New AICD Director Tool: Data and Privacy Governance

The AICD has joined forces with the Australian Information Security Association (AISA) to publish our latest director tool Data and Privacy Governance. The tool is designed to help directors shape their responsibilities in promoting a good privacy culture.

Technology has supercharged the collection of data. Directors and boards are responsible for directing their organisations to leverage data-driven opportunities, while ensuring appropriate governance of their data and their stakeholders’ privacy.

To this end, the new tool highlights current privacy compliance obligations impacting boards in Australia, and outlineS a performance framework for how an organisation might use and manage data as a key asset. The tool includes boardroom questions to assist directors understand and discharge their responsibilities in this critical and growing area of governance.

Data governance refers to the processes, systems and frameworks for using and managing data to:

• improve an organisation’s internal functioning; and
• help an organisation pursue valued goals and objectives.

How does a board fulfil its role in data and privacy governance?

The time and focus a board dedicates to data and privacy governance will depend on such things as the organisation’s size, the quantity and quality of its data holdings, industry and strategic direction. The basic steps, however, are the same.

1. Foster a culture that values data and privacy

Have the values and risk appetite underpinning data handling been established and communicated throughout the organisation? Is the organisation appropriately equipped and resourced to embed the right culture into its people, systems and processes? What channels does the board use to ensure it knows how data handling is occurring ‘on the ground’?

2. Future-proof the board

How do new data-driven business models and value chains enhance, or threaten, what the organisation is doing? What new technologies can be deployed to enable the organisation to do more with, and to protect, its data assets? What new laws must the organisation adhere to, and what frameworks, standards and guidelines should the organisation take heed of? Amid all the change, what are the attitudes and mindsets of individuals, stakeholders, regulators and lawmakers?

3. Appoint key personnel and hold them accountable

Does the organisation have key data and privacy roles and responsibilities at the operational and leadership levels? How should resources and staff be allocated in terms of compliance (protecting data) and performance (leveraging data) functions? What are the reporting requirements and key performance indicators?

4. Enhance privacy and security resilience

How ready is the board and executive to deal with a data-related crisis? How can the board improve its resilience capabilities, such as change readiness and incident management? Are privacy and security risks accounted for throughout the organisation and in project development? How are third-party relationships managed, secured and assured?

5. Focus on your stakeholders

Does the board consider a wide range of stakeholder perspectives when making decisions about data? Is stakeholder-care a key value? Does this align with actual practice and is it communicated externally? What should the organisation do, or stop doing, to enhance stakeholder trust?

Law reforms

The Productivity Commission’s Data Availability and Use Inquiry investigated ways to improve the availability and use of public and private sector data.

In response to the final report published in May 2017, the Australian Government has committed to two major legislative reforms with implications for data governance. Firstly, the Government is drafting a new Data Sharing and Release Act (DS&R Act) that will allow government agencies to share public sector data with trusted users in a controlled way, for non-commercial purposes.

Directors of organisations in the not-for profit and research sectors should ensure that their internal data governance measures align with the requirements for becoming a trusted user. More generally, directors should consider how their organisation is positioned to take advantage of the greater availability of open public sector data.

Secondly, the Government is in the process of implementing a new data sharing regime that affects private sector data – the Consumer Data Right (CDR)4. The CDR allows consumers to access certain data held about them by businesses and to transfer this to trusted third parties in order to obtain a benefit, such as receiving a better deal or a new service.

The CDR will be introduced on a sector by-sector basis, starting with banking and followed by energy and telecommunications, with the eventual goal of applying economywide.

Directors should note that in the first phase, the CDR applies not just to banks but also organisations which have been accredited to receive CDR data in order to provide a product or service, as well as to outsourced service providers that handle such data.

The Australian Competition and Consumer Commission (ACCC) is making rules on the rights and obligations of CDR participants that supplement the privacy safeguards introduced by the CDR Bill. Together they have strong implications for data governance:

• Consumers must expressly consent for the transfer and use of their data;
• The privacy safeguards mirror the structure of the APPs but are more stringent in some areas; and 
• Schedule 1 to the CDR Rules prescribes specific steps to protect CDR data, including: - having a formal governance framework for managing information security risks;
• And - documenting specific responsibilities of senior management (that is, directors) for the protection and management of CDR data.

These developments are an indicator of the regulatory landscape to come.

Framework for data and privacy

One way to conceptualise data and privacy governance is by using the data and privacy performance (DPP) framework, introduced in the publication The New Governance of Data and Privacy 5, published by the AICD. While the framework focuses on personal information and compliance, it can readily apply to other valuable organisational data.

Data and privacy governance

Having a clear DPP framework allows the board to exercise oversight and control over how the organisation uses and manages data as a key asset. Without such a framework, organisations are more prone to mishandle their data while simultaneously failing to leverage it for new opportunities.

There are three elements of the DPP framework with which directors should familiarise themselves:

• strong organisational culture;
• effective structures – board governance, executive leadership, privacy program and accountability; and
• supporting infrastructure – people, processes, systems and communication.

At the heart of the framework is a strong organisational culture for respecting privacy and using data in a creative and trustworthy way. Such a culture requires an effective structure in order to embed privacy considerations into everyday practice and decision making. An effective structure starts with board governance.