Carly: How was your run this morning?
Jane: How did YOU know I ran this morning?
Carly: Don’t you remember? You shared all your health data with me. I get alerts every time your heartrate goes above 120!
Jane: I did what?!?
This is a fictional scenario, but not at all far-fetched.
You might recall that in 2017, Strava released a ‘heat map’ showing all activities logged by users of the app. Unfortunately, lots of US military personnel were sharing their activities, and the map revealed sensitive data about the (now not-so-secret) location of active members.
What is the Internet of Things?
IBM defines the Internet of Things (IoT) as ‘a giant network of connected things and people – all of which collect and share data about the way they are used and about the environment around them.’
Essentially, this means any ‘smart’ device. You might wear a smartwatch, use a smartphone, or monitor your blood glucose with a device that plugs into your smartphone. Perhaps you binge Netflix on your smart TV, while placing an online grocery order from your smart fridge. Maybe your car can drive itself or you can answer your doorbell from the other side of the world.
The IoT is not new, but more and more products are coming online. Recent estimates suggest that there will be 64 billion IoT devices across the world by 2025. With so many devices connected to the internet and sharing data, security and privacy are critically important.
How safe is your data on an IoT thing?
The Australian Government is considering this question as part of a consultation on the Code of Practice: Securing the Internet of Things for Consumers (the draft Code of Practice). The consultation is a significant component of the development of the Government’s broader 2020 Cyber Security Strategy and is driven by a concern that the security settings of many IoT devices leave users vulnerable to cyber attack.
The draft Code of Practice is aimed at IoT manufacturers, service providers and app developers and includes 13 principles to address IoT data security. The principles recommend measures for IoT devices relating to strong passwords, disclosure policies, software integrity and updates and security and data protection.
The ‘data’ at the centre of this is personal data or personal information. Personal information must be handled in accordance with the Privacy Act 1988 (Cth, the Privacy Act) and the Australian Privacy Principles (APPs) contained at Schedule 1 of that Act.
The Australian Information Commissioner has long had an interest in the IoT. A 2016 sweep of IoT devices in Australia found that:
- 71 per cent failed to properly explain how information was stored;
- 69 per cent did not adequately explain how customers could delete their information off the device;
- 38 per cent failed to include easily identifiable contact details if customers had privacy concerns; and
- 91 per cent did not advise customers to customise their privacy settings.
These are worrying statistics, and give rise to valid concerns from IoT end-users.
What if make IoT, ‘things’?
If you make IoT devices, provide services for the IoT (eg software, communications or cloud) or are an IoT app developer it is important that your device or service complies with legislative requirements, including the APPs.
This includes APP 11, which deals with security of personal information, requiring APP entities that hold personal information to take must take reasonable steps to protect the information:
(a) from misuse, interference and loss; and
(b) from unauthorised access, modification or disclosure.
For some IoT industry participants, security of personal information is core to their business. However, there are risks that security and privacy are treated as a ‘bolt-on’, rather than by design.
If you are in the IoT industry, Gartner has published guidance to help preserve customers security and privacy. This guidance recommends IoT stakeholders to include privacy in their risk assessments to:
- Involve legal advisors to validate regulatory compliance in all business-relevant jurisdictions
- Identify processing purposes, enabling purposeful use in line with individuals’ expectations
- Make an informed decision on appropriate amounts of data needed and purge excess data.
The growing number of devices in the market means there is a goldmine of data for the IoT industry to improve products and services. However, ‘with great power comes great responsibility’ and you need to ensure your business complies with your legislative obligations in relation to security and privacy.
What if something goes wrong?
IoT industry participants need to be prepared in the event they suffer a security breach. Most importantly, IoT industry participants need to have a data breach response plan. That plan should also deal with an APP entity’s obligations under the Notifiable Data Breach scheme.
For more information on your organisation’s requirements under the Privacy Act, contact our office.
 See https://www.homeaffairs.gov.au/reports-and-pubs/files/code-of-practice.pdf, citing a report by Gartner Inc.
 B Willemsen and D Mahdi, Preserve Privacy When Initiating Your IoT Strategy, Gartner, March 2017 (Refreshed December 2019).
 Known as the Peter Parker (aka Spider-Man) principle,. See: https://en.wikipedia.org/wiki/With_great_power_comes_great_responsibility