By Alec Christie, Partner, and James Wong, Associate
The business of mining is undergoing seismic disruption with digital technology playing a large (and increasing) role in mining strategy and operations. But with new opportunities come elevated expectations and new responsibilities.
1: Maintaining a compliant Whistleblower Policy
2019 saw the introduction of a significantly expanded whistleblower protection regime covering the majority of larger businesses (all public companies and all private businesses with 50+ staff, $12.5m in group assets or group revenue of $25m+).
A whistleblower who reports any of a broad range of conduct (including ‘misconduct’ and an ‘improper state of affairs’, whether or not the whistleblower reveals their identity and whether or not they act in ‘good faith’) must be protected under the new laws.
A compliant whistleblowing policy must also have been implemented by 1 January 2020. This policy must include certain mandatory content. Failure to have done so by 1 January 2020 is a criminal offence.
You must also be prepared to respond to ‘emergency disclosures’ and ‘public interest disclosures’ (disclosures which can be forwarded to the media in certain circumstances) and ensure your processes are robust enough to comply with this significantly updated regime.
2: Defending against cybersecurity threats including data breaches
It is no secret that cybersecurity threats are becoming more numerous, more complex and more disruptive to business continuity. Consider that every network-connected node (including industrial sensors on rolling stock, monitoring equipment in mines, servers in data centres and mobile phones in pockets) is vulnerable to attack by a malicious actor. Of course, it is not just malware that you need to protect against. Man-in-the-middle, denial-of-service, data injection and increasingly sophisticated phishing attempts all pose a constant threat to your organisation.
In 2020 cybersecurity is a Board-level issue. The Australian Securities and Investments Commission (ASIC) has made clear that it wants to see certain good practices in place and, as early as 2015, suggested that Australian organisations consider adopting a cybersecurity framework based on that of the National Institute of Standards and Technology (NIST) in the United States. The NIST Cybersecurity Framework is centred on a set of concurrent and continuous activities grouped under the five core functions: ‘identify’, ‘protect’, ‘detect’, ‘respond’ and ‘recover’. But implementing a cybersecurity framework is just the first step. Your journey to cyber resilience is likely to include:
- governance – allocating responsibility for each aspect of your cybersecurity framework;
- cyber insurance – offloading some of the risk where appropriate;
- interception and access requests – understanding your potential obligations under the very broad encryption laws introduced in 2018;
- standards – depending on your situation, it might be appropriate to consider uplifting your systems in accordance with relevant standards (e.g. the ISO 27000 family of standards on information security);
- threat intelligence – staying abreast of current threat vectors at the technical, operational and strategic levels;
- vulnerability scanning – periodically testing the strength of your systems and identifying possible weaknesses that could be exploited;
- third party risk management – mapping external data flows and periodically testing the measures that your third party service providers have in place to safeguard data; and
- training – ensuring that your people act as an effective line of defence against cyber threats.
Furthermore, you could be hit by a data breach at any moment. It could be something as simple as an email with the wrong attachment, a box of documents left by a courier outside reception or a phone slipping out of someone’s bag on the bus. When it hits, you want to know that your organisation is able to respond like clockwork using muscle memory from drills.
It is an expectation of the Privacy Commissioner that organisations have a data breach response plan to meet their obligations to notify all ‘eligible data breaches’. Putting the hefty penalties aside, effective data breach response is about protecting your people and your reputation. There are prescribed elements that every data breach response plan should feature but, importantly, it must be tailored to your organisation.
3: Artificial intelligence, robotic process automation and industrial IoT
If you are currently not using RPA or AI, you soon will be.
With significant advancements in machine learning, automated decision-making is moving well beyond simple automation. This often leads to situations where humans are no longer able to explain decision-making performed by machines (black box AI). It’s important that you maintain in-house technical expertise on any AI-driven technologies that you choose to implement and are always in a position to explain the logic behind automated decision-making (explainable AI). This is important from an ethics and responsibility perspective – you need to answer for the decisions that are made on behalf of your organisation – but it is more likely than not that this issue will soon become one of compliance too (following the European example).
While Australia does not yet have overarching legislation on automated decision-making, we can expect GDPR-style regulation soon. Under the GDPR (which has extra-territorial reach and applies to many Australian businesses) data controllers must:
- generally build in meaningful human review of automated decisions;
- be able to explain the logic behind a decision-making process; and
- take steps to eliminate errors, bias and discrimination.
This is best achieved with an AI governance framework.
4: Embracing digital transformation with the right guardrails in place
Achieving sustainably high productivity while being responsive to market demand is becoming more complex in today’s competitive landscape. Constant variation in mine output to stay responsive to live commodity prices catches out poorly integrated operators where decision-making is siloed or disjointed.
Our view is that in the midst of technology-driven disruption, mining operations must be optimised at a systems level and, in 2020, that means having an end-to-end digitised supply chain.
Creating a fully integrated digital supply chain is a significant undertaking. It requires an innovation mindset at every level of the organisation, strong communication channels between the frontline workforce and executive management and, crucially, the adoption of certain ‘agile’ principles that the sector as a whole has thus far been reticent to adopt. Underlying all of this is the idea that your people must be at the centre of any technology transformation.
