By Gehan Gunasekara

In an age where personal information is the new oil, chief privacy officers in companies should be as important as chief financial officers. Gehan Gunasekara explains the human dimension to cyber vulnerabilities – and how we can keep safe. 

Information professionals are critical to surviving in the digital age. Privacy officers, information officers or data protection advisers in organisations, for example, are at the front lines in protecting society. The recent cyber attack on the Waikato District Health Board has, among other such recent incidents, highlighted the importance of such staff in preventing future attacks: the loss of personal information led in this instance to denial of access to life-saving treatment.

Personal information may be the new oil, and the increasing attacks targeting it signal its value. There is a human dimension that is often neglected here: vulnerabilities are more likely to arise through human error than through technical glitches. Addressing this in turn necessitates investment in human resources, with the associated costs. But failure to do so may result in even greater costs through reputational damage and, with the new powers conferred on the Privacy Commissioner, regulatory scrutiny including fines.

Information professionals will assume ever-increasing prominence in the 21st Century. The chief privacy officer will be as important as the chief financial officer. Even existing roles such as client relationship advisers, recruitment consultants, data analysts and people and culture managers require a solid understanding of the ethical and legal frameworks surrounding the use of personal information. Digital literacy is about more than technical skills such as how to generate and use data analytics. It also encompasses being able to evaluate the legal and ethical limits to such techniques. Ethics alone is insufficient: an understanding of the legal frameworks surrounding data use, and of how these intersect with ethical and other standards governing data, is required.

Privacy and information professionals require specialised skills. Understanding legal and regulatory frameworks is a starting point. But, where managing data is concerned, understanding the legal requirements is not enough: one must be versed in techniques of implementation at the organisational level. In turn this means engaging with the internal management dynamics of the organisation and being able to design accountability criteria and mechanisms. Soft skills are also desirable, and these include advocacy with stakeholders and knowing how to resolve conflicts before they escalate.

In a digital age, privacy and information-handling skills are as important as financial literacy or software creation. Organisations that make the necessary investment in staff and their upskilling inevitably reap the rewards, while those that fail to do so learn the hard way. Testing is needed to see whether staff know not to open a phishing attachment, for example by deliberately sending a dummy one to test their reaction. Likewise, knowing how to audit a service provider to check its adherence to commitments regarding use or storage of data requires systems, and follow-up to see that they are used.

Often, knowing when to delete data can forestall data breaches. Many famous data breaches have been enabled or made worse by organisations keeping personal information that was no longer needed or failing to check it was still needed. The Ashley Madison hack of 2015 revealed the company had held on to records of customers who had closed their accounts. Similarly, with the Equifax breach in 2017, retention of databases after migration to its subsidiary and failure to audit as per contract allowed the hack of the parent to obtain the data of millions of United Kingdom users. Unlike the European General Data Protection Regulation (GDPR), New Zealand does not have a “right to be forgotten”, but it does have rules regarding how long data can be held. Knowing how to navigate these, and their differences with the GDPR when transacting business with Europe, is vital.


This article was originally published on Newsroom and was republished with permission.

Gehan Gunasekara is an Associate Professor in Commercial Law at the University of Auckland. He is an expert in information privacy law. 

Disclaimer: The ideas expressed in this article reflect the author’s views and not necessarily the views of The Big Q.
