
[Applause] hopefully this works because of course I like to make things complicated
Thank you. I was really looking forward to this presentation. It's, um, as you know Financial Lieutenant Commander family have a good afternoon, Enterprise.
Today we're going to be talking about the very important topic: data. But before I go on, I'd like the doctor to explain a few things.
thank you brought me really quiet the other is not
thank you
My name is pronounced Data. Hello. What's the difference? What is my name? The other is not. So, today's presentation: we're not talking about data or data. But before we move on, I just need to go and do a little bit of housekeeping. Um, I went all out [Applause] and I thought I couldn't stop here, I always had to go here, and I decided that I needed to reward all of you with something. So I organized special Star Trek stickers for your computer, a limited edition for the Enterprise, and, um, if the college people can stand up, Jillian, Dr Michelle Ellis, the back left: they've got stickers. So the rules of the game are
if you'd like a sticker, you need to trade. You need to trade something, not something like a straw, that's not going to work. In this as a mean trade something with them. And the whole goal of the exercise is, one, learn to network, and two, the talk that I wanted to talk a while back about contracts: learn to negotiate. So you're going to make an offer. So you say, I'm going to, I'd like to trade for a limited edition Star Trek sticker, and then they will give you a sticker. Of course I've got some as well, so you can hand me down. So the four of us have got stickers if you want a Star Trek sticker
which is limited edition. There's only 100 of them, and be a quickie. Um, and at the end, I don't know if anyone's been watching my LinkedIn, I said there'll be prizes, so I decided I'll go out and get some limited edition comics. So, uh, there's a question that's going to be associated to the one video that was... don't watch it now, please watch me, don't go there. It was on LinkedIn. There's a question, and of course the answer is a link to that, but I'll make it easy. And the other one is, if that doesn't work, other throughout the audience and ask questions from here. So you guys ready to rock and roll? All
right. The first thing is we're talking about data, so technically we'll have to learn out what is data. And the reason I, you know, I come from a very, um, interesting background, but I recently, uh, graduated with a law degree. I just happened to have a brain that works in, um, sometimes frameworks. It's a bit like coding, and law's like that: you know, if there's something, then something else happens. And the law I found really easy because we're not applied a coding methodology when I was learning, it was really easy for me to apply everything else. But then I thought how to apply that in my everyday life in IT, and so I took it all the way back to
data. Because why are we here? You know, we are protecting our data, but what sort of data is that? Is it sensitive? You're labeling: is it sensitive, is it public, is it confidential, what is it? But we need to actually understand that a little bit more. But lo and behold, data is actually divided into three sort of sections. Now, the first person who enters into data or the data realm can be a little bit overwhelmed, because what the hell does that mean: structured, unstructured, semi-structured? And so I thought I'd make it a little easier for you. That is structured: nice and order for the Black Law if then you go to everything or everything is
structured. Most people who don't know this, this is where you can have a challenge when you're dealing with C-suiters. They don't understand this. They say, oh, you know, this is data. Yep, that's data too: your passports, your images. But it's all unstructured. There's no auditored, it's not the same thing, your field names are not the same. Every document that you get through your system, may be physical that you've got to scan in or digital, will have a different set of rules or frameworks, and of course most of you guys have been talking about that. You also get semi-structured data, which is used to pull data if you're a different type of code doesn't have sort of some
information in it. But of course we're not just here about data, because I gave you two elements in my talk: one is IT, the other one is law. And when I've been working with businesses, one of the reasons I wanted to be here is, like, I hear the same things all the time. The big word is data breach. What is a data breach? I'm sure all of you are going to find out. We're going to go on this journey, so hopefully you're going to enjoy it as we go along. Um, but I'm also going to get some help. This is an Enterprise, it's a very big ship, there's a lot of you, uh, crew that are
experts in different areas, but I'm gonna have to call in a little bit of help. So what I've decided to do is, um, we need to figure out why we should protect data, because obviously, as you know, the Borg got hold of data and started making modifications. Under Cybercrime Act should arrest them straight away. Um, and so I've decided to get just a little bit of help. But before we go there, I put in my help, I'd like to actually just explain a little bit more about this journey we're going to go, and unfortunately I've locked the doors. Doors locked? Yes. No one's leaving. We're going to learn about privacy, and the reason we're going to learn
about privacy is because most of you in the IT role, and so you have IT and you have privacy. Now, I want you guys to get together and have a party. You guys form a great team. You guys got to come together. You have one language, privacy has another language. Let's get the language together so that you can actually form a big team and help protect data from the Borg. So, um, of course, being the printer that I am, I decided to write my own privacy policy for Starfleet Command, um, and we're going to look at seven sections. But I wanted to make it a little bit more real and show you the Australian
Privacy Principles. I'll be using APP. Now, APP 9, you can just look on there, is the government identifiers. I'm not going to be talking about it, although I might have highlighted, did I? No, I didn't. Um, that is just a unique set of characters. Your tax file number is a government identifier, your Centrelink number is a government identifier. You cannot use or disclose a government identifier. "Yes, we are doing it, please give me your tax file number." Okay, okay, that's how the business uses it, that becomes a problem. But we're not going to talk about that. We're going to talk mostly about things my Bain Bearer when I work with businesses, when I see them. The one is transparent
