New Privacy Rules

AUTHOR: Rick Stone

Most agencies and organisations that collect personal data must comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. These are commonly known as APP entities.

An online checklist can help you determine whether your agency or organisation is an APP entity and is required to protect personal information.

From tomorrow, any APP entity must report any data breach that compromises personal data. If a personal information breach occurs, an agency or organisation must notify the Australian Information Commissioner and affected individuals once it has reasonable grounds to believe there is an eligible data breach.

A breach is considered to have occurred if either of the following conditions is met:

  • unauthorised access to or disclosure of information
  • information is lost where unauthorised access to or disclosure of information is possible

A breach must also be likely to result in serious harm to the individuals to whom the information relates. Serious harm must be more than (understandable) distress or upset according to the guidance notes.

This means that all APP entities need four things:

  1. A prevention strategy to stop hackers or other adversaries from gaining access to data including personal information. This includes security systems to prevent inadvertent loss (like leaving a computer on the train)
  2. A monitoring system to detect a potential breach before it becomes an actual breach
  3. A response plan for potential or actual breaches (there is an exemption for notification if the breach is remediated such that no serious harm is likely)
  4. A notification plan to manage any notifiable breach, which includes a way of notifying the Commissioner and the affected individuals within a reasonable timeframe. This could include: direct contact; placing a notice on the entity’s website; and advertising in social or traditional media

This plan may also need to include elements of crisis communication as the entity’s reputation will be under serious threat.

For more information you can read the Office of the Australian Information Commissioner’s Notifiable Data Breach scheme resource page or contact us at Tigertail.

The Show Must Go On

AUTHORS: Kate O'Shea & Matthew Harper

Sudden loss of senior leadership is a risk for every organisation.

From Harold Holt’s disappearance while swimming off the Mornington Peninsula in 1967 to Richard Cousins’ seaplane accident just this summer, the reality is key staff can abruptly leave any organisation at any time for a multitude of reasons.

Some of these can be foreseen and planned for, some can happen in an instant. Some of these have minimal repercussions for the organisation beyond the change of staff, some can become existentially threatening.

The recent spate of highly-public executive-level staff losses due to allegations of improper conduct sharpens the focus on planning for such events.

In the case of the Melbourne City Council, ex-Lord Mayor Robert Doyle’s recent resignation revealed an anomaly between the council’s legislated requirements to ensure a safe workplace for elected councillors and the powers that the Local Government Act provides the general manager of a council to manage councillor behaviour.

According to an internal report, the council has been unable to respond effectively because of “major gaps in the reporting and management of sexual harassment allegations” as well as no clear guidance on dealing with harassment allegations from Victoria’s Local Government Act (1989).

Preparation, exercising and execution are the keys to an organisation surviving and thriving when key personnel are abruptly lost.

A good recent example of a loss of key staff that was well prepared for, well exercised and well executed was the departure of Craig McLachlan from the national tour of the Rocky Horror Picture Show.

The theatre industry often employs an understudy setup – where key characters from productions are rehearsed by alternate actors – to ensure the show always goes on. In these instances, personnel loss is prepared for (understudy chosen) and exercised regularly (understudy rehearsals).

 Adam Rennie as Frank-N-Furter. Pic: Annette Dew

In this case, McLachlan’s understudy, Adam Rennie, undertook a smooth transition. Preparation, exercising and execution ensured his early performances received strong reviews.

Tigertail helps organisations prepare for the loss of key staff through developing and exercising transition plans, all of which ensures your organisation can execute when key staff are lost suddenly.

Stimulus for the Strategic: why we need to invest in virtual reality

AUTHOR: Matthew Harper

When it comes to crisis management and preparation, I’m a believer in big exercises. Not necessarily big simultaneous exercises, but carefully managed, logically sequenced exercises. Where people from across a range of skills, experience and roles are tested for reactions and decision-making capability. 

One of the challenges when developing valuable crisis simulation exercises is providing sustained and appropriate stimuli to senior decision makers, including having them respond to the consequences of the decisions they make.

It’s easy to run a fire-drill that gets everyone out of their seat and onto the street. But a real crisis demands more complex and ongoing solutions than a simple building evacuation. Leaders need to make stressful real-time decisions. As such, exercises need to demand more from leaders.

Traditionally, decision makers have been incorporated into tabletop or hypothetical exercises. These are great for testing arrangements, practicing plans, challenging assumptions and establishing the relationships needed in a crisis. What they rarely do is challenge participants to make a decision and then react to the consequences of that decision.

Some form of virtual reality (VR) provides organisations the ability to learn, practice and test not only essential frontline skills but high-level immediate crisis decision making (communication, critical decision making and problem solving).

Let’s consider two real life examples in the aviation sector.

Airports test fire plans, response to a simulated crash and security lock down procedures. But does anyone park a 737-800 full of people, start a fuel leak, open all the emergency doors and evacuate 184 people onto the tarmac in real-time? Does anyone do it a second time, but introduce mobility and vision impaired, unaccompanied minors, non-English speaking passengers and minimal ground staffing?

