A Brief Guide to the ICT Security Controls Required by the Australian Privacy Principles and Mandatory Data Breach Notification Scheme

On 13 February 2017 the Senate passed the Privacy Amendment (Notifiable Data Breaches) Bill, establishing a Mandatory Data Breach Notification Scheme in Australia. Its purpose is to protect the rights of individuals and strengthen community trust in businesses and agencies.

This amendment to the Australian Privacy Act 1988 (Privacy Act) gives life to the Mandatory Data Breach Notification Scheme (the Scheme) on 22 February, 2018.

The Privacy Act provides significant obligations for the protection of Personal Information held by Australian organisations (APP entities) and material financial penalties of up to $360,000 for an individual and up to $1.8 million for an APP Entity organisation. ‘APP Entities’ are defined as all businesses and non-government organisations with an annual turnover of more than $3 million, all health service providers regardless of turnover and a range of small businesses (see ss 6D and 6E of the Privacy Act).  State Government agencies are not generally governed by the Act.

The Scheme now mandates that any ‘organisation’ (as defined above) must inform the Office of the Australian Information Commissioner (the Commissioner) and affected parties of a data breach (even if only “suspected”) affecting them where “serious harm” is likely to occur.   “Serious harm” may include serious physical, psychological, emotional, economic and financial or reputation harm.

Other than the obvious financial penalties, breaches of the Australian Privacy Principles can have the following additional consequences:

  • Loss of reputation and customer trust;
  • Harm to your customers and consequential litigation;
  • Reduced business functions and activities;
  • Loss of future income; and/or
  • Failure to meet cyber insurance requirements to exercise compensation and remediation.

Personal information is defined in s 6(1) of the Privacy Act as:

“Information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not”.

However, the types of information that count as personal information are not fixed and can vary widely. The definition is not limited to information about an individual’s private or family life; it extends to any information or opinion about the individual from which they are reasonably identifiable. This can include information about an individual’s business or work activities.

The Act also gives rise to the Australian Privacy Principles (APPs), legally binding principles forming the cornerstone of the privacy protection framework. The APPs set out standards, rights and obligations in relation to handling, holding, accessing and correcting personal information. The APPs provide the flexibility to tailor personal information handling practices to your needs and business model.

The APPs are structured to reflect the personal information lifecycle. They are grouped into five parts:

  • Part 1 — Consideration of personal information privacy (APPs 1 and 2)

  • Part 2 — Collection of personal information (APPs 3, 4 and 5)

  • Part 3 — Dealing with personal information (APPs 6, 7, 8 and 9)

  • Part 4 — Integrity of personal information (APPs 10 and 11)

  • Part 5 — Access to, and correction of, personal information (APPs 12 and 13).

Breaches of the Australian Privacy Principles (APPs) are investigated by the Office of the Australian Information Commissioner (OAIC). The OAIC will refer to the ‘Guide to Securing Personal Information, January, 2015’ when assessing an entity’s compliance with its security obligations under the Privacy Act. As such, it makes a lot of sense for organisations that are covered by the Privacy Act, and consequently by the Scheme, to be aware of these obligations and understand whether or not they currently comply.

We will now document some salient points from the Guide and highlight briefly how organisations can work towards implementing what the Guide states.

Good privacy practice is important for more than just ensuring compliance with the requirements of the Privacy Act. If an entity mishandles the Personal Information of its clients or customers, it can cause a loss of trust and considerable harm to the entity’s reputation.  Additionally, if Personal Information that is essential to an entity’s activities is lost or altered, it can have a serious impact on the entity’s capacity to perform its functions or activities.

It is important for entities to integrate privacy into their risk management strategies.  Robust information-handling policies, including a privacy policy and data-breach response plan, can assist an entity to embed good information handling practices and to respond effectively in the event that Personal Information is misused, lost or accessed, used, modified or disclosed without authorisation.