management, the privacy policy, which is actually something I raised quite a bit. If we are going to give consent to how we, our businesses are going to collect and use our data, don't you think we should go a little bit more granular with that than the General Data Protection our European cousins doing on the other side of the pond? We're going to talk about the APP 3, which is a collection of personal identifiables, but that acronym PI means personal identifiables or personal information; APP 6, use and disclosure information; and we're going to talk about cross-border disclosure, when we transfer information or data from one country to another, for one galactic environment to another; the quality of personal identifiables,
very important for the AI realm. If you don't have good quality, you're going to get errors. Don't anybody who's going to be merging into the artificial intelligence world, but errors are coming, watch that headline. And of course the most important, security of this, that's why you guys are here, the security of information. So what it looks like side by side, very similar, and this is really important, because this is our Australian Privacy Principles, and on the left, if you look at any other country in the world, you will find similarities: the GDPR, General Data Protection Regulations, CCPA, California consumer protection act, every privacy that you can't go sorry
um, and they are very similar. And the reason I'm actually hoping to take you down this journey is because you guys are working, you're in the IT, you're the front line, and so when you see things happen you need to raise it through your team leaders, or if you're in an executive position you need to raise it higher, because if this is happening, guess what: penalties, 20 million dollars or loss of job under the Corporations Act, depending which legislation need if I get involved will dump on you guys as a business. So I've decided we need the computer. So, computer? Yeah. Policy, we need the privacy policy, please. Thank you, Lieutenant Commander, here is a list of
documents like to privacy. The Starfleet privacy policy is in rent. Well, thank you, computer. You're welcome.
And as you can see, every time that you walk into a business you are going to be bombarded with procedures and policies, processes, every document you can think about, whether it's applicable or not. And the most important one forever isn't ready there's only one you care about in my books, because that sets the cornerstone, that sets the foundation to how you're going to handle, collect, share data. So of course I noticed that there was a gap in the Starfleet Command: you guys didn't have a privacy policy, so I wrote one for you, um, and it is up on the website, and it basically tells you how we are going to collect your personal information. Now, it's very interesting:
the Australian Privacy Act talks about information and the General Data Protection Regulations talks about data, and I argue to this day there's a big difference between the two, because you have personal information and you have sensitive information, but you can also have personal data and sensitive data, depending of how the data is collected, because they consult identify that person. So let's talk about the collection of data. The one, the one that early guy that can teach us a few things. Start: if you're going to be collecting personal information, sensitive information, there really needs to be a reason for it. So as APP 3 states, it has to be directed to a function or an activity of the business.
So what's the purpose behind that collection? So if you connect with collecting your life going, hmm, I want to do direct marketing, oh, I want to do some, a few scams here and there, I guarantee you that's what if your business is for scamming people, which probably is unethical, I'm not sure if it's actually not illegal, probably is, because you, you've defaulting people, um, then you probably can get away with it. But it really has to relate back to those activities or functions of their business. Um, but if you don't, if you're not Collective... so I'll give you some quick examples. Let's say now you are collecting, um, authentication information. Your authentication information, according to your police documentation,
your 100 point check, is something like a driver's license, passport. Who's, um, who's gone to university recently, handed all this information? Yeah: driver's license, passport, transcripted, your personal information, where you live. All of that information is personal and sensitive information. That's a collection, and here that's collection form going into university or for authentication purposes. Now, if I've collected something for authenticating my customers, do I have the right to store it permanently? No. Correct. And so you guys are in that position to ask that question: why are we collecting this information? What is the purpose? The purpose is for authentication purposes. Do we need to keep this permanently in our service? You know, you've got a lot
of storage, so we shouldn't really be doing that. And that's what you should be asking, those questions: what's the purpose behind it? If it's a record, you've got the records act, you've got to keep that information for 25 years. Who works in government? Yep. If you're collecting information or personal information or data that is put under the guise of a record, even authentication material, you're keeping it for 25 years. How does everyone feel about that? Your information, your driver's license and your passport, bank cards, your credit cards, everything on that list is kept in that system for 25 years. That's an awful long time. But, um, the reason we collect information is
also the one to use it and we'll disclose it. I mean, if I'm going to be giving my information, I want that person to contact me. I want the university to call me back and go, hey... here's my telephone number, call me back: yes, you're it, yay; no, you're not, please erase it. Um, but if you look at the APP 6, um, you'll notice there that they cannot, uh, disclose it for outside of which it was collected. You cannot use it outside of that purpose. So if you collected a driver's license for the purpose of authentication, you as a company cannot share that information or transfer it with any other company, because it's
