Overview — Australian data protection strategy

The aim of your Australian data protection strategy is to establish and maintain a culture of information security awareness and compliance within your organisation, taking into account the Australian regulatory environment.

Securing information is not just protecting it from being accessed by third parties. A commonly used way to summarise the key objective is to refer to the “CIA” triad (Confidentiality, Integrity and Availability) or, to avoid confusion with the USA Central Intelligence Agency, the “AIC” triad. The AIC triad is an important reminder that information security is not just about confidentiality: information can lose its value if it cannot be trusted, perhaps because it has been compromised by error or deliberate interference or has not been maintained accurately. The lack of availability of information when it is required can have the same consequences as loss of confidentiality or loss of integrity.

The first step in the preparation of a data protection strategy is to understand the regulatory context in which you operate and identify applicable rules and guidelines. Next, you should identify the relevant classes of information that you need to protect, consider the risk exposure that accompanies each class of information and whether or not the measures currently in place are adequate having regard to the potential risk to your organisation.

It is important to consider the components that make up a secure framework. It is a common mistake to focus on the protection of IT systems. While the protection of IT systems from unauthorised access and careful control of access privileges is a critical component, it is also necessary to consider employee related issues such as background checking, the terms and conditions of employment, the adequacy of training, supervision and audit. Control of the physical environment is also relevant.

For more information on practical considerations in developing and implementing a data protection strategy in Australia, see: Developing a strategy for Australian data protection, Procedures for implementation and Systems for improvement.


Overview — Personal data security breach management

Best practice before a breach occurs

An organisation can seek to prevent or minimise a personal data security breach occurring by implementing an effective organisational data security compliance framework.

An effective organisational data security compliance framework can avoid or minimise the risk of an organisation and individuals within it breaching personal data security obligations.

Such a framework should usually include:

  • regular audits of the organisation’s IT security policies, systems, controls, processes and practices;
  • effective IT security policies, systems, controls, processes and practices;
  • staff training and awareness of data security obligations;
  • a positive and strong compliance culture; and
  • ongoing governance oversight.

An organisation should conduct regular audits of the organisation’s IT security systems, processes, practices and policies.

An organisation should develop and maintain effective IT security policies, systems, controls, processes and practices to prevent or minimise the risk of breach of data security obligations.

Employees should receive regular training on compliance with data security requirements.

The main objective of the training should be to build and maintain a good level of current awareness of how to comply with, and avoid breaching, data security obligations.

Employees of an organisation whose roles involve performing services for the organisation’s customers should be familiar with any contractual obligations that the organisation has to the customer concerning data security requirements.

Organisations should develop and maintain a positive and strong compliance culture in relation to data security obligations.

A positive and strong compliance culture can embed best practice with respect to data security awareness and compliance within the values of an organisation and the values and behaviours of its staff.

An organisation should also implement effective internal governance processes and oversight of data security issues.

Internal governance processes should enable the timely and accurate reporting of data security compliance issues and breaches to relevant internal stakeholders.

Responding to a data security breach as it occurs

To determine how to respond to a data security breach involving the personal information of one or more individuals, the organisation should determine:

  • what is the nature of the data security breach;
  • what is/are the cause(s) of the data security breach;
  • who is affected by the data security breach; and
  • what are the potential consequences for the organisation and those affected by the data security breach.

An organisation should have one or more decision-makers (i.e. a response team) who are responsible for:

  • assessing the nature and cause(s) of a data security breach;
  • identifying who is affected and what the potential consequences are; and
  • deciding upon an appropriate course of action for the organisation in relation to a data security breach.

It is important for an organisation to first identify the nature of a data security breach, to help it determine and plan an appropriate response.

It is also important for an organisation to identify the actual and potential consequence(s) of a data security breach.

This will help the organisation to prepare an appropriate response to the data security breach, including what actions and organisational resources are required to achieve an appropriate response.

