Overview
Identifying and classifying types of data or information can be useful in the context of data security to help determine what:
- legal obligations and rights may apply to the data or information;
- benefits and risks may arise from its possession or use; and
- the data or information can be used for, by whom, and in what circumstances.
Where applicable, it may be useful to classify or categorise data or information as:
- personal information;
- confidential information and trade secrets;
- financial data or information;
- intellectual property; or
- government official information.
Personal information is defined in the Privacy Act 1988 (Cth) (Privacy Act).
An organisation may have confidentiality obligations to other parties in relation to data or information. It may have trade secrets such as valuable methods or know-how which are a source of
An organisation can seek to prevent or minimise a personal data security breach occurring by implementing an effective organisational data security compliance framework.
An effective organisational data security compliance framework can avoid or minimise the risk of an organisation and individuals within it breaching personal data security obligations.
Such a framework should usually include:
- regular audits of the organisation’s IT security policies, systems, controls, processes and practices;
- effective IT security policies, systems, controls, processes and practices;
- staff training and awareness of data security obligations;
- a positive and strong compliance culture; and
- ongoing governance oversight.
An organisation should conduct regular audits of the organisation’s IT security systems, processes, practices and policies.
An organisation should develop and maintain effective IT security policies, systems, controls, processes and practices to prevent or minimise
A service provider is an organisation or person that provides any form of service to another organisation or individual.
Most service providers will have access to, use or store data or information in relation to providing a service that could be involved in a data security breach.
Such data or information may include personal information, confidential financial information or trade secrets, intellectual property and government official information.
A data security breach may arise whenever data or information of a service provider is accessed or used in any manner without permission, or is stolen, lost, corrupted, damaged or destroyed.
This may occur through the deployment of malicious code, by the acts or omissions of the service provider’s employees or contractors, and through unauthorised access to
Data security is frequently an issue of critical importance in commercial contracts between both public and private sector customers and their respective suppliers.
Under commercial agreements, a supplier may have access to, or be responsible for managing or hosting, confidential business information, personal information or government official information of the customer or the customer’s end-users.
The issue of data security tends to be addressed in commercial contracts with an ever-increasing level of sophistication and detail, as technological developments continue to rapidly advance and the risk of data security breaches is ever-present.
Data security obligations in commercial contracts are often addressed under three topics:
- data security;
- privacy; and
- confidentiality.
Data security obligations in commercial contracts can cover a number of aspects of data security, including compliance with a
The term “big data” is often defined with reference to the characteristics of the volume, variety and velocity of data (the “three V’s”).
The characteristic of “volume” refers to the quantity or magnitude of data. “Variety” refers to the range of different types of data. “Velocity” refers to the speed at which data is generated, processed or analysed.
Other features of big data that have been identified are veracity, variability and complexity. The characteristic of “veracity” refers to the unreliability or imprecision of certain data. “Variability” refers to variability in the rate or velocity of data flow. “Complexity” refers to the multiple sources from which data may be generated.
Big data is created, transferred, stored, hosted, used and processed daily in virtually all
Guidance
Types of data
Identifying and classifying types of data | What are the sources of legal obligations that apply to particular data or information?
Types of breaches
How a data security breach may occur | Who can cause a data security breach
Data security obligations
Legal obligations in relation to data security | Obligations in relation to government requirements | Legal obligations in relation to data retention and destruction
Consequences to an organisation of the data security breaches
Consequences of a data security breach for an organisation | Identifying potential legal remedies for a data security breach | Determining which legal remedies to pursue in relation to a data security breach | Initiating the exercise of legal remedies
Checklists
Data security - Checklist for De-identification of personal information
A. Mitchell, Unisys
Checklist for Complying with both the Privacy Act and the GDPR
S. Sharma, S. Field and B. Tomlinson, Maddocks
Privacy - Checklist for Privacy policy
S. Sharma, Special Counsel, Maddocks
Cybersecurity strategy - Checklist for Overall cybersecurity strategy
P. Fair and S. Lee, Baker McKenzie
Data security - Checklist for Data security audit plan
A. Mitchell, Unisys
Workflow Checklist: Exceptions to notification obligations
D. Kneller, Madgwicks Lawyers
Data Breach Assessment Guideline
P. Fair and S. Lee, Baker McKenzie
Checklist for Ensuring data protection compliance
P. Fair and S. Lee, Baker McKenzie
Privacy - Internal privacy guidelines for staff
S. Sharma, Special Counsel, Maddocks
Cybersecurity strategy - Checklist for remote working
LexisNexis Legal Writer Team
EU General Data Protection Regulation (GDPR) - Compliance checklist
S. Sharma, S. Field and B. Tomlinson, Maddocks
Checklist for computer and device use
P. Fair and S. Lee, Baker McKenzie
Checklist for Transfers of personal data outside the European Economic Area
S. Sharma, S. Field and B. Tomlinson, Maddocks
Checklist for Data breach response guideline
P. Fair and S. Lee, Baker McKenzie
Privacy - Checklist for direct marketing
S. Sharma and E. Lau, Maddocks
Workflow Checklist: Identifying when a data breach is notifiable
D. Kneller, Madgwicks Lawyers
Data security - Checklist for Disaster recovery planning
A. Mitchell, Unisys
Workflow Checklist: Assessing a suspected data breach
D. Kneller, Madgwicks Lawyers
Checklist for Staff training on data protection compliance
P. Fair and S. Lee, Baker McKenzie
EU General Data Protection Regulation (GDPR) - Checklist for controller versus processor
S. Sharma, Special Counsel and B. Tomlinson, Partner, Maddocks
Threshold compliance checklist - GDPR and the Privacy Act
S. Sharma, S. Field and B. Tomlinson, Maddocks
Privacy by design - practical checklist
S. Sharma, Maddocks
Workflow Checklist: Content of notification
D. Kneller, Madgwicks Lawyers

Legislation

- Types of data
- Data security obligations
- Best practice before a breach occurs
- Compliance after a data security breach has occurred
- Preventative measures for service providers in relation to data security
- Obligations to respond appropriately to data breaches
- Cybersecurity liability and insurance
- What is big data and how to deal with it
- How to collect and use big data
- Preventative measures