Australia's Privacy Commissioner gets serious about infosec

The new OAIC information security guide sets out "reasonable steps" to protect personal information, but how many organisations will comply by March 2014?

According to Australia's Privacy Commissioner, Timothy Pilgrim, every single one of the high-profile investigations he completed in 2011–12 involved data security issues and information security is now the major issue affecting consumer privacy.

"Information security is clearly a significant privacy issue and has emerged as a major challenge for us all. These incidents tell us that 'privacy by design' is essential. Organisations need to build privacy into business as usual practices and new projects," Pilgrim said in a statement.

A new document from the Office of the Australian Information Commissioner (OAIC), launched yesterday as part of Privacy Awareness Week, Guide to information security (PDF), sets out the Commissioner's expectations of organisations when it comes to protecting the personal information they hold from misuse, loss and from unauthorised access, use, modification or disclosure.

"Although this guide is not binding, the OAIC will refer to this guide when assessing whether an entity has complied with its information security obligations in the Privacy Act," the document reads.

With "significant" privacy reforms coming into force in March 2014, it's clearly time for organisations to review their privacy and associated information security practices.

Yet according to a survey conducted by McAfee in April, most employees responsible for managing personal information aren't across these changes.

Organisations, particularly smaller businesses, could well be caught short.

"Entities are expected to consider ICT security measures and the protection of personal information as part of their decision to use, purchase, build or upgrade ICT systems rather than attempting to address privacy later, for example after a privacy breach has occurred," the guide reads.

"It is also expected that entities regularly monitor the operation and effectiveness of their ICT security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of personal information."

The guide lists "reasonable steps" that would be familiar to anyone working in a high-security environment: whitelisting rather than blacklisting applications, Web and email domains; processes to ensure prompt software patching; multi-factor authentication; prompt revocation of access when no longer required, for example when employees leave; log and audit trail monitoring; encryption of data at rest and of portable devices; security testing; backup management; having a data breach response plan and so on.

Yet such things are often unheard of in smaller organisations, and the Privacy Act applies to every Australian business with a turnover greater than $3 million a year, every business handling medical records, and some others as well.

"Businesses and government agencies cannot ignore the need to take steps to protect the personal information of their customers or clients. This is critical to meet the current requirements of the Privacy Act 1988 as well as new requirements due to commence in less than 12 months," Pilgrim said.

But are businesses listening?

