A Privacy Authority Perspective

Similar documents
A Homeopath Registered Homeopath

HEALTH INFORMATION INFRASTRUCTURE PROJECT: PROGRESS REPORT

APF!submission!!draft!Mandatory!data!breach!notification! in!the!ehealth!record!system!guide.!

Government data matching and the Privacy Act 1988 (Cth)

Data Protection System of Georgia. Nina Sarishvili Head of International Relations Department

Cyber Risks in the Boardroom Conference

HEALTH INFORMATION INFRASTRUCTURE PROJECT: PROGRESS REPORT

Six Weeks to Security Operations The AMP Story. Mike Byrne Cyber Security AMP

Data Protection Authorities and new information technology

Plan a Pragmatic Approach to the new EU Data Privacy Regulation

Upcoming PIPEDA Changes What is changing and what to do about it

ENFORCEMENT POWERS. The EU Perspective. Olivier Proust. Associate Hunton & Williams LLP

How to work your cloud around the UK ICO s Data Protection Act

GDPR: A QUICK OVERVIEW

Special Action Plan on Countermeasures to Cyber-terrorism of Critical Infrastructure (Provisional Translation)

Cyber Security in Europe and CEER s new PEER initiative

PRIVACY POLICY Last Updated May, 2018

Cyber Security Beyond 2020

Stopsley Community Primary School. Data Breach Policy

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

GDPR: An Opportunity to Transform Your Security Operations

It applies to personal information for individuals that are external to us such as donors, clients and suppliers (you, your).

NATIONAL STRATEGY:- MALAYSIAN EXPERIENCE

Controlled Document Page 1 of 6. Effective Date: 6/19/13. Approved by: CAB/F. Approved on: 6/19/13. Version Supersedes:

FIRESOFT CONSULTING Privacy Policy

Exploring the European Commission s Network and Information Security Directive (NIS) What every CISO should know

The NIS Directive and Cybersecurity in

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Computer Security Incident Response Plan. Date of Approval: 23-FEB-2014

LCU Privacy Breach Response Plan

ENISA s Position on the NIS Directive

COMMISSION IMPLEMENTING DECISION (EU)

General Data Protection Regulation Frequently Asked Questions (FAQ) General Questions

General Data Protection Regulation (GDPR) The impact of doing business in Asia

Cybersecurity Considerations for GDPR

Data Protection. Code of Conduct for Cloud Infrastructure Service Providers

Privacy. November 2017

Directive on security of network and information systems (NIS): State of Play

ISO / IEC 27001:2005. A brief introduction. Dimitris Petropoulos Managing Director ENCODE Middle East September 2006

Generic Statistical Business Process Model

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

DS MEDIA & EVENTS LTD PRIVACY POLICY

Information Technology Branch Organization of Cyber Security Technical Standard

Privacy Policy May 2018

Privacy Breach Response and Reporting

DATA PROTECTION LAWS OF THE WORLD. Bahrain

New Zealand Telecommunications Forum. Code for Vulnerable End Users of Telecommunication Services. ( Vulnerable End User Code )

Blue Alligator Company Privacy Notice (Last updated 21 May 2018)

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

Data Breach Notification: what EU law means for your information security strategy

2018 Summary Report into the cyber security preparedness of the National and WA Wholesale Electricity Markets. AEMO report to market participants

Robert Bond. Respecting Privacy, Securing Data and Enabling Trust a view from Europe

Breach Notification Form

COUNCIL OF THE EUROPEAN UNION. Brussels, 24 May /13. Interinstitutional File: 2013/0027 (COD)

An Overview of ISO/IEC family of Information Security Management System Standards

Architecture and Standards Development Lifecycle

THE NEW GENERAL DATA PROTECTION REGULATION IMPLICATIONS FOR ENTERPRISES. Forum financier du Brabant wallon

GDPR Controls and Netwrix Auditor Mapping

TECHLAW AUSTRALIA. Update on cyber security and data protection. Thursday, 22 June Thursday, 22 June

The GDPR and NIS Directive: Risk-based security measures and incident notification requirements

Managing Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Network and Information Security Directive

General Data. Protection Regulations MAY Martin Chapman Head of Ops & Sales Microminder. Presentation Micro Minder Ltd 2017

Legal and Regulatory Developments for Privacy and Security

Cyber Security Law --- Are you ready?

