As part of Privacy Awareness Week across Australia, Partner Sonja Read joined Philip Green (Queensland Privacy Commissioner, Office of the Information Commissioner Queensland) and David Lacey (Founder and Managing Director, IDCARE) for a panel session on Making privacy a priority. The event was run for Queensland Health.

Sonja spoke about the difference between privacy and security when developing a new IT program.

Cyber security is focused on protecting the data from malicious attacks and the exploitation of stolen data for profit.

Privacy is about the use and governance of personal data. It includes ensuring that personal information is collected, shared and used in appropriate ways.

They are related, but different – and both need to be factored into new projects.

Consider, for example, when an IT program is built with policy or business intent in mind. Cyber security may be a key consideration, with the program including encryption, multi factor authentication and other cyber security features. However, these features will not address whether the collection, use and disclosures are authorised, and whether the project is consistent with community expectations. Once the system is built, changes to data flows may involve significant costs. The project may suffer from privacy complaints, distrust of the project, and stakeholder disengagement. Ultimately the success of the project may be jeopardised.

Considering privacy early helps keep the client or customer's interests front of mind.

Although security is necessary for privacy, it's not sufficient. A focus on data security without embedding privacy in your project means that the broader privacy issues might be compromised as an add on.”

Sonja Read

How can you embed privacy into technology?

How do we prevent the scenario where privacy is compromised in favour of other priorities?

• Get involved in projects early, and become a team player with IT developers. We need to include privacy into the security conversation.
• Educate project teams about the importance of embedding privacy, the legal compliance and their relationship to project success.
• Make use of a privacy impact assessments as a required step to developing a new project. Ensure that it happens early in the project so that it can feed into the design rather than be tacked on to the end.

Watch the full presentation