Australia’s Consumer Data Right, NIST, Encryption
TLP White: Welcome back to Hacking Healthcare:
We start with a look at Australia and the development of a Consumer Data Right. We also discuss NIST’s plans to create a privacy framework. We conclude by shedding some light on what went down at the 2018 Five Country Ministerial.
Hot Links –
Australian Consumer Data Right.
The GDPR isn’t the only international privacy regime for organizations to consider. Australia’s proposed Consumer Data Right (“CDR”) is poised to come into effect on July 1, 2019, introducing an additional layer of international complexity to privacy compliance.
The CDR was created to establish greater data access rights for consumers, permitting consumers to obtain some of the data that is held about them by a third party as well as enabling some of that data to be shared with accredited parties for select purposes.[1] According to the Australian Treasury website, the Australian government decided to create a CDR “to give Australians greater control over their data, empowering customers to choose to share their data with trusted recipients only for the purposes that they have authorized.”[2]
Initially, the CDR will be implemented in the banking, energy, and telecommunications sectors, with plans for it to be rolled out to the entire Australian economy on a sector-by-sector basis. Additional guidance will be needed to help flesh out the CDR, including providing clarity regarding a broad definition of personal information as well as guidance around providing consent, such as what would be required for a consumer to provide their consent to disclose their personal information.
The CDR was open for comment through September 7th, 2018. The Australian Competition & Consumer Commission (“ACCC”) is scheduled to release a Rules Framework this week, which is supposed to describe how the ACCC proposes to address particular issues in the CDR Rules.[3]
NIST Privacy Framework.
The National Institute of Standards and Technology (“NIST”) has started to assemble the troops for another round of framework creation. NIST announced that it is starting to gather public feedback to help create a voluntary privacy framework designed to help companies protect personal information. The U.S. Department of Commerce is leading the charge, with the goal of developing a voluntary privacy framework as an enterprise risk management tool.[4]
The privacy framework will focus on privacy risks that stem from how organizations collect, store, use, and share information to meet their mission or business goals. The privacy framework will also be designed to address information collected when customers interact with products and services and related concerns around internet-connected devices. As explained by NIST Senior Privacy Policy Advisor Naomi Lefkovitz, the framework is envisioned to “provide a catalog of privacy outcomes and approaches for organizations of all kinds to: better identify, assess, manage, and communicate privacy risks; foster the development of innovative approaches to protecting individuals’ privacy; and increase trust in products and services.” To that end, businesses can discuss and resolve privacy issues using a common set of principles and understanding.
[1] https://www.lexology.com/library/detail.aspx?g=a958300f-6509-49a9-a833-2c93e401aa46
[2] https://treasury.gov.au/consumer-data-right/
[3] https://www.accc.gov.au/focus-areas/consumer-data-right/rules-framework
[4] https://www.nist.gov/sites/default/files/documents/2018/09/04/privacyframeworkfactsheet-sept2018.pdf
As a reminder, this is the public version of the Hacking Healthcare blog. For additional in-depth analysis and opinion, become a member of H-ISAC.