Equally, do strategic decision makers test their decision-making if an A330 lands with a suspicious package on-board? Do they consider the range of potential issues? Do they watch the response agencies move into position? Do they manage the terminal shut down and the associated road traffic build up?  Can they cope with social media pictures from inside the plane and radio stations bombarding the switchboard? Can they do all this while still not quite knowing the full extent of what’s happening inside that large white metal cylinder?

Changi Airport does. So do others, but big picture exercises are still a distant reality for many.

Virtual reality is effective at putting leaders under stress. In the real world, key decision makers are often miles away from the situation and engaging via phone, text, television or live-streaming. These are the delivery tools of a VR system: the people in the room are real, the decision making is real and the simulation is where the improbable and impossible become reality.

Tigertail Australia will be bringing international expert Martijn Boosman from XVR in the Netherlands to Canberra to present a breakfast forum on VR technologies, the trends and its use around the world. Click here to access the booking form for event and registration information.

Day Zero in Cape Town - Who'll Be Ready?

Author: MATTHEW HARPER

Rarely do we know the date disaster will strike, but April 16 could be a bad day for residents, businesses and travellers in Cape Town. The South African government are calling it Day Zero.

The region is experiencing a critical water shortage due to insufficient rainfall and fast declining dam levels. In response, authorities have developed a Water Disaster Plan and a series of FAQs that are a sobering read.

On Day Zero (based on the City of Cape Town Water Dashboard), city officials will shut down all water distribution and require more than one million households to queue for water at one of 200 distribution points. When you reach the front of the queue, you will receive 25 litres of water per person up to 100 litres.

 

 Image: independent.co.uk

So, what will happen on Day Zero?

The average Cape Town household will have to find containers, sort out a roster for lining up and be prepared to wait. Those families without access to a vehicle will endure the daily effort of carrying their ration home.

Some residents (disabled, elderly) won’t be able to get to their water at all. Will their communities rally to help them?

While the impacts on the residents will become evident very quickly, for local and international businesses the realities may come as a shock.

If your business is operating in South Africa, you need to consider your exposure to Day Zero.

In Cape Town:

  • Offices will not receive reticulated water
  • Water for firefighting is not guaranteed
  • Families may need additional time to ensure their water supplies
  • Services may not be available for all the above reasons
  • The security situation may deteriorate

Elsewhere in South Africa:

  • Impact on accommodation (office and home) as businesses relocate
  • Loss of markets
  • Impact on staff who may be helping friends and family forced to move
  • The security situation may deteriorate

In Australia:

  • Do you have staff with families in Cape Town?
  • Do you have staff travelling for business or holiday in the region?

Do you have the plans in place to deal with Day Zero in Cape Town or similar crises that could disrupt your business in Australia, the region or the world? 

If in doubt, Tigertail has the experience to help you prepare for your own Day Zero.

Hawaii Missile Alert: how would you fare?

Author: MATTHEW HARPER

Several years ago, while working at Emergency Management Australia, I attended a conference on disaster preparedness. It was in an earthquake prone, known tsunami hot spot, so - being me - I went prepared with a survival kit designed to cope with the first 48 hours of any crisis.

In the first day, we experienced a magnitude 5 earthquake and a series of rolling aftershocks. As such, I couldn’t sleep and was convinced the next one was going to be the big one.

On the second day, a Tsunami Alert System siren activated across the island. It was louder than any siren I’d ever heard before and I quickly began the seven-floor climb to the roof, survival kit in hand.

Arriving about 8 minutes later, I was alone except for a young American couple. They’d come straight from the pool, through the hotel, up the stairs and seemed hopeful of sharing my survival kit.

So, what happened? Turns out, it was just a test.

On this particular island, test announcements are made after the test occurs and we soon learned the sirens went off most Tuesdays around 2pm. While my new American friends were embarrassed, I was just incredibly happy to have completed the stair climb quite so quickly. The staff, it goes without saying, thought it was the funniest thing they’d seen for some time.

As a crisis professional, I’ve been watching the commentary regarding the recent incorrect missile alert in Hawaii with keen interest. The way people react to sudden onset crisis has fascinated me for many years. In particular, how businesspeople lead or manage during a crisis.

 Photo: The Daily Beast

The idea that America’s island state could be at risk grew steadily during 2017 and Hawaiian officials have clearly been undertaking work to be ready for any eventuality.

On December 1st, the Washington Post reported on the first test of the new Hawaiian emergency siren system and the next day a National Public Radio story covered the level of concern felt by residents, the preparation work being done in schools and the reactions of business and workers.

Importantly – but unfortunately – the media reporting after the false test focussed on the failures, errors and problems involved with the system, which led to the message being sent. In an ideal world, reports would have focussed on what residents should do to get it right in case of a real event.

The tests were not perfect by any stretch of the imagination and the employee responsible for sending the message lost their job. But officials who risk their reputations to prepare communities for crises should be applauded not vilified.

