Managing your data – a journey of continuous improvement and contractual vigilance
(Sponsored article)
Who is responsible for data security in your organisation – and who should be?
Traditionally, the management of data and data security within organisations is spread across several executives. Unlike the well-defined role of the chief financial officer, who clearly oversees all things financial, the various elements that impact data and its management are often divided among legal, compliance, IT, and risk.
As a solution, an organisation could appoint a dedicated privacy officer, who may be one of the executives mentioned above. This individual then generally becomes the primary contact for privacy compliance. However, in organisations that are neither consumer-facing nor large enough to need a privacy department, this data management function is often under-resourced and driven only by baseline compliance, rather than treated as a key strategic function.
In our view, data management is a shared responsibility among C-suite executives, a consequence of the myriad stakeholders and systems that use data. However, teams need clear mechanisms for assigning responsibility and accountability, and for sharing information in a timely and meaningful way. This ensures that data is not only handled in compliance with laws and regulations, but also leveraged strategically for organisational benefit: for example, streamlining collection and retention processes so that updating and deletion become simpler and more cost-effective.
What is data?
Data is simply information that organisations collect and manage. This can include statistics such as the number of transactions for a specific product or service, the number of customers in a geographic location, and even confidential information the organisation obtains from its business partners, which comes with special obligations.
Data may also be personal information, which in Australia is regulated by the Privacy Act 1988 (Cth). Such information may also be subject to the EU General Data Protection Regulation (GDPR), either directly or through obligations flowed down under contracts with multinationals.
Personal information is therefore subject to tighter regulation than general data, with several regulators claiming an interest in it. More broadly, any data that holds value can cause harm if threat actors gain unauthorised access to it or misuse it; managed effectively, the same data provides valuable insights for the business.
Which regulators should I be worried about – isn’t it just the privacy regulator?
The Office of the Australian Information Commissioner (OAIC) is the main regulator of personal information. However, it is often viewed as underfunded, and the Privacy Act is undergoing a very slow yet essential reform process. As a result, many organisations dismiss the OAIC as not being a real threat to their business, despite recent increases in penalties intended to align them with those under the Australian Consumer Law.
The Australian Securities and Investments Commission (ASIC) is also interested in how organisations manage their data, particularly regarding cybersecurity. ASIC has taken action against a financial services licensee for failing to meet its data security obligations, and the Chair of ASIC, Joe Longo, has repeatedly emphasised that ASIC will hold directors accountable for their organisations' cybersecurity practices, or lack thereof.
For entities regulated by the Australian Prudential Regulation Authority (APRA), there are numerous regulatory guides, standards and practices that address the practical issues of keeping data secure in outsourcing agreements and the matters that need to be considered when handling data with third parties. Given that APRA-regulated entities such as banks, insurers and superannuation entities hold significant sensitive information, this high level of regulation is warranted.
Other regulators concerned with your data include the Australian Communications and Media Authority (ACMA), particularly regarding spam and marketing practices. If your organisation is subject to the Security of Critical Infrastructure Act, the Department of Home Affairs will also have an interest in your data.
Organisations regulated by one or more of these bodies should be alert to the growing convergence among regulators and their use of information-sharing agreements. If one regulator finds an organisation failing to meet its data management obligations, it is likely to share that finding with the others. As a result, an organisation may face scrutiny from several regulators at once, or from the one best placed to take action and succeed.
What does this mean at a practical, contractual level?
Fundamentally, any contracts dealing with data rights or data usage need to be viewed through a broader lens.
Many contracts we see contain a privacy compliance clause, a confidential information clause and an intellectual property rights clause, and nothing further on data rights, as if those three covered the field. They do not. Data does not inherently carry intellectual property rights, and data handled under the services in the contract may fall outside both confidential information and personal information. It is therefore important to address data rights expressly and to define clearly each party's obligations regarding the use and security of that data.
In the same way that organisations seek to bind third parties to comply with the Privacy Act and other regulations, the permitted use of data needs careful attention. This is increasingly the case with the rise of artificial intelligence (AI), as parties seek to monetise data by training AI models on it. Major publishing houses are currently pursuing significant international copyright infringement actions against the developers of large language models such as ChatGPT, alleging that the models were trained on novels and other content with inadequate or no payment.
While authors clearly hold copyright and can claim for its infringement, cases are likely to emerge where there is no copyright at all: owners or custodians of datasets will find their data has been used by a third party, for example to train AI, without any right having been granted to that third party. Data with no other obvious inherent value may have value as an AI training dataset.
This issue also applies to customer data that an organisation may use to improve its existing services or to develop new services. Have they obtained consent from the individual whose data is being used for that purpose? Would an individual be aggrieved if they found their data was being used in that way? Recent media reports on the sharing of radiology images with an AI firm indicated individuals were less than impressed.
What are the practical steps for 2024 and beyond?
The likely increase in requirements under the Privacy Act from 2025, the potential new powers of the OAIC to impose fines, and the likely introduction of a statutory tort for serious interference with privacy should put all senior leadership teams on notice. Uplifting your data management is a project that needs to start now; the cost of inaction is likely to be high.
The allocation of roles and responsibilities to ensure no “gaps” in the approach is a starting point. This may involve reviewing existing organisational policies, reporting on data and changing governance practices within the organisation.
The old “data is the new oil” is being replaced with “data is the new uranium” – potentially powerful but also inherently risky and in need of adequate protection.
Once a team is assembled and a data audit undertaken, the next steps will emerge from that process. Duplicated or over-collected data can be remedied. The common mistake of over-retention can also be identified, allowing old, out-of-date data to be deleted. That in turn may prompt a review of retention periods and the implementation of automated deletion, or at least automated prompts for deletion.
Finally, and this suggestion never goes astray, consider your various complaint channels: are they sending you any messages you can act on where data is concerned? In employee exit interviews, are there systems, processes or even people that staff complain of and that could be creating data risk?
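The audit steps above (identify duplicates, identify over-retention, feed the result into automated deletion or deletion prompts) can be mechanised once the inventory exists. The following is an added illustration written for this page, not code from Holding Redlich or from any product mentioned here. The retention schedule, the record layout and the sample inventory are all constructed for the example; real retention periods must come from the organisation's own legal and regulatory obligations. The one design point worth copying is that records whose category is unknown are sent for review rather than deleted, so the automation fails closed.

```python
"""Retention and duplication audit over a constructed data inventory.

Added example for illustration only. Each Record is a row from a
hypothetical data inventory: an asset identifier, the data category,
the date the data was last needed for its purpose, and the content
(in practice you would store a fingerprint, never the data itself).
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import date

# Hypothetical retention schedule in days, keyed by data category.
# Real values come from the organisation's legal and regulatory review.
RETENTION_DAYS = {
    "customer_contact": 365 * 2,
    "transaction": 365 * 7,
    "marketing_consent": 365,
}


@dataclass(frozen=True)
class Record:
    asset_id: str
    category: str
    last_needed: date
    content: bytes

    def fingerprint(self) -> str:
        # Content hash used only to spot identical copies held twice.
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class AuditResult:
    expired: list[str] = field(default_factory=list)      # delete candidates
    duplicates: dict[str, str] = field(default_factory=dict)  # dup id -> kept id
    review: list[str] = field(default_factory=list)       # unclassified, human review
    retained: list[str] = field(default_factory=list)     # within retention, unique


def days_retained(record: Record, today: date) -> int:
    return (today - record.last_needed).days


def audit(records: list[Record], today: date) -> AuditResult:
    """Classify every record exactly once, failing closed on unknowns."""
    result = AuditResult()
    seen: dict[str, str] = {}  # fingerprint -> asset_id of the copy we keep
    for rec in sorted(records, key=lambda r: r.asset_id):
        limit = RETENTION_DAYS.get(rec.category)
        if limit is None:
            # Never auto-delete what you cannot classify: route to review.
            result.review.append(rec.asset_id)
            continue
        if days_retained(rec, today) > limit:
            result.expired.append(rec.asset_id)
            continue
        fp = rec.fingerprint()
        if fp in seen:
            # Same bytes already held under another asset id.
            result.duplicates[rec.asset_id] = seen[fp]
            continue
        seen[fp] = rec.asset_id
        result.retained.append(rec.asset_id)
    return result


# Constructed sample inventory; dates chosen to exercise each branch.
TODAY = date(2024, 6, 1)
SAMPLE_RECORDS = [
    Record("R1", "customer_contact", date(2021, 1, 1), b"alice@example.invalid"),
    Record("R2", "customer_contact", date(2023, 1, 1), b"bob@example.invalid"),
    Record("R3", "transaction", date(2016, 1, 1), b"txn-0001"),
    Record("R4", "transaction", date(2020, 3, 1), b"txn-0002"),
    Record("R5", "customer_contact", date(2023, 6, 1), b"bob@example.invalid"),
    Record("R6", "legacy_export", date(2019, 1, 1), b"unknown blob"),
]

if __name__ == "__main__":
    r = audit(SAMPLE_RECORDS, TODAY)
    print("expired (delete candidates):", r.expired)
    print("duplicates (dup -> kept):", r.duplicates)
    print("needs human review:", r.review)
    print("retained:", r.retained)
```

In a real deployment the `expired` list would drive either a deletion job or a ticket to the data owner (the "automated prompt" in the text), and `review` would be reported to whoever owns the retention schedule so that unclassified categories get a period assigned rather than accumulating indefinitely.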
If you need assistance with templates, approaches or advice, we have helped a range of organisations improve their data handling practices and can bring that experience to help you with this project. To get started, please get in touch with Holding Redlich General Counsel Lyn Nicholson.
Author
Lyn Nicholson, General Counsel, Holding Redlich
Email: lyn.nicholson@holdingredlich | Phone: +61 2 8083 0463
Profile: https://www.holdingredlich.com/lyn-nicholson