Building a Privacy Management Program

DISCLOSURE STATEMENT PREPARED BY

Implementing the new GDPR: what does it mean for Universities?

Managing Jurisdictional Risks for Public Cloud Services

Update on the Key Initiatives Recommended by NTT Data regarding the Agency Cyber Security Framework

Hundred and seventy-fifth session REPORT BY THE DIRECTOR-GENERAL ON THE IMPLICATIONS OF THE PROCLAMATION OF A WORLD DAY FOR AUDIOVISUAL HERITAGE

Directive on Security of Network and Information Systems

Data Protection Policy

The Role of the Data Protection Officer

STATEMENT OF STRATEGY

BPS Suite and the OCEG Capability Model. Mapping the OCEG Capability Model to the BPS Suite s product capability.

Contributed by Djingov, Gouginski, Kyutchukov & Velichkov

ISACA National Cyber Security Conference 8 December 2017, National Bank of Romania

Adtech and GDPR What to consider when choosing your partner

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Cybersecurity and the Board of Directors

EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS

Accelerate GDPR compliance with the Microsoft Cloud

Data Security Standards

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

DIPLOMA COURSE IN INTERNAL AUDIT

SCCE ECEI 2014 EU DATA PRIVACY COMPLIANCE FOR US DRIVEN PROJECTS. Monica Salgado JANINE REGAN CIPP/E

Polemic is a business involved in the collection of personal data in the course of its business activities and on behalf of its clients.

This Policy has been prepared with due regard to the General Data Protection Regulation (EU Regulation 2016/679) ( GDPR ).

FIRE REDUCTION STRATEGY. Fire & Emergency Services Authority GOVERNMENT OF SAMOA April 2017

The prospects of data breach laws in 18 European countries

Review of the Canadian Anti-Spam Legislation

Site Builder Privacy and Data Protection Policy

KIN GROUP PTY LTD PRIVACY POLICY

POWER AND WATER CORPORATION POLICY MANAGEMENT OF EXTERNAL SERVICE PROVIDERS

DEPARTMENT OF JUSTICE AND EQUALITY. Data Protection Policy

BISHOP GROSSETESTE UNIVERSITY. Document Administration. This policy applies to staff, students, and relevant data subjects

Commission Action Plan on Environmental Compliance and Governance

Privacy Policy Wealth Elements Pty Ltd

Transcription:

OECD EXPERT WORKSHOP ON IMPROVING THE MEASUREMENT OF DIGITAL SECURITY INCIDENTS AND RISK MANAGEMENT TAKING STOCK OF PROGRESS AND PRIORITIES FOR INTERNATIONAL ACTIONS Zurich, 12-13 May, 2017 Panel II: Challenges and Opportunities of incident disclosure obligations A Privacy Authority Perspective Blair Stewart, Assistant Privacy Commissioner, New Zealand Also presenting as convenor of: ICDPPC Data Protection Metrics Working Group APPA Forum Comparative Privacy Statistics Working Group

Back to basics: Roles of a Data Protection Authority Data protectors as 1 Ombudsmen 2 Auditors 3 Consultants 4 Educators 5 Negotiators 6 Policy advisers 7 Enforcers Source: C Bennett & C Raab, The Governance of Privacy: Policy Instruments in a Global Perspective, 2003 DPAs are statutory bodies so need to link activities (like gathering or publishing statistics) to their official functions. DPAs intrinsic multi-faceted regulator nature should lend itself to applying the insights gained from statistics generated in one capacity to other roles. DPAs should be a prime producer and consumer of good statistical information on security incidents and risks affecting personal data.