Promptly upon becoming aware of a data security breach, an organisation should ensure that key internal stakeholders are:

  • alerted to the occurrence of the data security breach; and
  • given sufficient information in relation to the data security breach as soon as possible to enable them to assess the potential impacts of the occurrence.

An organisation may need to develop a different response depending on whether it is at fault or whether another organisation or person is at fault.

Such response should take into account a range of considerations, including complying with any relevant contracts with affected parties and communications with affected parties.

Compliance after a data security breach has occurred

Once an organisation has responded to and resolved a data security breach issue, it should:

  • conduct an internal audit to determine the root cause(s) of the data security breach;
  • determine what remediation measures are required to prevent or minimise the possibility of any recurrence of the data security breach; and
  • implement the necessary remediation measures and monitor their effectiveness.

Consideration should be given to whether offshore data transfers comply with APP 8 and whether an offshore data transfer agreement is required.

For more information on practical considerations in personal data security breach management, see: Best practice before a breach occurs, Responding to a data security breach as it occurs and Compliance after a data security breach has occurred.


Overview — Ensuring data protection compliance

Perhaps the most difficult challenge in ensuring effective cybersecurity is making sure that the elements of your strategy are implemented in practice.

Allocation of responsibility

The analysis necessary to identify relevant information, relevant risks and the steps necessary to devise appropriate remediation procedures and solutions can be undertaken at a point in time as a discrete project. It is relatively straightforward to complete such a project, publish your policies and to conduct initial training. The temptation and natural tendency is to regard the completion of that work as a job done. This is particularly the case because your policies can serve as evidence of compliance and may even be referenced to clients as evidence of your awareness of the relevant issues and an indication of your commitment to cybersecurity.

Induction and training

Policies and procedures buried on the intranet or forgotten at the bottom of the drawer will not reduce the cybersecurity risks faced by your organisation. In order to be effective, policies and procedures must be integrated into day-to-day operations, be used in decision making and training, and be revised and updated in response to changes in technology, changes to the business and experience with risks and incidents. If not implemented, your well-documented strategy can become the benchmark against which your actual conduct is measured should a third party claim or a formal investigation by a regulator follow a security incident. It is vital that your security strategy be embedded in the operational life cycle of your organisation.

Monitoring, testing and responding to change

In this subtopic, we discuss steps that you can take to embed your cybersecurity strategy in the management culture and business life cycle of your organisation. As part of the privacy operational life cycle, data protection compliance is achieved through the monitoring, auditing and communication aspects of the management framework, where:

  • monitoring identifies any gaps and weaknesses in an organisation's privacy program;
  • auditing ensures consistency, effectiveness and sustainment of the privacy practices; and
  • communication creates internal and external awareness of the privacy program, ensuring flexibility to respond to legislative and industry changes.

For more information on the practical considerations in ensuring compliance of a data protection strategy, see Allocation of responsibility, Induction and training, and Monitoring, testing and responding to change.

Overview — Planning and Implementing New Projects

In order to mitigate the risk of privacy issues and cyber security threats, and to achieve data resilience, it is important to take a proactive approach to privacy.

This means thinking critically about privacy during the planning and implementation stages of a project.

Conducting a privacy impact assessment

A privacy impact assessment (PIA) is an essential part of implementing new projects in order to achieve privacy by design.

A PIA is a systematic evaluation of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

Obtaining consent to collect personal information

For any new project where personal information is collected, it is vital to consider the issue of consent. Consent is relevant to the operation of a number of Australian Privacy Principles (APPs). In some APPs, consent is an exception to a general prohibition against personal information being handled in a particular way (for example, an APP entity can only collect “sensitive information” if the individual consents, unless an exception applies). In others, consent provides authority to handle personal information in a particular way (for example, sensitive information cannot be used for direct marketing without consent, and express consent obtained after the individual has been informed that the relevant information will not be protected by APP 8.1 allows disclosure of personal information overseas).

