Source: http://www.linkedin.com/pulse/tackling-data-retention-dilemma-denny-wan

Tackling Data Retention Dilemma

Credit: Inspired by "iapp and (ISC)2 White Paper, October 2022"

Denny Wan

Published: 14 November 2022

Quantifying Privacy Risk to inform Data Retention Policy

The Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) [1] was introduced to the Parliament on 26 October 2022 as part of the Australian Government's immediate response to the recent high-profile data breaches disclosed by Optus and Medibank. It brings to a head the contentious business policy of data retention, which I examined in my recent article "Data Retention Dilemma" [2]. The key proposed changes in the Bill include (thanks to the analysis from James Cole) [3]:

50 million dollars; 3 times the value of the benefit obtained through misuse of data; or 30% of a company’s annual turnover in the relevant period.

The second proposed change above is clearly designed to discourage the habit of data hoarding. Public consultation for the Bill was closed on 7th Nov 2022 [4], receiving 31 published submissions [5].

A number of these submissions expressed concern about the financial impact of the proposed maximum regulatory fine of up to $50M. However, some of the submissions examined the more complex question of the data retention policy. For example, the Business Council of Australia (BCA)'s submission [6] recommends applying Section 80U(1) 'tiering' of penalties, where the courts are required to consider whether an organisation can show they were not negligent or reckless. Perhaps a business policy to retain data for future monetisation (beyond immediate business needs or regulatory compulsion) might be considered to be a reckless act? The Tech Council of Australia's submission [7] also recommends a tiered penalty regime to be proportionately applied.

The Australian Institute of Company Directors' (AICD) submission [8] recommends the Bill be paused until the Privacy Act Review has made its recommendations and the Government has responded. National Australia Bank's submission [9] drew attention to the current mandated regulatory data retention burden of seven years after the banking relationship had concluded. NAB asserts that this mandated retention period is much longer than it would otherwise require and significantly increases its risk profile.

Attorney-General Mark Dreyfus signalled that businesses could be forced to purge millions of Australians’ identification records and ordered to stop hoarding a treasure trove of customers’ personal data under an overhaul of privacy laws [10]. Mark is not questioning the regulatory burden on data retention. He is questioning the commercial motive behind the data retention policy.

The FAIR Institute community recommends quantifying Privacy Risk as a structured and scalable way to inform data retention policy. It might be an oversimplification to assert that the only data retention policy option is to delete the entire data set upon the expiry timeframe. NAB's submission might have alluded to the possibility of applying different data retention periods for different data elements, akin to the longer-term retention of metadata in telecommunications.

“... For too long we have had companies solely looking at data as an asset they can use commercially ... When that information is no longer required, they must take reasonable steps to destroy or de-identify the personal information they hold ...” Mark Dreyfus

I echo the caution from AICD in not jumping the gun and losing sight of the imminent conclusion of the review of the Australian Privacy Act by the Attorney General's Department [11]. My presentation, "Quantifying Privacy Risk of Technical Data", at the Australian Information Security Association (AISA) CyberCon Melbourne 2022 drew attention to the proposed inclusion of Technical Data in the definition of Privacy Data. This proposed change is foreshadowed in the Discussion Paper [12]. My recent article, "Privacy risks of technical data", published in the Cyber Today Magazine (Edition 2 2022) [13], provides some useful background information on this presentation.

My presentation also walked through two examples of quantifying Privacy Risk from the recently published Open Group article "Calculating Reserves for Cyber Risk Vetting Cyber Risk Models" [14]. The paper is co-authored by Mike Jerbic and Bob Mark. These examples use the "OPEN GROUP OPEN FAIR™ RISK ANALYSIS TOOL" [15] to perform the calculation.

My presentation deck is available for download here:

https://www.securityexpress.com.au/wp-content/uploads/2022/10/Quantifying-Privacy-Risk-of-Technical-Data.pdf


Introduction to the proposed inclusion of Technical Data in the definition of Privacy Data

I want to thank Dennis R. for assisting me with running the OPEN GROUP OPEN FAIR™ RISK ANALYSIS TOOL during the presentation.

Walk through the Privacy Risk Quantification examples using the OPEN GROUP OPEN FAIR™ RISK ANALYSIS TOOL

We also want to thank the delegates for the great turnout and many excellent follow-up discussions:


Thanks to Craig Ford as the room monitor and for taking these photos.

[1]https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/Bills_Search_Results/Result?bId=r6940

[2]http://linkedin.zhutiblog.com/com/pulse/data-retention-dilemma-denny-wan/

[3]http://linkedin.zhutiblog.com/com/posts/jamesacole_fines-for-massive-data-breaches-to-increase-activity-6989367762863230976-VGXv

[4]https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Legal_and_Constitutional_Affairs/PrivacyEnforcement2022

[5]https://www.aph.gov.au/Parliamentary_Business/Committees/Senate/Legal_and_Constitutional_Affairs/PrivacyEnforcement2022/Submissions

[6]https://www.aph.gov.au/DocumentStore.ashx?id=6ea85962-12b7-40a6-bbcc-a43e9c05085d&subId=725158

[7]https://www.aph.gov.au/DocumentStore.ashx?id=59579211-b271-4401-8064-b3d94ab2355e&subId=725156

[8]https://www.aph.gov.au/DocumentStore.ashx?id=77773af8-3e4f-4f2c-9ee8-11449efd0b2b&subId=725154

[9]https://www.aph.gov.au/DocumentStore.ashx?id=93faed62-0d6b-439c-8a13-61fa77e3247a&subId=725329

[10]https://www.afr.com/politics/federal/customer-data-should-not-be-a-corporate-asset-dreyfus-20220929-p5blvy

[11]https://www.ag.gov.au/integrity/consultations/review-privacy-act-1988

[12]https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/

[13]https://cybertoday.partica.online/cyber-today/edition-1-2022/flipbook

[14]https://publications.opengroup.org/w221

[15]https://blog.opengroup.org/2018/03/29/introducing-the-open-group-open-fair-risk-analysis-tool/
