Defining and Managing Privacy Risks: Frameworks That Work

Australia’s privacy risk management landscape is being shaped by increasing visibility of data breaches, penalties, and customer awareness and sensitivity to data overcollection, decisional interference and online tracking.  

The average Australian now knows that even well-resourced and well-respected businesses are fallible, so trust and transparency have never been more important. With that, comes an increased pressure on organisations to appropriately define and manage privacy risks. Australians aren’t happy that businesses are overcollecting and/or inappropriately securing their personal information – and they’re increasingly willing to spend money elsewhere if their data is not properly protected.  

Privacy Accountability 

Privacy risk isn’t defined under Australian law.  However, the proper management of privacy risk is part of the accountability requirements of APP 1 in the Privacy Act.  

According to the OAIC,  

the declared object of APP 1 is ‘to ensure that APP entities manage personal information in an open and transparent way’ (APP 1.1). This enhances the accountability of APP entities for their personal information handling practices and can build community trust and confidence in those practices.

As well as specific obligations in relation to having a privacy policy APP 1 requires organisations to ‘take reasonable steps to implement practices, procedures and systems that will ensure the entity complies with the APPs.’  This means that organisations must take proactive steps to establish and maintain internal practices, procedures and systems that ensure compliance with the APPs. 

One of those proactive steps is implementing procedures for identifying and managing privacy risks at each stage of the information lifecycle, including collection, use, disclosure, storage, destruction or de-identification. 

Defining Privacy Risk 

When thinking about privacy risk it is important to think about the types of harm that might occur, and who might be impacted.   

Different privacy risks include:  

• that a customer will experience harm or loss (including distress and anxiety as well as embarrassment and financial loss) because of sharing their personal information with you.  
• For businesses, privacy risk translates into financial loss, brand damage, and a competitive disadvantage. 
• At a societal level, privacy risks can hinder innovation, erode public trust, and lead to discriminatory practices. 
• Finally, there’s legal or compliance risk, which encompasses the broad range of penalties and fines available to regulators in Australia and around the world. 

A Taxonomy of Privacy Harms 

Many legal scholars have considered what is meant by a privacy harm – which is the corollary of thinking about privacy risks i.e. a privacy risk is one that will result in some form of harm. 

One of the most prominent is Daniel Solove 

Daniel Solove’s Taxonomy of Privacy

Daniel Solove’s “A Taxonomy of Privacy“ is a major privacy work. Solove decided to put together a taxonomy of privacy to try and define what is meant by ‘privacy’ given that, particularly in the US, privacy is a right which is ill-defined and vague.  Solove’s taxonomy is split into four categories:  

• Information collection 
• Information processing 
• Information dissemination 
• Invasion 

Each of these four categories have further sub-categories as listed below: 

Information collection: 

• Surveillance: Refers to both overt and covert observation, using various modalities (e.g., audio, video, behavioral) 
• Interrogation: Questioning or probing individuals for personal information  

Information processing: 

• Aggregation: Combining data from multiple records, which may allow identification of individuals  
• Insecurity: Failure to design a process product or service with adequate access control measures  
• Identification: Linking several individual data elements together to be able to identify a specific individual 
• Secondary use: Using personal information provided for one purpose for a different purpose 
• Exclusion: Using personal information without the data subject’s knowledge or permission 

Invasion:  

• Intrusion: Acts which disturb an individual’s solitude or tranquility (e.g., junk mail, spam, telemarketing) 
• Decisional interference: An action by an external party, such as a government or commercial entity, that interferes with an individual’s decision-making regarding their personal affairs  

Information dissemination:  

• Breach of confidentiality: A betrayal of trust through the sharing of confidential personal information 
• Disclosure: Revealing information about an individual that may impact their security or affect how others view them 
• Exposure: Revealing another’s personal physical or emotional attributes to others 
• Increased accessibility: Making public information about a person easier to access 
• Blackmail: Threatening to disclose someone’s information against their will 
• Appropriation: Using someone’s identity for someone else’s purpose or to promote a party’s own interests 
• Distortion: The spreading of false or inaccurate information 

This may be a useful list when trying to cover all potential privacy harms and the associated risks. 

Organisations should consider risks through all the above lenses to appropriately manage privacy risk in the current environment. 

