Australia Moves Swiftly on Data Protection
The Need for Protection
Data security incidents are occurring daily. Their costs are sometimes measured in the billions, and they take a toll on organisation management and brand reputation. Many organisations are starting to collaborate with government, Information Sharing and Analysis Centres and other organisations to improve their threat awareness. Big Data analytics are also being employed to model threats and to monitor for cybersecurity attacks. These approaches can help to rationalise where cybersecurity resources are employed: will it be more effective to increase the defence of data repositories instead of spending more on the perimeter? Additionally, understanding where sensitive data resides and exploring usage patterns are useful for identity and access management, to ensure that all persons and functional IDs have proper entitlements. Many organisations are looking to create or adopt a risk-based security framework such as ISO 27001, in an effort to create a sensible approach to safeguarding their data. A risk-based framework helps businesses keep their data secure by measuring the maturity level of each control item and using that measure to drive security improvements.
The Australian Privacy Principles Framework
The Privacy Act defines personal information as information about an identified individual, or an individual who is reasonably identifiable. This includes information such as name, address, telephone number, date of birth, medical records and bank account details. The Act includes thirteen Australian Privacy Principles ("APPs"). The APPs outline how organisations must maintain privacy in the use and handling of both solicited and unsolicited personal information. The APPs specify that organisations should de-identify information in these situations:
- Where particular sections of the organisation do not require access to the full information asset, but could make use of a de-identified version
- To minimise the risk of wrongly disclosing personal or confidential information when it is shared or published
Earlier this year, a Privacy Management Framework was introduced that provides steps for organisations to achieve compliance with the Australian Privacy Principles. The Framework has four steps to ensure good privacy governance and to meet ongoing compliance obligations. The steps are:
- Step 1: Embed: a culture of privacy that enables compliance
- Step 2: Establish: robust and effective privacy practices, procedures and systems
- Step 3: Evaluate: your privacy practices, procedures and systems to ensure continued effectiveness
- Step 4: Enhance: your response to privacy issues
The proposed Privacy Amendment (Notification of Serious Data Breaches), also known as the Exposure Bill, is the Australian Government's effort to amend the Privacy Act with an obligation for organisations to notify the Australian Information Commissioner and affected members of the public when there is unauthorised access to, or unauthorised disclosure of, information that will result in a risk of serious harm to any of the individuals whose information was compromised. If an organisation is aware, or ought reasonably to be aware, that there are reasonable grounds to believe that a serious data breach has occurred, it must prepare a Notification Statement that describes the data breach and the kinds of information that were affected, as well as a recommendation about what steps the impacted individuals should take. The Information Commissioner can also require an organisation or agency to publish a Notification Statement if there are reasonable grounds to believe that a serious data breach has occurred. Failure to comply with the requirements of the Bill can attract civil penalties of up to AU$1.8 million.
How will it impact my business?
The introduction of mandatory data breach notification laws in other nations has seen the number of reported data breaches increase dramatically, and in some cases has resulted in class actions. Would the same be expected in Australia? It may be time to get your house in order now, or you might be drinking with the flies in the bush.
Joe Santangelo, Delphix Corp.
Joseph.Santangelo@delphix.com +1-646-596-2670 @jisantangelo