DATA4300: Generative

DATA4300 DATA SECURITY AND

ETHICS

Dhanush Chathuranga Hettihandi

1837198
 DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

[Date]

Table of Contents
Table of Contents.......................................................................................................................1
Table of figures...........................................................................................................................1
Introduction to Coles Group.......................................................................................................2
Part A: Ethical Data Collection..................................................................................................2
Data collection methodologies for Cole.................................................................................2
Strategies for Data Accuracy, Completeness, and Reliability at Coles..................................3
Compliance with Relevant Privacy Laws for Coles..............................................................3
Part B: Incident, Response, and Recovery Plan.........................................................................4
Detailed step by step incident response plan for Coles..........................................................4
Communication strategy for Stakeholders.............................................................................5
Key stakeholders and communication channels....................................................................5
Federated learning and data privacy at Coles........................................................................5
Appendix – Generative AI Interactions......................................................................................7
Usage of AI insights...................................................................................................................9
References................................................................................................................................10

Table of figures

Figure 1 - Cole’s franchise.........................................................................................................2

Table 1 - Data collection methods..............................................................................................2

Table 2 - Step by step response plan..........................................................................................4
Table 3 - Communication channels for stakeholders.................................................................5

1
 DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

Introduction to Coles
Group
Coles is a leading Australian
retailer, operating over 1800
stores and employing more than
120000 individuals. The company
collaborates with over 8000
suppliers and caters to millions of
customers each week through
both brick-and-mortar locations
and online services. Coles aims to
be Australia's most trusted retailer
while enhancing long-term
shareholder value, with a mission
Figure 1 - Cole’s franchise
to support Australians in eating
and living better.

Part A: Ethical Data Collection

Data collection methodologies for Cole
Concerning Coles' operational background, we can employ various data collection
methodologies tailored to the specific context, drawing inspiration from the robust framework
of its ethical sourcing program and extending these principles to wider company operations.

Table 1 - Data collection methods

Ethical sourcing context Broader operations

Extend risk assessment
methodologies to other data
collection points, such as new
Company specific practice assessments and
technology implementations
inherent risk evaluations in the supply
Risk assessments customer loyalty programs, and
chain, including site risk assessment
employee data systems, to
questionnaires.
identify potential privacy
impacts and ethical risks
proactively.
Employ ethically designed
Use self-assessment questionnaires for questionnaires and surveys for
Questionnaires and
suppliers to self-assess compliance with customer feedback, employee
Surveys
Coles' “Ethical Sourcing Policy” engagement, and market
research.
Audits (Internal and Maintain risk-based supplier audits every Implement periodic internal
external) 12 to 36 months, with suppliers covering and, where appropriate, third-
the costs. party data privacy and security
audits across various
departments handling sensitive

2
DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

information.
Ensure all digital platforms used for collecting customer data (online shopping
Digital platforms
portals, loyalty program databases, in-store Wi-Fi) and employee data have
and systems
clear privacy notices, consent mechanisms, and robust security features. Data
(including SEDEX)
lineage and purpose will be documented.
Implement accessible and
Maintain various channels for workers and communicated channels for
Grievance and
stakeholders to report concerns, including customers and employees to
feedback
anonymous reporting options. raise concerns or queries about
data collection practices.
Source: ChatGPT prompt

Strategies for Data Accuracy, Completeness, and Reliability at Coles

To ensure data quality,
 Implement validation checks at the point of data entry.
 Provide mechanisms for data subjects (customers, employees, suppliers) to review
and correct their information.
 Conduct regular data quality audits and cleansing processes.
 Clearly define data fields and ensure consistent data entry practices across systems.
Compliance with Relevant Privacy Laws for Coles
Coles, operating primarily in Australia, must exhibit excellent alignment with Australian
privacy laws, and consider international regulations if its operations or customer base extend
further. This necessitates the transparent management of personal information (APP 1), the
collection of data only to the extent reasonably necessary for its functions (APP 3), and clear
notification to individuals regarding the purposes of data collection and their rights (APP 5).
Furthermore, Coles' use and disclosure of personal information are governed by APP 6,
impacting practices such as sharing Flybuys data, while APP 11 mandates robust security
measures to protect data from misuse and unauthorized access.
Beyond the APPs, Coles is subject to the Notifiable Data Breaches (NDB) scheme, requiring
established processes for identifying, assessing and reporting eligible breaches to the OAIC
and affected individuals. While its primary operations are domestic, awareness of
international regulations, such as the GDPR, is crucial for any digital interactions with EU
residents, as it may lead to stricter consent requirements and enhanced data subject rights.
Additionally, Coles must adhere to industry specific regulations such as the Payment Card
Industry Data Security Standards (PCI DSS) for secure payment processing.
(Source: ChatGpt)

