An observation, and some actions to take, arising from the OAIC's privacy breach Determination against the Australian Federal Police. The breach arose out of a free-of-charge proof of concept for 10 people.
Many companies run proofs of concept, but the AFP Determination is a high-impact regulatory action arising from a very small and contained proof of concept. The AFP Determination recalibrates how we must think about privacy compliance for proofs of concept.
The Determination is about what the AFP failed to do, not what a supplier should have done. So, assuming that you can't get a vendor to take much, if any, liability for a proof of concept (free or not), you will need to consider a privacy impact assessment and compensating controls that address the level of risk to individuals and the privacy compliance obligations relevant to the activity.
This may mean adjusting your internal procedures to ensure that proofs of concept are now treated as a potentially high-risk privacy compliance exposure.
A privacy impact assessment is still not mandatory for private organisations in Australia (it is for Government Agencies like the AFP), but the signal from the Commissioner is clear: not having one for a high-risk activity (even though it is not mandatory) isn't going to be well received.
Sure, the AFP had some control measures in place, yet the Commissioner still found the AFP in breach because of the high-risk nature of the activity and because the AFP did not have appropriate controls in place to support the proof of concept's compliance requirements.
Simply, the AFP didn’t do enough that the Commissioner thought was reasonable.
And now, in addition to the breach finding, the AFP has an independent assessor who must review the AFP’s privacy compliance systems and controls.