The Information Commissioner has made clear that consent is a particular regulatory focus. She has stated publicly that “The practical application of concepts of fairness and the role of consent will be central to the future of privacy in Australia. It is a key issue that unites my regulatory priorities and, accordingly, I also think it should be a key focus point for every organisation moving forward.”

Given these statements, consent, when relied on as a basis for complying with the Privacy Act, needs to be carefully considered by organisations.

Separately, once an APP entity collects personal information from an individual, APP 5 — Notification of the collection of personal information requires that the individual be notified of certain mandatory issues.

For more information on practical considerations when planning and implementing a privacy-based approach in projects, see: Implementing a privacy by design approach, Conducting a Privacy Impact Assessment, and Obtaining consent to collect personal information.

Cyber attacks: risks and remedies for the modern firm

When many people think of cybersecurity, they think of two-step authentication, multiple passwords and firewalls, but it is much broader than that. While these systemic defences are absolutely necessary for any business, data breaches are inevitable. So rather than spending energy and resources solely on prevention, businesses need to focus on managing cyber attacks quickly and efficiently to minimise the fallout. Data privacy is paramount for the financial and reputational health of any business, and in order to maintain this, businesses need to understand the risks and how to mitigate them.

At the 2019 LexisNexis Decoding Cybersecurity: Clause and effect Perth event, panellist Zahn Nel, Director at CT Group Solutions, said, ‘There are two types of businesses. Those who have been breached and those who are not aware they have been breached.’ Many of the best-resourced and secure organisations in the world including Facebook, Google and Maersk have suffered high profile breaches.

The damage from a breach can be severe and come in the form of regulatory penalties or fines, other financial damage resulting from the loss of data, and loss of reputation, which in some cases can be worse than the economic toll. For example, the Cambridge Analytica scandal has dragged Facebook’s name through the mud and it now faces a $5bn fine from regulators. Google suffered a large drop in share price following a 2018 breach, and the damage bill from Maersk’s run-in with 2017’s NotPetya malware is estimated at $300 million.

There are many types of cyber attacks, and attackers will try different things depending on their intent: they may just want to incapacitate an organisation’s systems (a DDoS attack) or they may decide to hold data hostage in order to extort money (a ransomware attack). Attackers can gain access through a number of different means, but the most common way is through an organisation’s biggest vulnerability: its people.

A 2019 report from Kaspersky Lab found that some element of human error is present in 90% of data breaches. This could mean errantly clicking on a link in a phishing email, or lax personal cybersecurity such as leaving passwords somewhere easily accessible or reusing the same simple password across multiple systems. Attackers are skilled at identifying and exploiting these sorts of errors because it makes their job much easier: why waste time picking a lock when you can just take the key? It is therefore critical that businesses educate staff on best practice in cybersecurity and on how to respond when a breach occurs.

While the vast majority of attacks come from outside the organisation, they may also come from inside, the most common example being disgruntled employees stealing and leaking data. In 2018, the electric vehicle maker Tesla discovered that an employee had written code to regularly export large quantities of sensitive intellectual property and financial data, which was being shared with undisclosed third parties. After uncovering the breach, Tesla alleged that the employee was disgruntled after being reassigned to a new role within the business and passed over for a promotion.

With so much at stake, businesses need a plan to maintain their defences and minimise financial and reputational loss in the inevitable event of a data breach. There are some key steps that every organisation should be taking to minimise their vulnerability to cyber attack:

It would be wrong to say that any business can ever be 100% secure, or fully immune to cyber attack. But by following the steps above, businesses can reduce the likelihood of attack and drastically reduce the financial and reputational damage resulting from a breach.

Contact your Relationship Manager for more in depth information on our Practical Guidance Cybersecurity, Data Protection and Privacy module. Alternatively email Sales.Enquiries@lexisnexis.com.au or call us on 1800 772 772