outside of the purpose of what you collected. So in the IT realm, when you're collecting this, when you're on, because you deal with it every day, you should be raising us: why are we collecting it? And then your argument will go all the way up to legal for looking into this whole issue of collection, because it forms inside of the Privacy Act. And inside the Privacy Act, under this element, if you're sharing an authentication document result on purpose and something happens, we'll talk about data breach and the meaning of data breach, that means that you could be held liable. Not only can you be held liable, or the business be held liable, but the
person in authority position can be liable, personally liable, um, depending on the amount of damages, under the Corporations Act, depending on which legislation they want to throw it. So let's talk about cross-galactic transfer of data. What does this mean? It means simply this: if I'm going to have a backup of data or personal information in China, that's what my backup is, would that be off the top we had a safe place to place it? No. So you'd have to, you know, start this conversation: well, I don't think China is a place to go, is there other backup areas? Who are we going to... we're going to take our standalone system, our on-site server, and we want to transfer
it into a cloud storage solution. Where is that cloud storage solution? Is it in Australia or is it in another country? Because when you look at the, um, APP 8, Australian Privacy Principle eight, across the border transfer, um, you are going to be held liable for companies, when I say you, the company is going to be held liable when information is breached by the third party. Oops, third party was anything bit of a problem. But now we come down to the last thing, which is quality of the artists in my class thanks quality of data. Yes, it's also on the Privacy Principles, and your quality of data is incorrect, and I'll give you example. So what
happened was, in a case, there was a person that went to the medical doctor for information. They'd had tests done, and they gave them the email, and they got the results adopted the medical practice got the information and then emailed the results back, but they had the wrong email, and inside of that email identified that the person had HIV. It's a whole court case, so everything's out there, I'm allowed to public to talk about this. The person went back to the medical practitioner and said, you got the wrong email, can you please send it back, this is my email. Next thing you know, they email the person again, the wrong person. They never corrected it. So they broke the Privacy
Act. They were fined seventy five thousand dollars, um, which was a pretty, uh, good local event, because their first year didn't have the quality of data, the quality of the data that they collected wasn't correct, and they didn't correct it when the person asked them to correct it. So they breached two of the fundamental APPs. So when you're dealing with an autonomous system, or when you're dealing with artificial intelligence, quality of data is going to impact your output. So if you're going to put input, you're going to use an algorithm, and there have been quite a few cases where, um, your payment or your discount has been impacted. So you have sent out a, you promised your
customers a certain discount, the quality of data has been pretty poor, and as a result of that it's calculated an incorrect discount and you never got the discount. So under ACCC you got problems, and they're just on and on and on and on and on, and as a result of that you can find couple of million. Welcome to the land of law. But according to the APP, this is basically what you need to do: you need to take reasonable steps to make sure that the quality of data is... who's in the data governance realm? Anyone know? This will give you some support. You are fighting about The Grieving the quality of data,
um, just bring up APP 10. In fact we're assigned go around work APP 10 with better quality data. You know that tool that I wanted? Yes, the million dollar one, to help me improve it? Yeah, APP 10. I did find it, APP 10. Um, thank you. And finally we got to the element that all of you love: security of data.
Okay, it doesn't make sense exactly. You're not only Star Trek videos and episodes I had to go through all these jokes, I'm an expert now. Um, but yes, you're going to take reasonable steps to protect your data, and if you feel that you haven't done it from a security point of view, I was can't recommend because that's probably the bad thing to do, in my opinion I would take up the argument further up the chain to your leaders, your team leaders or management, and just raise the areas that you need, because we're going to also be talking about something else right now, which is this. Well, the word data breach is thrown around quite frequently. I'm going to, in
my opinion, I can't give advice, because if it's got advice it's legal advice, it could come back with me, I don't want to be liable for any bad advice. So it's in my opinion that you never talk data breach, you never write down the breach, you never speak data breach, ever, and hold it an incident, and so the legal team have identified, the compliance team, the legal team and privacy have identified that it is a data breach. And I'll tell you why: there's a new piece in the Privacy Act coming in where the commissioner can now investigate at all the breach. They can come into your business and start looking through all your emails, and if somebody in the
low section, maybe a graduate, they say there's a data breach, yes, it just becomes a little bit of a nightmare. So, just my opinion, call it an incident or an event. And a limit to run you through this at God breaches happened that has taken out of legislation: unauthorized access to, unauthorized disclosure, loss of personal information, and the big word, the big word you all need to remember, and they're not separate, they are together, it's not "or", it's "and": and the access, disclosure, losses caused imminent harmful caused a serious harm other individuals are the information. So you can have disclosure of information has it and this is where it all comes in. So that's why you can't call it a
data breach and talk about data breach, because the lawyers have to come in and identify this, then got determine: is there a chance of harm? So I'll give you an example. In one of the cases, um, there was a couple, and they had divorced. The wife was working in the business, the husband was estranged, he was a domestic violence person. It could be another way, we could make the mail was domestic violence, because it can happen to men or women. But what he was doing, he was stalking her. So he called the company and said, is so-and-so working today? And a frontline person had no knowledge about the event and said yes.