We see that miners are getting better at including a more diverse range of perspectives at digital strategy meetings – perspectives from every affected team are essential to success. One key meeting invite you might not immediately think of is to your legal department. Up to this point, legal teams have acted as a final rubber stamp on most IT projects. In 2020, however, they should be involved from day one. Here’s why:
- Compliance-by-design: The front end role of lawyers in your digital strategy reflects so-called ‘compliance-by-design’. A subset of this of particular relevance to digital transformation is ‘privacy-by-design’. Whenever you initiate a new project involving personal information (including a technology implementation), you need to be planning it with privacy compliance in mind from day one, not as a bolt-on at the end.
We recommend formalising privacy-by-design by embedding your privacy impact assessment (PIA) process into your standard project methodology. A PIA provides a systematic approach to assessing any changes to data flows, understanding the impact on privacy and identifying options for mitigating any negative impacts. Dealing with these issues upfront almost always saves significant expenditure.
- Cloud services: If you are taking advantage of the cost savings and convenience of outsourced IT, including cloud-based services (e.g. for ERP), what you may not be aware of is that, depending on your arrangements, use of these services can amount to ‘disclosures’ of personal information, potentially in breach of privacy laws. In other words, the data that individuals entrust to your care could be shared in ways you have limited visibility over. If a cloud service provider were to mishandle personal information or become the subject of a data breach (whether malicious or accidental), this is going to damage goodwill and your public reputation.
- Contract Lifecycle Management: When your services contracts come up for renewal, ensure your in-house lawyers are at the table. You want to ensure that these contracts continue to give you exactly the benefits you need and no more (i.e. no ‘gold-plating’) and address all the potential digital risk issues (e.g. privacy and security obligations). It’s usually worth getting your lawyers to review an IT contract along with privacy and security arrangements before signing up to a new service or renewing a contract.
5: Managing the personal information of employees, contractors, site visitors and the community
From the mine to the operations centre, from the community outreach centre to the corporate headquarters, you have legal and social obligations in respect of the personal information you collect and use.
You likely collect data about employees, contractors, tenants, site visitors and/or the local community. Failure to handle this data in accordance with the requirements of the Australian Privacy Principles (APPs) under the Privacy Act could see you facing fines of up to $2.1m (soon to be the greater of $10m and 4% of the annual domestic group revenue), damages of around $10,000 per successful complainant and possibly irreparable damage to your reputation.
Do you know what data you actually collect, hold and/or share that could constitute personal information? That is, information that could reasonably identify an individual, including if combined with other generally available information. We guarantee that you have much more than you think.
Also, contrary to the prevailing wisdom, the collection of employee personal information is not exempt from the APPs.
The APPs include requirements relating to the storage, use and sharing of personal information, notification of all ‘eligible data breaches’ and a requirement that you delete or de-identify personal information when it is no longer required by law to be kept and no longer needed for the purpose(s) for which it was collected. How long are you keeping visitor registration information?
We recommend that you conduct an audit/review of your information holdings and processes to determine what you collect and hold and ensure that you are collecting, using and disclosing personal information in an open, transparent and compliant manner, that any consents you require are actually being obtained and your data breach response plan and document retention policy are appropriate.
6: Tracking, surveillance and fleet management
There are numerous privacy issues to consider, in particular where such information is collected in tandem with technologies offered by social media platforms and/or where such data is used as part of a data analytics program. Also, surveillance footage is personal information and can only be held as long as required for the notified purposes of collection. Once these purposes are fulfilled (and if the footage is not otherwise required to be kept by law), it must be deleted or de-identified.
While surveillance (of all sorts) can be done in a privacy-compliant way, we have rarely seen such done well in practice without assistance. We recommend undertaking a privacy review (starting with data flow mapping) of all tracking, surveillance and analytics activities.
7: Ongoing privacy and information security management through a privacy management framework and audits/reviews
The Office of the Australian Information Commissioner (OAIC) sets out the steps it expects you to take to meet your ongoing compliance obligations under APP 1.2 in its model privacy management framework. These include taking steps to:
- embed a culture of privacy that enables compliance;
- establish robust and effective privacy processes;
- evaluate your privacy processes to ensure continued effectiveness; and
- enhance your response to privacy issues.
Even if you do not have a holistic privacy management framework in place yet, you may already have some of the component parts. The first step to assessing where you are today is to conduct a privacy audit/review.
A privacy audit (where performed as part of your organisation’s internal audit program) or review (where performed outside of your internal audit program) is an incredibly powerful tool to determine your organisation’s current privacy and information security compliance. It details where your organisation is, not where you think you are or where management hopes you are. It delivers independent assurance as to where your organisation truly stands when it comes to privacy and information security compliance.
A privacy audit/review can be comprehensive (covering your entire organisation and all privacy obligations) or targeted (covering specific business units and/or high-risk areas of compliance). When determining the scope of your next privacy audit/review, also consider including a review of contractual arrangements with third parties – this is a risk area often overlooked.
Please do not hesitate to contact us if you have any questions or if we can assist you on any of these (or your other digital law matters).