTY INFORMATION AND MINIMIZING PRIVACY CLAIM EXPOSURE Presented By LAURA J. COE INTRODUCTION Why Privacy Law Issues Matter During 2017, over 1,500 data breaches resulted in:

586 views • 57 slides

More recommend