Assignment – Case Study for 2905ICT (30%)

This case study is built around “The Good Guys”, a company that provides both in-store services and online shopping services. To improve customers’ online shopping experience, a proprietary app will be developed for the online service. It will include all online shopping functionality together with a linked analysis tool in the company’s back end. The analysis tool can analyse the popularity of each product/brand for storage management, market prediction and similar purposes, and it can also analyse all customers’ shopping behaviour and favourite products for marketing and advertising purposes.

The case study consists of three tasks. The first task is to analyse the privacy policy of “The Good Guys” and check whether it complies with the Australian Privacy Principles (APPs). The second task aims to improve cyber security awareness among all employees and third-party contractors of “The Good Guys”. The third task is to undertake a risk analysis for the company and propose appropriate security controls. You need to choose two of the three tasks to complete and include in your final report submission.

These three topics will be introduced in workshops 4.1, 4.2 and 5.1 (weeks 9-11), and your analysis report shall be based on what you learn in those workshops. This instruction document highlights the content you need to cover (in red) and provides a template or a detailed description for each task. After week 11, the complete report shall be submitted through the assignment submission point in Assessment 2.

Report Format:
1. Title (followed by your name, student ID and your course code)
2. Executive Summary (a brief introduction to what will be covered in this report)
3.1 Case description (introduce what “The Good Guys” is and all relevant services it provides)
3.2 Security Operations (choose 2 tasks from the 3 listed topics to include in your report)
    Part 1: Privacy Impact Analysis and Compliance Check
    Part 2: Cyber security awareness measurement questionnaire
    Part 3: Risk Management and Governance
4. Conclusion and Reflection (conclude and reflect on what you have done/learnt in this report)
5. References

Case Study – Part 1: Privacy Impact Analysis and Compliance Check

A Privacy Impact Assessment (PIA) is a systematic assessment of a project that identifies the impact the project might have on the privacy of individuals and sets out recommendations for managing, minimising or eliminating that impact. A full PIA involves the following steps:
Step 1. Threshold assessment
Step 2. Plan the PIA
Step 3. Describe the project
Step 4. Identify and consult with stakeholders
Step 5. Map information flows
Step 6. Privacy impact analysis and compliance check
Step 7. Privacy management — addressing risks
Step 8. Recommendations
Step 9. Report
Step 10. Respond and review

Instead of going through all ten steps in this workshop, you only need to undertake one of the critical steps, “Privacy impact analysis and compliance check”, to examine the privacy policy of the given case against what the APPs regulate. The privacy policy you shall analyse is the privacy policy of “The Good Guys”, available at https://www.thegoodguys.com.au/privacy-policy . You may use the following table as a template for your compliance check. The first row (APP 1) has been filled in as an example. Note: all 13 APPs must be kept in the table. Include the completed table with your full privacy impact analysis and compliance check for Case Study – Part 1 in your assignment report.
Step 6: Privacy Analysis and Compliance Check

This PIA assesses “The Good Guys” services/applications against the objects of the Australian Privacy Principles (APPs). Not every APP in the list below will be relevant to these services/applications; where an APP does not apply, put N/A in the corresponding row. There may also be no identifiable risk, or the privacy policy may not give enough detail (for example, about how personal information is protected). In that case, record your observation in the third column, for example: “No details about how personal information is protected are given in the policy. Personal information shall be transmitted over an encrypted channel such as TLS or a VPN.”

A quick overview of what the 13 APPs regulate:
· open and transparent management of personal information (APP 1);
· anonymity and pseudonymity (APP 2);
· collection of solicited personal information (APP 3);
· dealing with unsolicited personal information (APP 4);
· notification of the collection of personal information (APP 5);
· use or disclosure of personal information (APP 6);
· direct marketing (APP 7);
· cross-border disclosure of personal information (APP 8);
· adoption, use or disclosure of government related identifiers (APP 9);
· quality of personal information (APP 10);
· security of personal information (APP 11);
· access to personal information (APP 12); and
· correction of personal information (APP 13).

The following table summarises the key requirements of each relevant privacy principle. You may use it to undertake the Privacy Impact Analysis and Compliance Check across the 13 APPs. The table has three columns: Privacy Principles (the key requirements of each APP), Implemented information handling practices (what the policy actually says or does), and Identified risks/Comments. The APP 1 row is completed as an example; for APP 2 onwards the second and third columns are left for you to complete.