3
 DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

Part B: Incident, Response, and Recovery Plan

Detailed step by step incident response plan for Coles
A data breach at a large retailer like Coles, with vast amounts of customer and operational
data, could have severe consequences. Given below is the response plan.
Table 2 - Step by step response plan

1. Develop and regularly update a comprehensive Incident

Response (IR) policy and plan, approved by executive
management.
2. Establish a dedicated IR team with defined roles and
responsibilities.
Phase 1 Preparation 3. Conduct regular training and simulation exercises such as
tabletop and technical for the IR team.
4. Maintain up to date inventories of data assets, systems and
their criticality.
5. Establish secure communication channels for the IR team.

6. Detection - Utilise security monitoring tools such as SIEM,

IDS/IPS, and EDR, as well as internal and external reports,
including customer complaints and ethical disclosures, to
detect potential incidents.
Identification
Phase 2 and initial
7. Verification - Quickly verify if a suspected event is a
assessment genuine security incident.
8. Initial triage and escalation - The first responder, whether
from the IT helpdesk or as a security analyst, escalates the
issue to the IR team lead.

9. Short term containment

 Isolate affected systems from the network by taking
actions such as disconnect a compromised server,
block malicious IP addresses at the firewall, disable
compromised user accounts.
10. System backup
Phase 3 Containment  Preserve evidence by taking forensic images of
affected systems before significant changes are
made.
11. Long term containment
 Implement more permanent solutions to prevent
further spread.

Eradication
12. Identify the root cause of the breach.
(removing the
Phase 4
threats)
13. Remove malicious code, compromised accounts and fix
vulnerabilities.
Phase 5 Restore 14. Carefully restore affected systems and data from clean
Operations backups, ensuring they are up to date and secure.

4
 DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

15. Monitor restored systems closely for any signs of

reinfection or unusual activity.
16. Gradually bring services back online, prioritizing critical
retail operations.
17. Conduct a thorough post incident review to identify lessons
learned.
18. Update the IR plan, security controls and training based on
Post incident
Phase 6
review
the findings.
19. Document the incident comprehensively, including actions
taken, impact and outcomes.
20. Report to regulators and other stakeholders.
(Source: ChatGpt)
Communication Strategy for Stakeholders
Effective communication during a data breach is vital for Coles to maintain trust and manage
its reputation. The strategy must be transparent, timely and tailored to different stakeholders.
Guiding Principles:
 Transparency: Be as open and honest as possible about what happened, what data was
affected and the steps being taken, without compromising the investigation or
security.
 Timeliness: Communicate promptly once credible information is available, adhering
to NDB scheme timelines.
 Empathy: Acknowledge the potential impact on affected individuals.
 Clarity: Use plain language, avoiding overly technical jargon.
 Consistency: Ensure all communications are aligned across channels.
Key stakeholders and communication channels
Table 3 - Communication channels for stakeholders

Key Stakeholders Communication Channels

 Direct notification – Email, SMS
 Public Statements – Website banners, press releases,
1. Customers social media updates
 Dedicated hotline
 FAQ page on website
 Internal Communications - internal briefings to inform
employees
2. Employees
Notifications – Email
 Support gateways - helpdesk
3. Regulators  Formal notification - Official emails
4. Suppliers and
 Formal notification
partners
5. Media  Designate a spokesperson

5
DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

Federated learning and data privacy at Coles

FL is a machine learning technique where a shared global model is trained across many
decentralized edge or data silos, without the raw data ever leaving these locations. Instead of
sending data to a central server, the model is sent to the data, trained locally and then an
aggregated summary of the model updates is sent back to the central server to improve the
global model. (Source: IBM)

Applications for Coles

 Coles could use FL to refine recommendation algorithms directly on users' devices via
its mobile app.
 Optimizing stock and demand forecasting
 Improving in store layout or promotions
Privacy Benefits:
 Data minimisation - Raw data, especially sensitive customer behaviour data, remains
localised, significantly reducing the risk of large-scale data breaches from a central
repository.
 Enhanced user control and trust - Users may be more willing to allow their data to be
used for model training if they know it's not leaving their device or local environment.
 Compliance - FL can assist in complying with privacy regulations by reducing the
amount of personal data that needs to be transferred and centrally stored. (Source:
ChatGpt)
Implementing FL requires careful consideration of model aggregation techniques to prevent
inference attacks, ensuring algorithmic fairness, and managing the computational overhead
on edge devices or local servers. However, the potential for privacy preserving innovation
makes it a compelling technology for a data rich retail environment like Coles.

6
DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

Appendix – Generative AI Interactions

Interaction 1: Initial Company Overview (prompt_1, prompt_2)
 Purpose: To obtain a concise summary of Coles Group Ltd. based on user provided
text.
 Prompt Used: "Coles is one of Australia’s leading retailers... write a small summary
for the company using the above information"
 AI Response: Provided a brief paragraph summarizing Coles' scale, employee
numbers, supplier network, customer reach, vision, and purpose.
 How I Used This Information: This initial AI-generated summary was used to
establish a foundational understanding of Coles Group Ltd while serving as a quick
reference for the company's core characteristics before delving into more specific
assessment tasks.

Interaction 2: Assessment Guidance and PDF Analysis (Prompt_3)

 Purpose: To understand the DATA4300 Assessment 02 requirements and receive
comprehensive guidance on achieving maximum marks for a report on Coles Group
Ltd.
 Prompt Used: "Go through this assignment and provide me with a comprehensive
steps and guidelines regarding on getting the maximum marks. The company I select
was Coles Group Ltd. [PDF attached: DATA4300 Assessment 02 T1 2025.pdf]"
 AI Response: Delivered a detailed breakdown of the assessment structure, word
counts, weighting, and specific advice for each section (Parts A, B, C, D),
highlighting criteria for Higher Distinction and tailoring suggestions to Coles.
 How I Used This Information: The AI's analysis of the assessment PDF and its
tailored guidance was used to create a strategic approach for tackling the report,
ensuring all marking criteria were addressed and focusing efforts on areas critical for
high marks.
Interaction 3: Drafting an Ethical Data Collection Plan (Prompt_4)
 Purpose: To develop an academic ethical data collection plan for Coles Group Ltd.,
drawing upon user-provided text about Coles' existing Ethical Sourcing program.
 Prompt Used: "Coles Group uses a multi-faceted approach to ethically collect data...
using the above information write a suitable data collection plan for Coles relating to
the company operations. Make an academic written plan."
 AI Response: Generated a structured "Coles Group: Ethical Data Collection Plan"
including sections on introduction, objectives, specific data collection methodologies

7
DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

(risk assessments, SAQs, audits, digital platforms, etc.) tailored to Coles, data
accuracy, ethical considerations (consent, anonymity, transparency), and compliance.
 How I Used This Information: The AI-generated plan provided a robust,
academically styled framework. This was used as a primary draft, adapting Coles'
ethical sourcing principles to broader data collection contexts relevant to the
assessment's requirements.
Interaction 4: Generating Detailed Report Content (Parts A & B – prompt_5 )
 Purpose: To create extensive draft content for Part A (Ethical Data Collection Plan)
and Part B (Incident, Response, and Recovery Plan) of the assessment, specifically
targeting Higher Distinction criteria and utilizing all previously discussed information
and uploaded documents.
 Prompt Used: A detailed prompt outlining the specific requirements for Higher
Distinction in Part A (Key Ethical Issues, Data Accuracy & Reliability, Compliance
with Privacy Laws) and Part B (Incident Response Plan, Communication Strategy,
Federated Learning & Data Privacy), requesting content generation using all available
information.
 AI Response: Produced comprehensive draft text for each specified subsection of
Parts A and B, integrating concepts from the assessment brief, workshop materials,
and Coles' Ethical Sourcing Policy, with examples relevant to Coles' retail operations.
 How I Used This Information: This extensive AI-generated content formed a
significant foundational draft for the main body of the report. It was then critically
reviewed, edited for flow, supplemented with further specific examples, and aligned
with my own analysis to ensure originality and meet the assessment's depth
requirements.
Interaction 5: Summarizing Legal Compliance Section (Prompt_6)
 Purpose: To condense a detailed section on Coles' compliance with Australian
privacy laws into a concise, professional paragraph of approximately 200 words.
 Prompt Used: Provided the AI-generated text on Coles' compliance with the Privacy
Act 1988 (APPs), NDB Scheme, GDPR considerations, and PCI DSS, and asked for a
200 word summary with a professional tone.
 AI Response: Delivered a succinct 200w ord paragraph summarizing Coles' key
obligations under Australian privacy law (Privacy Act, APPs, NDB), with brief
mentions of GDPR and PCI DSS.
 How I Used This Information: The AI-generated summary was used to refine a key
section of the report, ensuring it was both comprehensive in its overview of legal
obligations and adhered to a professional tone and conciseness, suitable for an
academic report.

8
DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

Usage of AI insights
In preparing this report, I employed AI tools to improve the research process and the quality
of the written content. I began by using AI to generate innovative data collection methods
suitable for a large retail operation such as Coles. The AI produced a well-organised list of
approaches, which I subsequently tailored to fit Coles’ current ethical sourcing practices and
overall operational objectives.
AI played a crucial role in developing the step-by-step incident response plan. I asked AI to
outline industry best practices for data breach management, but I modified the generic
framework by tailoring it to the retail sector and Coles’ specific communication needs. For
example, I emphasized customer communication channels like dedicated hotlines and FAQ
pages based on Coles’ customer engagement strategies.
In exploring federated learning, I initially relied on AI for a basic understanding of how the
technology works. However, I substantially elaborated and tailored this knowledge to align
with Coles’ practical uses, like customising shopping experiences and enhancing store
layouts, all while adhering to privacy regulations.
Throughout the process, AI acted as an initial idea generator, but I was careful not to copy
outputs simply. I critically reviewed, edited and recontextualised the AI suggestions to ensure
that the report reflected thoughtful human insight, matched the company’s specific
environment, and met academic standards. In short, AI served as a collaborative tool which
provided a starting point that I refined and expanded to create a coherent, customised, and
professionally relevant report.

9
DATA4300: Generative AI: Data Governance, Privacy and Federated Learning

References
 Ibm, R.D.C. and Cole Stryker (2025) What is federated learning?What is federated
learning, IBM. Available at: https://www.ibm.com/think/topics/federated-
learning#:~:text=Federated%20learning%20is%20a%20decentralized,require
%20massive%20volumes%20of%20data. (Accessed: 07 May 2025).
 Human rights (2025) Human Rights | Coles Group. Available at:
https://www.colesgroup.com.au/sustainability/?page=human-rights (Accessed: 05
May 2025).
 (13th of December 2013) Ethical sourcing policy. Available at:
https://www.colesgroup.com.au/FormBuilder/_Resource/_module/ir5sKeTxxEOndzd
h00hWJw/file/Ethical_Sourcing_Policy.pdf (Accessed: 05 May 2025).
 Group, C. (2024) Providing the unseen safety: A day in the life of a cybersecurity…:
Coles Group, Providing the unseen safety: A Day in the Life of a Cybersecurity… |
Coles Group. Available at: https://www.linkedin.com/posts/colesgroup_providing-the-
unseen-safety-a-day-in-the-activity-7259690724655267841-61Z9/ (Accessed: 06 May
2025).
 Bugcrowd Staff (2023) Coles Group Limited vulnerability disclosure program,
Bugcrowd. Available at:
https://bugcrowd.com/engagements/coles-vdp-pro/changelog/7497dc81-f11a-480f-
996d-7717f6b77547 (Accessed: 07 May 2025).

10