Overview
To develop a strategy for cross jurisdictional privacy and data protection, it is necessary to build a functional understanding of the physical assets, the information located, and the activities taking place within each jurisdiction. It is also necessary to have a functional understanding of the legal regime in each jurisdiction, with particular attention to:
- the regime protecting information and communications from unauthorized access or interception;
- rules that prevent cross border transfers ("on soil requirements") and/or which impose requirements that apply before information can be sent or made accessible outside the jurisdiction;
- the privacy regime and whether or not it could be used to protect information not collected from residents in the jurisdiction;
- making sure that local privacy policies and the information handling practices are consistent with
The aim of your Australian data protection strategy is to establish and maintain a culture of information security awareness and compliance within your organisation, taking into account the Australian regulatory environment.
Securing information is not just protecting it from being accessed by third parties. A commonly used way to summarise the key objective is to refer to the “CIA” — Confidentiality, Integrity and Availability or, to avoid confusion with the USA Central Intelligence Agency, the “AIC” triad. The AIC triad is an important reminder that information security is not just about confidentiality but also about recognising that information can lose its value if it cannot be trusted, perhaps because it has been compromised by error or deliberate interference or has not been
The analysis necessary to identify relevant information, relevant risks and the steps necessary to devise appropriate remediation procedures and solutions can be undertaken at a point in time as a discrete project. It is relatively straightforward to complete such a project, to publish your policies and to conduct initial training. The temptation and natural tendency is to regard the completion of that work as a job done. This is particularly the case because your policies can serve as evidence of compliance and may even be referenced to clients as evidence of your awareness of the relevant issues and as an indication of your commitment to cybersecurity.
See Allocation of responsibility.
Policies and procedures buried on the intranet or forgotten at the bottom of the
Guidance
Developing a strategy for cross jurisdictional compliance
Your objectives in developing a strategy for cross jurisdictional compliance | Understanding the nature of cross border business operations
Analysing your data and data flows
What is data mapping? | Importance of data mapping | Global regulatory compliance
Anticipating issues and risks
Introduction | Protection measures | Risks to consider | Jurisdictional compliance
Selecting local experts and asking the right questions
Introduction | Step 1 - Engage a local expert | Step 2 - Ask the right questions | Step 3 - Other considerations
Checklists
Data security - Checklist for De-identification of personal information
A. Mitchell, Unisys
Checklist for Complying with both the Privacy Act and the GDPR
S. Sharma, S. Field and B. Tomlinson, Maddocks
Privacy - Checklist for Privacy policy
S. Sharma, Special Counsel, Maddocks
Cybersecurity strategy - Checklist for Overall cybersecurity strategy
P. Fair and S. Lee, Baker McKenzie
Data security - Checklist for Data security audit plan
A. Mitchell, Unisys
Workflow Checklist: Exceptions to notification obligations
D. Kneller, Madgwicks Lawyers
Data Breach Assessment Guideline
P. Fair and S. Lee, Baker McKenzie
Checklist for Ensuring data protection compliance
P. Fair and S. Lee, Baker McKenzie
Privacy - Internal privacy guidelines for staff
S. Sharma, Special Counsel, Maddocks
Cybersecurity strategy - Checklist for remote working
LexisNexis Legal Writer Team
EU General Data Protection Regulation (GDPR) - Compliance checklist
S. Sharma, S. Field and B. Tomlinson, Maddocks
Checklist for computer and device use
P. Fair and S. Lee, Baker McKenzie
Checklist for Transfers of personal data outside the European Economic Area
S. Sharma, S. Field and B. Tomlinson, Maddocks
Checklist for Data breach response guideline
P. Fair and S. Lee, Baker McKenzie
Privacy - Checklist for direct marketing
S. Sharma and E. Lau, Maddocks
Workflow Checklist: Identifying when a data breach is notifiable
D. Kneller, Madgwicks Lawyers
Data security - Checklist for Disaster recovery planning
A. Mitchell, Unisys
Workflow Checklist: Assessing a suspected data breach
D. Kneller, Madgwicks Lawyers
Checklist for Staff training on data protection compliance
P. Fair and S. Lee, Baker McKenzie
EU general data protection regulation (GDPR) - Checklist for controller versus processor
S. Sharma, Special Counsel and B. Tomlinson, Partner, Maddocks
Threshold compliance checklist - GDPR and the Privacy Act
S. Sharma, S. Field and B. Tomlinson, Maddocks
Privacy by design - practical checklist
S. Sharma, Maddocks
Workflow Checklist: Content of notification
D. Kneller, Madgwicks Lawyers

Legislation

Healthcare Identifiers Act 2010 (Cth)
Personally Controlled Electronic Health Records Act 2012 (Cth)
Privacy Act 1988 (Cth), s 6(1)
Freedom of Information Act 1982 (Cth)
Invasion of Privacy Act 1971 (Qld)
Listening and Surveillance Devices Act 1972 (SA)
Listening Devices Act 1991 (Tas)
Listening Devices Act 1992 (ACT)
Surveillance Devices Act 1998 (WA)
Surveillance Devices Act 1999 (Vic)
Surveillance Devices Act 2004 (Cth)
Surveillance Devices Act 2007 (NSW)
Surveillance Devices Act 2007 (NT)
Surveillance Devices Act 2016 (SA)