He now knew that his ex-wife was working in that building that day. The whole business knew what was going on, so very helpful, except the front line. All of a sudden there was disclosure, loss of personal, unauthorized disclosure of personal information, which led to the result in serious harm, because he ended up wanting to, waiting outside of the building. Imminent harm, possible serious harm. Lawyers were brought in, of course remedies were brought in, and it was a big SOG about. That's an example of when you connect the two together, and that's why lawyers and the legal team, the privacy team, have to come together. That's why you need them on board. You go, hey, I've got this
issue, it's an incident, it's an event, what do you think, should we raise the bar? And then leave it for them to decide. Now, the challenges with data is rank valuation. When I was reading the paper, I know, boring, I also don't have a social life, Financial Review, I just happened to read this. UC is a problem with this, I highlighted it: according to our Super Chief Executive Paul Schroeder 9915 of them are named Chris. I feel you. Who's Chris? One? Are you... do you have an Australian Super? No? I guess you're not one of those. You know, I can't look at Chris the same way anymore.
I'm just wondering, was that unauthorized disclosure? Let's put you to the test: is that unauthorized disclosure? Yes. But, and, is there a chance of imminent harm? No. So it failed in the second element. Good, right?
Oh yes, computer, surprises. Oh, thanks. So now for the big one, for the comic books. That's a Star Trekking song, which, um, I probably need some help here. Okay, so I can't, I'm going to be biased, you know, and I don't want to be biased, I want to give everyone an opportunity. For the purpose this person puts their hand up, you'll have to, you know, pointed out. Yeah, okay. So which movie group or music group created the Star Trekking
[Applause] Okay, the last one is, um, I'm not going to actually ask you a question, I'm going to ask: does anyone have any questions?
He went through both corporations and departments. Very good. Uh, in the... now you guys can be shocked: government agencies are not covered in the Privacy Act. Who thinks that's fair? Yes. And so that means that they don't have to disclose a data breach.
what they actually deserve it [Applause] any other questions about stickers okay thanks Brianna is actually a lawyer who's come into the dark side yeah all of those people that have been hacking into systems without permission yeah yeah I was listening I was like oh did you get consent yeah all right so questions update yes hi New Management servants or about when he's made up yeah now would you consider employees in authentication activities as you is part of work-based surveillance formatory once it is you know part of this we say our banks of America yeah you know and paying out what this employee will be able to move after environment okay these are my things that are out there
that are surfing, you know, all my stuff is not out there that you can see. Okay, so it falls under tort, and an element of tort is causation. So this is where the plaintiff, you have to prove that the breach caused you harm, and so then that way it falls, because how do you know that that breach, this is where it fails, and everything that breach caused you off and not Optus or Medibank or blah blah blah. Thank you. Another question?
So I look at data as everything that you engage with the digital world. So, um, everything that you like, everything that you, um... I recognize your face, just, um, you know, I don't know if you know this, but quite a few years ago I did a crazy crusade: I went around Western Australia trying to teach everybody robotics and coding, and I wanted to try and change the world in a way to help them, give them skills, so that when the future came, AI, they had a job. You've got one of those places and I've got the top of one of the kids, he was just amazing. Um, did you pick up, like, engage with the
digital realm and you like something, you commented, um, even if you had a pseudo name, let's say that you had a techie for instance, anything that you can collectively bring together to profile you and call data. Now, in the Privacy Act they have personal information and sensitive information. Under Section 6 of the Privacy Act, sensitive information and things like biometrics, they don't talk about the game, they don't provide shoe size, it talks about, um, your religious preference, uh, your sexual preference. The personal information is anything you can identify you as a person, which is the information you can do like your first name, last name, address. So I think that
there's a big gap between information and data. If we change that and go even like your IP address, I think that's important, because if you put an IP address and you don't have a VPN, you can actually identify where that computer comes from, you can start narrowing it in, and I just think that's something we need to raise a little bit more. Common 30 minutes behind, so maybe one last question. Here's a quick one: you know how you say the government are not under the Privacy aspect, what about the essential regulatory levels? So, um, it's a good question. So under the Essential Eight, are they mandated that 98 years of power information for you 98
non-corporate government entities must, not should, must complete an internal Essential Eight audit and to get to maturity level one. I know it's a bit low, but hey, it's rather something or nothing. And that includes government agencies.
[Applause] [Music]