Managing Privacy Risk: Implementing a Privacy Risk Framework 

While there are a range of existing frameworks Australian organisations can use to manage privacy risk (more on these below), there are a few crucial elements that comprise any comprehensive privacy risk management program:  

• Purpose: Clearly define the specific business and privacy objectives for your organization. What business improvements do you want to achieve alongside compliance? Perhaps it’s building consumer trust, streamlining data handling, or preparing for innovation. Aligning privacy with these goals helps create beneficial scenarios for both the business and its customers. 
• Scope: Precisely outline the types of personal data your organization handles and the relevant internal policies for protecting them. This provides a clear reference point for the assessment. 
• Information Mapping: Start by cataloging the personal information collected, stored, used, and disclosed. Map the flow of this data throughout your organization and when it’s shared with third parties. Creating visual data flow diagrams brings added clarity to this complex process. 
• Risk Identification: This is the heart of any privacy risk management framework. Brainstorm a comprehensive list of potential risk factors, vulnerabilities, and threats related to your data processing. These might include data breaches, unauthorised access, accidental disclosure, and data loss. Examine weaknesses in your technical systems, physical security, and human factors (like inadequate staff training). Remember to consider both internal and external threats. 
• Analysis: Evaluate each identified risk, assigning a likelihood rating and assessing the potential consequences for individuals and your business. A risk scoring matrix helps you prioritise and focus your mitigation efforts. 
• Responsibilities: Any privacy risk management framework won’t succeed without establishing clear ownership. Form a privacy committee with representatives from relevant departments (e.g., IT, HR, legal). Define the specific responsibilities of each department, the role of a designated data protection officer (if applicable), and how employees will be held accountable for upholding privacy policies. 
• Processes: Implement ongoing privacy risk management processes. Immediately work on high-risk items by developing remediation plans. Involve stakeholders in identifying and implementing appropriate control measures, which could be technical, procedural, or related to staff training enhancements. 

Managing Privacy Risk: Established Frameworks  

There are different privacy frameworks that support the development of a program to manage privacy risks. 

The NIST Privacy Framework 

The National Institute of Standards and Technology (NIST) Privacy Framework was developed through a collaborative process involving privacy professionals, industry stakeholders, the public, and the US government. It’s technically rigorous, applies to a wide range of industries and organisations, and is one of the most widely recognised and adopted privacy frameworks that exist today. 

it is a voluntary framework designed to support the NIST Cybersecurity Framework and to manage privacy risk. Intended to assist organizations in communicating and organizing privacy risk, as well as rationalizing privacy to build or evaluate a privacy governance program.  

It is composed of three parts: Core, Profiles, and Implementation Tiers.  

The Core is a set of privacy protection activities and outcomes, divided into key Categories and Subcategories—which are discrete outcomes—for each of the five Functions: 

 Identify-P, Govern-P, Control-P, Communicate-P, and Protect-P. 

Like the NIST Cyber Security Framework, the Privacy Framework supports the development of a privacy program that fits the individual profile of different organisations, recognising that there is no ‘one size fits all’ approach to managing privcy or cyber security risk. 

Learn more about the NIST Framework 

 

The ISO 27701:2019 Standard 

ISO 27701 specifies the requirements for a personal information management system, leveraging the ISO 27001 information security management system. At its core, ISO/IEC 27701 facilitates a structured approach to identifying, analysing, evaluating, and treating privacy risks throughout data handling processes. This aligns with the fundamental steps of effective risk management. 

Learn more about the ISO 2771:2019 Standard in our earlier post. 

The COBIT 19 Framework 

COBIT (Control Objectives for Information and Related Technologies) is a globally recognized framework created by ISACA (Information Systems Audit and Control Association). It provides businesses and organizations with best practices and guidance for effectively governing and managing enterprise information and technology (IT). The 2019 update is the most recent iteration of the framework, emphasizing adaptability and flexibility to meet the changing needs of businesses in the digital age. 

Learn more about the COBIT 19 Framework 

 

Manage Your Privacy Risk with Privacy 108  

Our privacy management programs empower organisations to champion privacy through policies and processes, education, awareness, and accountability.  

We developed a series of questionnaires and templates to help organisations in building privacy programs. These resources incorporate guidance on privacy management and privacy program from a range of different sources including:  

• ISO 27701 requirements for a Personal Information Management System  
• NIST Privacy Framework  
• OAIC guidance on privacy management framework  
• UK ICO guidance on privacy governance and accountability  

Our team uses these resources to review your current privacy program, determine maturity levels, find gaps and develop a practical roadmap for improving the maturity of your privacy program.  

For more information: