This article was first published in the LexisNexis Privacy Law Bulletin Vol 19 No 05. By Alec Christie, Partner, Digital Law, Clyde & Co.
Privacy and cyber security compliance in Australia is becoming increasingly more complicated by the day. There is already some 'natural' increase in practical complexity due to both the continuing move into digital eco systems and given the pace of innovations such as AI and facial recognition and their rapidly increasing uptake. However, this organic growth in complexity has been significantly exacerbated by an ad hoc and "on the run" legislative approach to issues in the privacy and cyber security space which has led to the exponential multiplication of overlapping regulations and regulators governing privacy and cyber security.
For example, at the extreme, an APRA regulated financial services organisation handling consumer data right information as well as personal information (but not considering the credit information regime) has overlapping and occasionally disjointed cyber security, surveillance, access and information integrity (ie privacy) related obligations in and under at least 10 disparate regulations/prudential requirements with up to 5 regulators competing to 'oversee' its compliance in these areas. To add to this, while well intentioned, the passing of the amendments to the Security of Critical Infrastructure Act late last year and early this year added yet more cyber security and privacy regulation to this very crowded space, as well as yet another ‘regulator’ - the CISC.
While there always have been (and will likely always be) complex aspects of privacy and cyber security, the regulation of this space surely doesn’t need to be this hard. It is no longer possible for "skilled amateurs" (ie those that do not practice in privacy/cyber security full time) to keep on top of the myriad of Byzantine overlapping regulations and regulators, all with slightly different demands and focuses vying for our attention.
It is in this context, a proliferation of regulation and regulators in the space, that AS 27701 “Security techniques – Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management –Requirements and guidelines” (also known ISO/IEC 27701 globally) will come into its own, helping businesses get on top of their increasingly complex, overlapping and often disjointed obligations in privacy (as ISO/IEC 27001 has done to a large extent in terms of cyber security).
However, in addition to this overarching benefit, the focus of this article is some of the specific and more immediate benefits the privacy information management system (PIMS) AS 27701 guides your business to implement can deliver. That is, the benefit of uplifting your organisation's general privacy compliance and the agility gained to (ie the relative ease and cost effective manner in which the organisation may now) meet the relevant new privacy regimes as and when the business expands operations beyond its borders.
What are AS 27701 and a PIMS?
AS 27701 adopts ISO/IEC 27701 which is a global privacy standard built on top of ISO/IEC 27001 and 27002, the most widely adopted and certified global cyber security standards. AS 27701 includes annexures mapping how the AS 27701 controls meet the requirements under the Australian and New Zealand privacy laws/principles, adding to the existing mapping to the GDPR.
AS 27701 specifies the requirements for and provides guidance to establishing, implementing, maintaining and continually improving a privacy information management system (or PIMS) in the form of an extension to AS ISO/IEC 27001 and27002 for the management of privacy information (ie personal information, referred to as "PII" in the Standard) by businesses.
AS 27701 provides controls and implementation guidance to ensure the privacy of personal information (at a minimum, in compliance with local legal requirements), including specifying what framework measures organisations should implement to manage personal information. As a result, AS27701 also assists organisations to demonstrate to regulators and third parties their compliance with privacy regulations both locally and internationally.
The ability to assist (and also "prove") compliance with relevant privacy regimes is evidenced by the significant mapping done in the open-source mapping program, first established by Microsoft, which can be found at https://www.dpmap.org. This mapping confirms the author’s experience with mapping the privacy laws of some 15jurisdictions against AS ISO/IEC 277701. That is, the PIMS and the specific controls established by organisations under AS 27701 do assist organisations to meet the specific requirements of the privacy laws of many countries, including the GDPR/UK GDPR.
While it has been known for some time that there are many common elements of privacy regimes around the globe, it has always been extremely difficult for an individual organisation to map those common concepts, extract and implement a set of 'controls' to address each in an appropriate manner and to systemise them into a PIMS which enables compliance across multiple countries and their privacy laws. That is, without falling into the trap of being specific and tied to one privacy law. It is hard enough designing a privacy system or framework to manage compliance with one's local privacy legislation, let alone also cover the privacy laws of all other jurisdictions in which one's business operates. This is, in part, why the 'information management system' concept so ingrained in the cyber security space for a number of years has not yet been widely adopted in relation to privacy compliance.
A PIMS is not widely known in privacy practice where the focus is usually on meeting the specific and immediate privacy requirements of the client's business or "just in time" privacy. As a result of this approach, in privacy the focus is usually far from a system of controls or PIMS, doing only what is specifically required to meet the immediate privacy requirements before one.
Now, with AS ISO/IEC 27701, the International Organisation for Standardisation(ISO) and International Electrotechnical Commission (IEC) have, with the help of an army of experts, created in ISO/IEC 27701 (adopted in Australia as AS 27701) such a common set of high level controls that enable organisations to address all of the common concepts underlining many privacy laws/principles around the globe, in a way that prompts them to also address the specific relevant local privacy requirements.
How a PIMS can assist your privacy compliance
For those more used to privacy rather than the cybersecurity, a “PIMS” is at first a strange concept especially, as noted above, compared to the way in which privacy is currently 'managed' by most organisations. Following the lead of our cyber security colleagues and, in particular, the information security management system (ISMS)established by the AS ISO/IEC 27001 and 27002 standards, AS 27701 requires the implementation of a set of controls and assists the building of a privacy information management system (or PIMS) rather than relying on an adhoc, localised and unstructured (and often reactive rather than proactive) privacy approach. That is, a PIMS that systemises and creates a formal structure to privacy compliance by implementing general controls (or requirements) and necessary measures to meet relevant privacy requirements.
In addition, the AS 27701 PIMS also greatly assists to ensure areas often missing from an ad hoc approach to privacy compliance are covered, including the clarification of roles and responsibilities, facilitating effective agreements with third parties and, building on top of ASISO/IEC 27001, ensuring reduced complexity and more consistency across the organisation's cyber security and infosec requirements by integrating with the ISMS/controls of ISO/IEC 27001 and 27002.
In addition to uplifting an organisation's privacy compliance by systemising it(taking it out of the realm of the purely reactive) and having in place a set of fundamental controls, a PIMS also assists organisations 'prove' to regulators and third parties alike the level of their privacy compliance and their “good privacy practices”.
While not yet formally recognised, there is an expectation that ISO/IEC 27701will soon be recognised as an acceptable certification mechanism to establish privacy compliance bona fides under Article 42 of the GDPR and UK GDPR and thus avoid a number of the current requirements for data transfers out of the EEA, for example. Of course, once ISO/IEC 27701 certification is recognised as a certification mechanism under Article 42 of the GDPR (and UKGDPR) then the expectation is, in addition to assisting in relation to cross-border data flows from Europe and the UK, that the regulators of our region will also accept AS ISO/IEC 27701 as an equivalent 'certification mechanism' under local and regional privacy laws.
Finally, and a very important benefit when dealing with regulators and third parties, is the requirement to be independently certified to AS 27701 and the reports that are provided as part of that audit/certification process. That is, it is not just the organisation telling a regulator or third party that they are a compliant privacy organisation and that personal information is safe with them. Certification under AS 27701 gives organisations a widely recognised and accepted audit/certification process whereby a respected independent third party certifies, after a rigorous assessment process, that the organisation is in fact compliant with AS 27701 and thus has 'good privacy practices'. This independent certification under the ISO/IEC (and thus AS) model has become an important and significant advantage of the ISO/IEC (and thus AS) Standards above and beyond other privacy and cyber security frameworks, such as NIST which, while equally valuable in content, do not have a widely accepted mechanism in place for independent verification/certification.
Also, given the increasing complexity and demands of regulators that organisations "assure" and be responsible for the level of privacy compliance (on top of cyber security levels) of their third-party providers, we expect to see more customers, by default, require vendors which handle personal information to independently prove their privacy bona fides by certification to AS 27701 (often as they do now for cyber security with ASISO/IEC 27001).
An example of an AS 27701 key control
The controls and obligations under AS 27701 are loosely divided into those which apply to all (ie clauses 5 and 6), those which specifically apply to “controllers” as understood under the GDPR (ie clause 7) and those which primarily apply to “processors” as understood under the GDPR (clause 8). However, for Australia and New Zealand (and other countries in our region) that do not have the split between controllers and processors, all of the controls in clause 7 will apply in addition to those in clause 8 (if not expressly covered in clause 7) where an organisation is undertaking a 'processor role'.
Given the theme of this article of assisting business to expand their business (digitally or traditionally) into new foreign markets, we briefly highlight the data sharing controls in clauses 7.5 and 8.5 of AS 27701. The controls to be met in relation to sharing, transfer and disclosure of personal information (referred to as PII in AS ISO/IEC 27701) include, most relevantly, the following:
7.5.1 Identify basis for PII transfer between jurisdictions
The organisation should identify and document the relevant basis for transfers of PII between the jurisdictions. (This is a similar obligation to that imposed on processors under clause 8.5.1 but the latter includes notification of the customer to allow the customer the ability to object to any changes with respect to jurisdictions to which the information will be disclosed.)
7.5.2 Countries and international organisations to which PII can be transferred
The organisation should specify and document the countries and international organisations to which PII can possibly be transferred.(Again, there is a similar obligation on the processor under clause 8.5.2.)
7.5.3 Records of transfer of PII
The organisation should record transfers of PII to or from third parties and ensure cooperation with those parties to support future requests related to obligations to the PII principals.
7.5.4 Records of PII disclosure to third parties
The organisation should record disclosures of PII to third parties, including what PII has been disclosed, to whom and at what time. (This will also cover transfers in the similar record keeping obligations of processors under clause 8.5.3.)