APP 1 — Open and transparent management of personal information
Key requirements:
· An APP entity must take reasonable steps to implement practices, procedures and systems that will ensure it complies with the APPs and any binding registered APP code and is able to deal with related inquiries and complaints.
· An APP entity must have a clearly expressed and up-to-date APP Privacy Policy about how it manages personal information.
· An APP entity must take reasonable steps to make its APP Privacy Policy available free of charge and in an appropriate form (usually on its website).
· An APP entity must, upon request, take reasonable steps to provide a person or body with a copy of its APP Privacy Policy in the particular form requested.
Implemented information handling practices:
The Good Guys’ Privacy Policy is publicly and freely available on their website. The policy states that The Good Guys handle the personal information they collect in accordance with the APPs. It describes the process for dealing with inquiries and complaints from individuals about the entity’s compliance with the APPs.
Identified risks/Comments (this can be a relevant comment or an identified risk):
The policy includes an email address and a postal address for lodging a complaint. No telephone number is given for following up the status of a complaint or for quickly reporting a data breach.

APP 2 — Anonymity and pseudonymity
· Individuals must have the option of not identifying themselves, or of using a pseudonym, when dealing with an APP entity.
· Anonymity means that an individual dealing with an APP entity cannot be identified and the entity does not collect personal information or identifiers.
· A pseudonym is a name, term or descriptor that is different to an individual’s actual name.
· An APP entity is not required to provide those options where:
  · the entity is required or authorised by law or a court or tribunal order to deal with identified individuals, or
  · it is impracticable for the entity to deal with individuals who have not identified themselves.
· Where applicable, an APP entity must ensure that individuals are made aware of their opportunity to deal anonymously or by pseudonym with the entity.

APP 3 — Collection of solicited personal information
· An APP entity solicits personal information if it explicitly requests another entity to provide personal information, or it takes active steps to collect personal information.
· For personal information (other than sensitive information), an APP entity that is:
  · an agency, may only collect this information where it is reasonably necessary for, or directly related to, the agency’s functions or activities;
  · an organisation, may only collect this information where it is reasonably necessary for the organisation’s functions or activities.
· Personal information must only be collected by lawful and fair means.

APP 4 — Dealing with unsolicited personal information
· An APP entity that receives unsolicited personal information must decide whether or not it could have collected the information under APP 3, and:
  · if the entity could not have collected the personal information and the information is not contained in a Commonwealth record, the entity must destroy or de-identify the information as soon as practicable, if it is lawful and reasonable to do so; or
  · if the entity could have collected the personal information under APP 3, or the information is contained in a Commonwealth record, or the entity is not required to destroy or de-identify the information because it would be unlawful or unreasonable to do so, the entity may keep the information but must deal with it in accordance with APPs 5–13.

APP 5 — Notification of the collection of personal information
· An APP entity that collects personal information about an individual must take reasonable steps either to notify the individual of certain matters or to ensure the individual is aware of those matters.
· The matters include:
  · the APP entity’s identity and contact details;
  · the fact and circumstances of collection;
  · whether the collection is required or authorised by law;
  · the purposes of collection;
  · the consequences if personal information is not collected;
  · the entity’s usual disclosures of personal information of the kind collected by the entity;
  · information about the entity’s APP Privacy Policy;
  · whether the entity is likely to disclose personal information to overseas recipients and, if practicable, the countries where they are located.

APP 6 — Use or disclosure of personal information
· An APP entity can only use or disclose personal information for a purpose for which it was collected (known as the ‘primary purpose’), or for a secondary purpose if an exception applies.
· The exceptions include where:
  · the individual has consented to a secondary use or disclosure;
  · the individual would reasonably expect the APP entity to use or disclose their personal information for the secondary purpose, and that purpose is related to the primary purpose of collection or, in the case of sensitive information, directly related to the primary purpose;
  · the secondary use or disclosure is required or authorised by or under an Australian law or a court/tribunal order;
  · a permitted general situation exists in relation to the secondary use or disclosure;
  · the APP entity is an organisation and a permitted health situation exists in relation to the secondary use or disclosure;
  · the APP entity reasonably believes that the secondary use or disclosure is reasonably necessary for one or more enforcement related activities conducted by, or on behalf of, an enforcement body; or
  · the APP entity is an agency (other than an enforcement body) and discloses biometric information or biometric templates to an enforcement body, and the disclosure is conducted in accordance with guidelines made by the Information Commissioner for the purposes of APP 6.3.

APP 7 — Direct marketing
· An organisation must not use or disclose personal information for the purpose of direct marketing unless an exception applies, such as where the individual has consented.
· Where an organisation is permitted to use or disclose personal information for the purpose of direct marketing, it must always:
  · allow an individual to request not to receive direct marketing communications (also known as ‘opting out’), and
  · comply with that request.
· An organisation must provide its source for an individual’s personal information, if requested to do so by