Individuals and organisations must be constantly thinking of, and planning for, potential crisis challenges. We should all be wondering whether enough has been done to prepare our families and organisations for sudden disaster.

Is an evacuation plan in place for a terror warning? Can your organisation secure its premises in a sudden storm? What happens after a chemical spill? Can leaders provide guidance or assistance to their staff during an external disruption, like say, a city’s rail system shutting down unexpectedly?

Whatever plans are in place need to be practised and drilled. There’s no point knowing what the plan is if you can’t actually follow through with the instructions. Efforts must be made to ensure front-line staff can provide the necessary guidance and leadership to other staff, customers and visitors. A communications plan reaching everyone under your organisation’s real or perceived care should also be enacted.

Tigertail can help your business prepare and exercise for the crisis times; and that will have you better prepared for everyday disruptions, like the trains.

Why Mt Agung could be more than a holiday disruption.

Over the past few months, volcanic eruptions throughout Indonesia have made the news for the disruption to human life in Indonesia and the inconvenience caused by airlines cancelling flights to and from Bali. The current eruptions have been accompanied by travel insurance companies taking a clear risk leadership position, withdrawing coverage to people insisting on travelling into an area being impacted by an active volcano.

But what if the real problems are yet to come?

Volcanic eruption and its impact on modern life is not a big consideration in most business risk statements. Australia has been mainly free of the effects of volcanic eruption for most recorded history but we don’t have to look far to see how we could be significantly impacted by a regional volcano undergoing an explosive eruption.

In May 1980, Mt St Helens in Washington State ejected “about 0.3 cubic mile of uncompacted ash” (USGS) resulting in the loss of 57 lives and more than 200 homes, as well as damage to 185 miles of highways and roads. Over 1000 flights were affected while everyday lifelines – electricity, sewage and fresh water – were disrupted in Washington State.

In 2010, Iceland’s Eyjafjallajökull Volcano threw Atlantic and European air travel into chaos when it pumped huge volumes of ash directly into a very stable jet stream, which sent the volcanic debris across Europe and the UK.

So, what does this mean for business in Australia? 

Our recent experience is of small eruptions stopping Australians travelling to and from Bali; beyond that it is limited. But what if Mt Agung, Mt Batur or any of the 125 other active volcanos in Indonesia erupt with the ferocity of Krakatoa in 1883?

That eruption fired ash an estimated 80km into the atmosphere and dropped average global temperatures by around 1.2 degrees, while the explosion itself, along with tsunamis, pyroclastic flows, food production loss and contamination of fresh water, probably killed 36,000 people.

We don’t really know what the effect of such a massive disruption could be to life in Australia. The obvious is the immediate loss of any international jet travel through the ash cloud, but what would it do to shipping, electricity and international communications (including to cloud computing services that are so reliant on the international undersea cable network)?

Effective planning means you need to think about the most likely disruptions first; but remember to consider less likely, potentially more damaging possibilities.  Talk to one of the Tigertail team about how to test your emergency, crisis and continuity plans today.

With thanks to the US Geological Service and linked sources.

 
 Mt. Agung, Amed, Bali

Fraud: When public, customer and community service loses out to self service

When crises unfold, poorly planned and untested response operations will stress any organisation. Fraud, corruption and malfeasance can be substantial risks during times of disruption.

While fraud losses have the greatest impact on smaller organisations (often posing existential risks to finances or reputation), even companies with mature identification and investigation capabilities are not immune.

Some of the worst examples have occurred most brazenly within the top tiers of large, established organisations. According to the Report to the Nations on Occupational Fraud and Abuse – 2016 Global Fraud Study, the typical organisation loses 5% of revenues in a given year as a result of fraud. And when owners or executives commit fraud the median damage increases tenfold.

Increasingly, not-for-profit organisations have been placed under the corruption spotlight. Risk amongst these organisations is higher partly due to less stringent reporting rules, lower accountability, and limited controls and oversight (especially in developing countries).

Which brings us to the recent Red Cross admission, “that millions of dollars meant for fighting the deadly outbreak of Ebola in west Africa were siphoned off by its own staff.”

It’s an example of untested channels and systems being built and operated with little planning and almost no testing. And while the Red Cross has “committed to holding all those involved in any form of fraud to account”, it’s too little too late. How many lives could have been saved if that money had gone where it needed to go?

Closer to our home, incidents of fraud in NSW have increased steadily since comparable records began in 1995. And all three levels of Australian government have experienced fraud or corruption within their own ranks over the last few years.

As corruption is demonstrably increasing across Australian businesses and governments (and can even happen to the Red Cross!), organisations without a plan for reducing corruption risk during times of crisis are simply asking for trouble.

While the specifics of the Ebola outbreak could not have been predicted, a massive scale crisis in western Africa could have reasonably been envisaged. Responsible planning for the immediate roll out of new operational channels and systems should remain ongoing for all organisations. Crucially, training and drilling these plans regularly reduces the likelihood of corruption during an emergency or crisis response.

Tigertail can help your organisation with crisis planning and training, including systems of communication, accountability and reliability.

 