8.5.7 Engagement of sub-contractors to process PII
The organisation should only engage a sub-contractor to process PII according to the customer contract. (This is an additional obligation imposed on processors to require them to obtain approval for sub-processing/sub- contracting of obligations and thus further sharing of PII.)
These data sharing controls clearly focus on transfers and disclosures, noting that in some jurisdictions that disclosure alone of personal information to a person outside of that jurisdiction by accessing the relevant personal information from outside the jurisdiction is caught, even if that information does not physically leave that jurisdiction.
Together clauses 7.5 and 8.5 (ie as detailed above) provide the framework to facilitate compliance with relevant local privacy laws relating to transfer/disclosure of personal information. In respect of Australian and New Zealand privacy laws relating to overseas disclosures, clauses 7.5 and 8.5 map to (in other words, provide the mechanism to comply with) APPs 6 (in particular6.1) and 8 (8.1 and 8.2) and IPPs 10 and 12.
These specific controls may be challenged, at least by some, as not in their terms specifically addressing compliance with local privacy laws or assisting with the requirement to assess what local rules apply. However, clauses 7.6 and8.5 exist within the wider PIMS established by the entirety of AS 27701 and must be read together with the other clauses of AS 27701, including:
1. clause 5.2.1 "Understanding the organisation and its context" under which the organisation must determine external and internal factors that are relevant to its context and that effect its ability to achieve the intended outcomes of its PIMS, including applicable privacy legislation, regulations, judicial decisions, contractual requirements and the governance policies and procedures of the organisation;
2. clause6.10.2 "Information transfer" which requires, among other things, the implementation of guidance, other information as stated in AS ISO/IEC 27002 and procedures for ensuring that the rules relating to processing of PII are enforced throughout and outside of the system, where applicable, and that guidance for agreements for information transfers be adopted by the organisation; and
3. clause6.15 "Compliance" which seeks to ensure compliance with general legal and contractual requirements regarding, among other things, transfer/disclosure of personal information cross-border is considered and measures implemented. In this context the specific data sharing controls act, with the other controls (and the PIMS as a whole), to ensure that all relevant legal requirements are considered and addressed as part of the implementation to ensure compliance with all applicable data transfer/disclosure obligations. Therefore, irrespective of the specific local privacy law, the controls and PIMS as a whole as regard data sharing will direct and guide the organisation to ensure compliance with the local data sharing requirements, having already in place key controls reflecting and incorporating the common elements. Also, any certification of AS 27701 with respect to a particular country will be heavily influenced by the requirements of that local privacy regulation in the implementation of the relevant controls/PIMS.
How AS 27701 can assist the expansion of your business into (or from) other markets
As you can see from the above discussion, the controls established under clauses 7.5 and 8.5 of AS 27701 clearly provide the framework to meet most, if not all, GDPR and other countries' requirements for the transferring/disclosing (ie sharing) of personal information across borders.
In addition, certification to AS 27701 will assist organisations to more easily respond to a transfer impact assessments (or TIAs) now required for transfers of personal data from the EU and UK to a country without an adequacy decision(eg Australia). This will assist a business's current processes and requirements and, once ISO/IEC 27701 is accepted as a certification mechanism under Article 42 of GDPR (UK GDPR), as the organisation equivalent of an adequacy decision. We expect that these controls, among others in AS ISO/IEC27701, will ease both the requirements to be met and the information to be gathered from potential offshore recipients of personal data in non-adequate countries in order to better enable the free flow of 'personal data' from the EU/UK.
The controls and the PIMS implemented as a result of AS 27701 will assist businesses to more easily (and in a much more agile and cost effective manner) uplift specific aspects of their privacy in order to meet the relevant local privacy requirements of new markets. That is, without “reinventing” their privacy framework, documentation or the like. Certainly, work will need to be done on the content of the relevant documentation and there may also be one or two specific local requirements that need to be separately addressed. However ,the framework of controls and PIMS established under AS 27701 will enable organisations to quickly and cost effectively address those matters without having to establish a wholly new set of privacy documentation and/or framework for each new country their business expands into.
Certification to AS 27701 will also assist with establishing your privacy credentials and bona fides with privacy regulators and third parties in those new countries, especially once ISO/IEC 27701 has been accepted as a certification mechanism under Article 42 of the GDPR/UK GDPR.
Can your business really afford not to consider AS 27701 and the benefits it can deliver?
If not to better manage and stay on top of the increasing complexity of privacy regulations, meet the requirements of customers and/or to generally uplift your privacy compliance, AS 27701 will greatly ease (a) the requirements imposed in your dealings with EU/UK organisations and (b) the effort to meet privacy requirements in the expansion of your business into other countries and the resulting cross-border transfers of personal information.
Finally, for those organisations already AS ISO/IEC 27001 compliant, all these benefits are yours for a relatively small incremental cost on top of th existing work already done to become certified to AS ISO/IEC 27701.