BUSL315 Privacy Impact Assessment Sample Answers for Deltex Ltd

BUSL315 Privacy Impact Assessment – Deltex

Executive Summary

This Privacy Impact Assessment will discuss the risks associated with the development of Kartman, a new project by Deltex.

Included is a methodology, the stakeholders engaged in developing this report, a project description, a map of information flows, and how to minimise or avoid each project-specific risk with a focus on compliance, extending to ethical and social license implications.

This PIA has found that Deltex would be vulnerable to many privacy risks, may be legally liable for planned conduct, and requires strategies for mitigating or removing privacy risks. Deltex must also place a greater focus on ethical considerations.

Recommendations:

  • Deltex must understand current Australian privacy law so that compliance can be assured.
  • Strategies for minimising or eliminating privacy risks need to be implemented.
  • These strategies should extend beyond compliance to ensure social licence and ethics are more than satisfied.

This report’s limitations include restricted information on Kartman, no knowledge of current privacy risk-management strategies, and little information on planned overseas partners.

Privacy Impact Assessment Methodology and Plan

The Information and Privacy Commission (IPC) notes that “Privacy Impact Assessments (PIA) assist public and private sector organisations identify and minimise the privacy risks of changes to services or policies and new projects”.

To achieve this objective, elements from the NSW Information and Privacy Commission’s guidance on PIAs and the Office of the Australian Information Commissioner’s (OAIC) guide to undertaking PIAs will be incorporated, so that a broad scope of PIA components is considered and the most relevant are included.

Firstly, a threshold analysis of Deltex’s new project determined that a PIA is necessary: although Deltex may fall under the $3 million Privacy Act threshold, it will be selling personal information, which brings it under the Act.

See the Project description for details on the information that will be collected, disclosed, where it will be held, and how it will be collected.

Secondly, the Chief Privacy Officer (CPO) conducted the PIA with assistance from the project team and external consultants and completed it before the design process began so that the recommended changes could be implemented prior to production.

Although the Australian Privacy Foundation recommends interweaving this process throughout design and employment,5 many changes will need to be made, and all should be apparent before design begins.

This will limit the number of costly modifications that the project may require; however, another PIA will be completed at the time of deployment to assess the finished product.

A strong focus of this PIA was to ensure Deltex transcends compliance by undertaking ethical analyses to protect stakeholders’ interests, improve Deltex’s reputation (especially after the cybersecurity debacle), and mitigate social and environmental harm.

This is extremely important as the likely target market and users of this project will be children and teenagers, whose privacy should not be put at risk in exchange for greater profitability.

After the PIA has been reviewed, the CPO recommends the changes to Deltex’s proposed new project are analysed and incorporated into the design and implementation of the project.

Stakeholder Engagement

Throughout this PIA’s development, Deltex has been consulting with the various parties that it plans to partner with to develop and operate Kartman.

These parties included advertising agencies in Asia, direct marketers, data hosts in Libya and Russia, and a call centre in Syria.6 The purpose of this study was to assess these stakeholders’ privacy practices and advise on changes, improvements, and standards that must be met for further operations to progress.

Additionally, Deltex collaborated with and sought advice from the Office of the Australian Information and Privacy Commissioner and other external agencies to identify what data should be protected, effective risk management strategies to protect personal data, and the steps required to protect sensitive information from misuse.

This will help Deltex satisfy, and move towards exceeding, the Australian Privacy Principles (APPs).

Communication with the community and public was required, specifically prospective users of Kartman, so as to gauge their expectations and attitudes regarding the privacy of their personal information.

These collaborations were conducted throughout the PIA process through written communications, interactive and engaging information sessions, focus groups, and surveys.

This is so that outcomes and recommendations from these events can be incorporated into the design of both the PIA and product.

Finally, when the PIA is completed, all stakeholders and members of the public will have access to it through its publication on Deltex’s website, hard-copy guides, and specific disability-friendly versions.

Project Description: Kartman

Kartman is a new cloud-based game that will be available for play on smartphones and PCs. It aims to integrate characters from different games and to develop an eBay-like marketplace for selling in-game items across multiple games.

Deltex will earn revenue through commissions on marketplace sales, in-game advertising, which Chang et al. note can be very effective,9 and selling player information to third parties, such as game developers, advertisers, and direct marketers.

This information will be collected using machine learning and deep neural networks and includes keystrokes, mouse movements, voice and video chat, names, dates of birth, addresses, and credit card details.

Marketing will emphasise Kartman’s ‘privacy-focused’ approach. After 3-6 months, however, monitoring services will be secretly introduced and data disclosed to the third parties once terms and conditions have been slowly altered. An opt-out option will be offered, but users’ information will still be collected and disclosed.

Data will be hosted in Libya and Russia, where there are no privacy laws, and encrypted with the ROT-13 system. Syria will provide help-desk services for Kartman.
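What the ROT-13 scheme named above does to a record holding the kinds of fields Kartman collects, as an added Python example that is not part of the original assessment. The sample record, the field names and the word list used by the audit heuristic are constructed for illustration.

```python
import string

# ROT-13: a fixed, keyless letter substitution that is its own inverse.
_LOWER, _UPPER = string.ascii_lowercase, string.ascii_uppercase
_ROT13 = str.maketrans(
    _LOWER + _UPPER,
    _LOWER[13:] + _LOWER[:13] + _UPPER[13:] + _UPPER[:13],
)

# Constructed sample record (not real data) with the field types listed above.
SAMPLE_RECORD = {
    "name": "Alex Example",
    "date_of_birth": "2009-04-17",
    "address": "12 Sample Street, Sydney NSW 2000",
    "card_number": "4111 1111 1111 1111",  # widely used test number
}

# Hypothetical word list for the audit heuristic below.
COMMON_WORDS = {"street", "road", "avenue", "the", "and", "sydney"}


def rot13(text):
    """Rotate ASCII letters by 13 places; every other character passes through."""
    return text.translate(_ROT13)


def store(record):
    """Model the planned at-rest protection: ROT-13 applied to each field."""
    return {field: rot13(value) for field, value in record.items()}


def fields_left_in_clear(record):
    """Fields whose stored form is identical to the plaintext."""
    stored = store(record)
    return sorted(f for f, v in record.items() if stored[f] == v)


def recover_without_key(stored):
    """Reading the data back needs no secret: apply ROT-13 a second time."""
    return {field: rot13(value) for field, value in stored.items()}


def _hits(text):
    # Count tokens that are dictionary words once punctuation is stripped.
    return sum(w.strip(",.").lower() in COMMON_WORDS for w in text.split())


def looks_rot13(value):
    """Audit heuristic: flag a stored value that gains dictionary words when rotated."""
    return _hits(rot13(value)) > _hits(value)


if __name__ == "__main__":
    stored = store(SAMPLE_RECORD)
    print("stored form:        ", stored)
    print("unchanged fields:   ", fields_left_in_clear(SAMPLE_RECORD))
    print("recovered, no key:  ", recover_without_key(stored))
    print("address flagged:    ", looks_rot13(stored["address"]))
```

Because ROT-13 changes only letters, the card number and date of birth are stored exactly as entered, and the remaining fields are restored by running the same function again.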

Mapping Information Flows

The IPC stipulates that explanations of what personal information will be collected, how it will be collected, and for what purpose are essential in mapping information flows.

Additionally, conveying the processes for ensuring information quality, security safeguards for protecting data, and individuals’ ability to access and correct personal information is important.

These, and other privacy risks identified when mapping information flows, will mainly be addressed in later sections.

This section will employ the use of diagrams, compiled with the help of the OAIC, to clearly and visually display current information flows.12 To do this, Deltex has communicated with stakeholders involved in the collection, transfer and holding of data sourced from Kartman.

Information Mapping Key

  1. Customer, or gamer, data is disclosed to Deltex while users play Kartman. Information such as keystrokes, mouse movements, in-game chats, and voice and video from webcams is collected. In addition, real information from customers such as names, dates of birth, addresses and credit card details is disclosed.
  2. Deltex then uses this data to offer tips to improve performance and makes suggestions to users on purchasing upgrades through the marketplace.
  3. Deltex discloses real data to data hosts in Libya, where there are no privacy laws, and Russia, where there are inadequate privacy laws.
  4. Data hosts collect this real data.
  5. Data is disclosed from data hosts to a call-centre/customer help-desk in Syria.
  6. Customer help-desk uses data to answer customer inquiries and complaints.
  7. Customer help-desk discloses relevant information to customers to provide this assistance.
  8. Data is also disclosed from data hosts to advertisers in Asia, and direct marketers in Australia.
  9. Advertisers and Direct Marketers purchase, collect, and use the data sold by Deltex for advertising purposes, and possible re-sale.
  10. Advertisers can now disclose data to numerous unknown parties.
  11. Unknown parties can use, collect and disclose this data.
  12. Game-information centres provide the data that Deltex needs to transfer account profiles and character configurations from other games and platforms. Game servers also pass through Deltex’s system and connect with game-information centres to disclose gaming data.
  13. Game servers located in Asia provide internal data so that players can connect to the game online.

Compliance, Ethics, and Minimising Risks

This section of the PIA will identify many project-specific privacy risks and provide explicit recommendations. Each risk will be assigned a subheading, under which an explanation of the risk and strategies to mitigate or eliminate the issues will be provided.

Each subheading will also include a specific focus on compliance and then extend beyond this to satisfy ethical considerations and social licence.

Privacy Policy:

Currently, Deltex has a privacy policy that is only published in the Tedaga language.

This is inadequate. Under APP 1.3, APP entities require clearly expressed and up to date policies about personal information management, and should include the range of detailed information listed under APP 1.4. Furthermore, APP 1.5 stipulates that this privacy policy must be reasonably available and free of charge.

To remedy this, Deltex should make the privacy policy translatable to any language so that it is available to all cultures equally.

Bowker and Pastor examine a range of technologies that can execute this process. This will not only ensure compliance but also be ethically correct.

The policy should be available on Deltex’s website, in hard-copy forms, and communicable to disabled people with issues such as blindness and hearing impairments.

Collection of Personal Information:

Deltex will need to collect and use some personal information from its users, primarily so that they can log in to its game, purchase from its marketplace and play Kartman.

This may include credit card details, real names for payments, usernames and passwords, and dates of birth. Similarly, in-game text and voice chats should be recorded so that user reporting can be adequately handled. This will require consent from all users; otherwise, access to the game will not be provided.

However, the collection of video chat data should not be integrated into Kartman. Deltex cannot control what users display in video chats, and if users begin to display inappropriate content, this could cause serious privacy issues for Deltex and harm to users.

Although users can convey inappropriate messages through text and voice chat, video chat communication can result in seriously offensive imagery and potential solicitation.

This recommendation does not cover specific privacy-related legislation but advocates that hosting an in-game video communication service is unethical and dangerous, particularly when the player base will include children.

Consent to Collect Personal Information

As shown above, the collection of player data is necessary for the use and operation of Deltex’s game. However, under APP 3.3, the first step in collecting this information requires users’ consent.

This can be acquired through privacy policies, which contain terms and conditions that users must accept before access to a service is allowed.

Many users simply accept these policies without reading them because they are too long and verbose. Gluck et al. advocate shortening policies to include only relevant and specific information, which may be helpful. However, policies must include complete information to ensure compliance with legislation.

A helpful alternative is to provide a summary page at the top of the policy document that outlines the key issues covered by the policy. This would mean users are more knowingly consenting to the collection of their personal information.

This PIA advocates clearly detailing the purpose for collection, what the information will be used for, who it is disclosed to, and a notification of collection, as APP 1.4 and 5.2 require.

Deltex should not attempt to slowly modify its privacy policy to monitor players’ data for sale to third parties. Whilst not explicitly illegal under the APPs, once discovered it would cause severe reputational damage.

Facebook is an example of this. Opsahl has provided a detailed timeline of their privacy policy alterations from inception up until 2010, which demonstrates that once one person has made such discoveries it can spread very quickly.

Methods of Collection:

Deltex executives plan to use machine learning to collect information, such as in-game chats, voice, and video, to offer tips on how to improve each player’s gaming experience.

Toch, Wang and Cranor explain that machine-learning systems pose new privacy risks and are characterised by large numbers of biases. 

Preferably, the privacy team would like to conduct an algorithmic impact assessment to analyse these risks before implementing a machine-learning system.

However, we are constrained by resources and word limits, so we instead recommend this be completed after this PIA. Deltex should use the comprehensive AI Now framework for this.

Disclosure of Personal Information

External consultants, using surveys, have determined that the public ranks personal information security and data privacy as one of their highest priorities.

Therefore, it is important that users give further consent for Deltex to disclose personal information to third parties, such as data hosts, advertising agencies, and direct marketers.

Additionally, under APP 6.1,28 and APP 7, this is a legal requirement. Consent documentation should not be hidden deep within Deltex’s privacy policy, as doing so is highly unethical and will result in reputational damage when discovered.

This PIA advocates implementing an opt-in option for this disclosure to develop a privacy-by-design culture at Deltex and protect our users.

Colesky, Hoepman, and Hillen note privacy-by-design’s ability to integrate privacy into systems development,30 which is essential for Deltex in extending beyond mere compliance with privacy legislation.

Executives suggested that it was too expensive to separate user information. Systems such as Schmidtler et al.’s,31 which can be purchased from Kofax Inc, MUST be implemented to ensure that those who do not opt in do not have their data disclosed; otherwise Deltex will face greater costs from lawsuits and fines due to contravening APP 6.1.32

For users who opt-in, data must be de-identified before it can be disclosed.33 This PIA advocates using our external consultants, the CSIRO and OAIC’s joint de-identification decision-making framework to ensure this process is completed.34

Only if these recommendations are integrated into the Kartman project should Deltex market Kartman as ‘privacy friendly’; otherwise Deltex may be liable under section 18 of the Competition and Consumer Act (Cth) for misleading advertising.35

Furthermore, the continuing deception of users is highly unethical and encourages a privacy-manipulative community of data companies and game developers. Deltex must focus on becoming a privacy-leader, and support the integration of privacy controls and honesty into organisations. This may repair some of the damage sustained from the cybersecurity breaches.

Hosting Data Overseas

The OAIC Guide to Undertaking a PIA states that under the Privacy Act, “your entity is responsible and accountable for the personal information it collects, even when the information is held by external service providers or contractors operating in Australia or overseas”.36

This means that although overseas organisations may not be bound by Australia’s privacy laws, Deltex is still liable and responsible for the information it has collected and disclosed, and that is used by overseas partners.

APP 8.1 supports this.37 Therefore, this PIA strongly recommends against attempting to host data in Libya and Russia, where there are no or inadequate privacy laws,38 to avoid Australian privacy law.

Additionally, implementing these methods would be unethical and cause social harm to users. Once data is sent to these data hosts, although Deltex is prosecutable, these organisations are not and can use the disclosed data however they please.

Personal information could be sold on the black market or to thousands of organisations, resulting in significant disclosures of individuals’ personal information.

Instead, Kende and Rose recommend contracting with local data hosts to develop a local internet ecosystem. This would enable and encourage the environment to follow suit, benefiting domestic organisations and the community.39

Furthermore, although contracting with hosts in developing countries appears cheaper, data delivery is slower, which depreciates user experience and possibly results in higher costs as users become frustrated with poor service.

The authors of this PIA also advocate against contracting with Syrian help-desk services. Syria experiences severe internet outages, and is ranked as one of the most censored countries in the world, where the government repeatedly intercepts transmitted data, which is a privacy concern.

Additionally, due to the Syrian civil war, which the BBC has detailed, the country is highly unstable. It is likely that communication with services in Syria would be unreliable, resulting in poor customer service.

Deltex should either partner with a local customer-service provider or seek these services from organisations operating in more stable countries where privacy capabilities can be adequately assessed using leading frameworks like the GDPR,45 combined with the requirements of the APPs.

Data Security

Currently, Deltex uses ROT-13 cryptography to encrypt information held in data centres. This is inadequate, as Swenson notes ROT-13 provides effectively no cryptographic security.46 Additionally, this security cannot encrypt data being transmitted between data centres.

It’s unethical and socially harmful for Deltex to fail in taking steps to ensure personal information is protected, as hackers could use this information to commit identity fraud and access financial accounts.47 Under APP 11.1 it is also illegal for Deltex to fail in this capacity.48

This PIA recommends contracting with Security First Corp to acquire O’Hare and Orsini’s data-security-in-motion technologies for implementation into Deltex’s operations.49

Furthermore, Thota et al’s progressive and established framework for big data security should be incorporated into the decision-making process when selecting the data hosts Deltex will contract with, to prevent engaging with privacy-lacking firms.50 Organisations should meet the framework’s requirements before partnerships are formed, as otherwise Deltex’s stakeholders may suffer if Deltex and our data hosts are breached.

On a final note, Deltex’s directors should be wary of receiving advice from former Equifax security advisors. These footnoted articles should convince readers why.

Bibliography

Articles, Books and Reports

Australian Privacy Foundation, Privacy Impact Assessments (2017)

Bowker, Lynne and Gloria Pastor, ‘Translation Technology’, The Oxford Handbook of Computational Linguistics 2nd edition (Oxford University Press, 2015)

Chang, Yaping et al., ‘Online In-Game Advertising Effect: Examining the Influence of a Match Between Games and Advertising’ (2013): 11 Journal of Interactive Advertising 63

Colesky, Michael, Jaap-Henk Hoepman and Christiaan Hillen, ‘A Critical Analysis of Privacy Design Strategies’ (Paper presented at 2016 IEEE Security and Privacy Workshops, San Jose, CA, USA, 22-26 May 2016)

Gluck, Joshua et al., ‘How Short Is Too Short? Implications of Length and Framing on the Effectiveness of Privacy Notices’ (Paper presented at the Twelfth Symposium on Usable Privacy and Security, Denver, CO, USA, 22-24 June 2016)

Information and Privacy Commission, Guide to Privacy Impact Assessments in NSW (2016)

Keogh, Karen, Chelsea Gordon and Patricia Marinovic, ‘Global developments in cybersecurity law: is Australia keeping pace’ [2018]: (42) Law Society of NSW Journal 82

Layton, Roslyn, How the GDPR Compares to Best Practices for Privacy, Accountability and Trust (2017)

Office of the Australian Information Commissioner, Australian Community Attitudes to Privacy Survey 2017 (2017)

Office of the Australian Information Commissioner, Guide to undertaking privacy impact assessments (2014)

Office of the Australian Information Commissioner, Mapping Information Flows (2014)

Office of the Australian Information Commissioner, Rights and responsibilities (2014)

Office of the Australian Information Commissioner, The De-Identification Decision-Making Framework (2017)

Reisman, Dillon, Algorithmic Impact Assessments: A Practical Framework For Public Agency (2018)

Swenson, Christopher, Modern Cryptanalysis: Techniques for Advanced Code Breaking (John Wiley and Sons, 2008)

Taylor, Robert, Eric Fritsch and John Liederbach, Digital Crime and Digital Terrorism (Prentice Hall Press, 2014)

Thota, Chandu et al, Big Data Security Framework for Distributed Cloud Data Centers, in Cyber Security and Threats: Concepts, Methodologies, Tools, and Applications (Information Resources Management Association, 2018)

Toch, Eran, Yang Wang and Lorrie Faith Cranor, ‘Personalization and privacy: a survey of privacy risks and remedies in personalization-based systems’ (2012): 22 User Modeling and User-Adapted Interaction 203

Legislation

Competition and Consumer Act 2010 (Cth)

Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)

Other

Arends, Brett, ‘Equifax hired a music major as chief security officer and she has just retired’ Market Watch, September 15, 2017

BBC, ‘Syrian Internet Back After a 19-Hour Blackout’ BBC News, 9 May 2013

BBC, ‘Why Is There A War In Syria’, BBC News, 18 September 2018

Bernard, Tara Siegel et al, ‘Equifax Says Cyberattack May Have Affected 143 Million in the U.S.’ New York Times, September 7, 2017

CPJ, ‘10 Most Censored Countries’ Committee to Protect Journalists, 2 May 2012

Gaudin, Sharon, ‘Syria Hit By Widespread Internet Outage’ Computer World, 21 March 2014

Kende, Michael and Karen Rose, ‘Promoting Local Content Hosting to Develop the Internet Ecosystem’ (2015) Internet Society

O’Hare, Mark S. and Rick L. Orsini, ‘Systems and methods for securing data in motion’ (Patent No US9443097B2, 2010)

Opsahl, Kurt, ‘Facebook’s Eroding Privacy Policy: A Timeline’, Electronic Frontier Foundation, 28 April 2010

Rumyantsev, Stanislav, ‘Russian Federation: GDPR is Haunting Russia: Compliance Challenges’, Mondaq (Russia), 19 September 2018

Schmidtler, Mauritius A. R. et al, ‘Systems and methods for organizing data sets’ (Patent No US9082080B2, 2008)

Reference No. CSH019001992