Recent breach notification data from DPA community: ICDPPC Census (1/3) ICDPPC Census 1st survey of 115 DPAs currently under way, results should be available in June 5 questions (+ supplementary clarification) on breach notification Results in from 71 DPAs so far, not analysed

Some interim results from ICDPPC Census (2/3) Two thirds of respondents authorities (47/71) have mandatory breach notification laws in their jurisdiction 76% of those mandatory breach notification laws require notification to both the data subject and the DPA (19.5% only to the DPA with the remaining 4.5% only to the individual concerned) The majority of respondent DPAs (56%) had a role in enforcing data breach regulations

Selected interim breach notification results from ICDPPC Census: cross-border notification (3/3) Do [your mandatory breach notification] requirements provide any explicit direction on notification to individuals living in other jurisdictions? SEM to OECD Privacy Guidelines 2013 suggest that when designing breach notification requirements, special consideration be given to the interests of affected individuals who may live outside the jurisdiction

Recent breach notification data from DPA community: WG survey (1/6) In March/April 2017 a survey undertaken with cooperation of: ICDPPC Data Protection Metrics Working Group APPA Comparative Privacy Statistics Working Group To explore how statistics relating to breaches notified to DPAs are kept, used and disseminated Full results available at: https://icdppc.org/wpcontent/uploads/2017/04/breach-notification-statisticssurvey-report-18-april-2017.pdf

Selected findings of survey of DPA breach notification statistical practices (2/6) Results principally based on reported practices of 8 DPAs: Separate systems not generally created for breach notification statistics often grafted onto existing complaints and investigations case management systems Several DPAs solicit notifications with online templates which are well suited to standardising statistics The statistics kept generally fall into 3 categories: 1. The report and breach (numbers, type of breach, dates, size, etc.). 2. The reporter (e.g. industry or sector). 3. Processing (actions taken, entry into statutory channels such as formal complaint, outcomes, whether guidelines have been followed, etc.).

Selected findings of survey of DPA breach notification statistical practices (3/6) Statistical reporting evolving e.g. with experience or on transition from voluntary to mandatory reporting Suggested uses of the statistics: 1. Aid understanding of data protection problems ( to analyse trends, threat pattern identification ). 2. Use in public messaging ( public education and advocacy ). 3. To guide privacy authority action ( use in enforcing data protection principles, help to implement corrective measures, develop policy positions, inform audits ). 4. To help assess effectiveness of law or privacy authority s actions ( to evaluate the office s success in sensitising data controllers and the public, to provide a review of the effectiveness of privacy laws ).

Selected findings of survey of DPA breach notification statistical practices (4/6) Privacy authorities periodically provide statistical reports to relevant governance bodies (e.g. responsible government Minister, legislature). Some post dashboard type reports to their website.

Selected findings of survey of DPA breach notification statistical practices (5/6) DPA Purposes suggested for statistical repositories: Archival responsibilities To directly support breach management To provide a broader or longer term view Classification of breach type: High level generic classifications Concrete down to earth classifications drawn from the examples Classification based upon privacy principles

Selected findings of survey of DPA breach notification statistical practices (6/6) Areas identified for supplementary research: How closely tied to complaints functions is a role of receiving breach notifications? What non-statistical information is kept and released about breach notification? Are there concrete examples of the use of the statistics generated? Which other regulatory/oversight bodies are involved with breach notification and what are their statistical practices? Is the data shared with researchers or other regulators and, if so, what has been revealed?

Challenges/opportunities from a DPA POV in achieving internationally comparable metrics in breach notification Opportunities Majority of DPA jurisdictions now have breach notification laws and DPA has role in receiving notices and enforcing requirements Many are in implementation mode 2017/18 will see many new laws commence DPAs as both source and user of comparative statistics and can apply insights across a range of enforcement, policy advice & public education roles ICDPPC could assist in promulgating approaches recommended by OECD

Challenges/opportunities from a DPA POV in achieving internationally comparable metrics in breach notification Two challenges Variances in laws Interconnections with statutory functions, esp. complaints handling

Blair Stewart Assistant Commissioner (Auckland) Office of the Privacy Commissioner, New Zealand Blair.Stewart@privacy.org.nz ICDPPC Secretariat ExCoSecretariat@icdppc.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback