InfoGovANZ

Information Governance Think Tank

Featured

RIMPA and InfoGovANZ announce continued alliance

by

InfoGovANZ and RIMPA Global Signature

RIMPA and InfoGovANZ are delighted to announce their continued alliance.

RIMPA has been aligned with InfoGovANZ for some years enabling members to embrace and learn from InfoGovANZ leaders in information governance.

The term ‘information governance’ brings together a broad range of professionals from information and records management, legal, privacy, eDiscovery, cybersecurity and information security, AI, data analytics and infonomics.  InfoGovANZ continues to lead the region on information governance thought leadership, innovations and global best practices through its international community.  RIMPA brings a rich history and expertise in records and information management to the InfoGovANZ community.   Our organisations provide important forums for the latest  learning, education and collaboration for our respective members.

Working towards a global framework, RIMPA embrace what InfoGovANZ represent as the leaders in our region bringing together information governance thought leaders globally to promote best practices.

We look forward to the continued alliance and a range of learning opportunities for our respective members in 2023.

Susan Bennett, Executive Director, InfoGovANZ and Anne Cornish, CEO, RIMPA 

7 December 2022

Changes to Australia’s Privacy Act: Overview and Preparation Checklist

by

 

In the wake of the recent wave of high-profile data breaches at Optus, Medibank and MyDeal, Attorney-General Mark Dreyfus tabled the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (the Bill) in Parliament on 26 October 2022.   The Attorney-General referred to the data breaches having highlighted ‘the potential to cause serious financial and emotional harm to Australians’ and that the bill sends a clear message that the government takes privacy, security and data protection seriously.  The Bill significantly increases penalties under the Privacy Act 1988 (Cth), provides the Australian Information and Privacy Commissioner with increased powers to resolve privacy breaches and strengthens the Notifiable Data Breaches Scheme.

Increased penalties

Penalties for a serious or repeated breach of privacy will be significantly increased from the current maximum of $2.22 million to not more than the greater of:

  • $50 million;
  • three times the value of any benefit obtained through the misuse of the information; or,
  • if the value of the benefit obtained cannot be determined, 30% of a company’s domestic turnover in the relevant period, which is a minimum 12 months.

In the Second Reading Speech, the Attorney-General stated that, ‘penalties for privacy breaches cannot be seen as simply the cost of doing business. Entities must be incentivised to have strong cyber and data security safeguards in place to protect Australians.’

Strengthened Notifiable Data Breaches Scheme (NDB Scheme)

The existing NDB Scheme will be strengthened in two significant ways by:

  • empowering the Privacy Commissioner to assess an entity’s compliance with the Scheme’s requirements.
  • providing the Privacy Commissioner with new information-gathering powers in regard to the Scheme’s reporting and notification requirements.

Enhanced enforcement powers

The Bill will also improve the powers available to the Privacy Commissioner to:

  • Resolve privacy breaches by empowering the Commissioner to publish notices about specific breaches of privacy or otherwise ensure those directly affected are informed;
  • Compel entities to undertake external reviews to improve their practices to reduce the likelihood of them committing a breach again; and
  • Provide new information-gathering powers to conduct assessments and new infringement notice powers that can be used if an entity fails to provide information when required, without the need to engage in litigation.

Extraterritorial powers

The Privacy Act’s extraterritoriality provisions will be amended, so that foreign organisations which ‘carry on a business’ in Australia must meet the obligations under the Privacy Act.  In the second-reading speech, the Attorney-General explained that the purpose of this amendment is ‘to ensure Australia’s privacy laws remain fit for purpose in a globalised world and to ensure the Privacy Act can be enforced against global technology companies who may process Australians’ information on servers offshore’.

Greater information sharing arrangements

The Privacy Commissioner will have the express power to publish a final determination following a privacy investigation as well as information about their final assessment report. The Commissioner will be able to publish information about other matters, such as an update about an ongoing privacy investigation, if it is in the public interest.

The Commissioner will also be able to share information with enforcement bodies, alternative complaint bodies and privacy regulators for the purpose of the Commissioner or the receiving body exercising their functions and powers. The Australian Communications and Media Authority will also be provided better powers to share information within government for enforcement purposes.

The aim of the improved information sharing arrangements is to, ‘drive better cooperation between regulators in order to deliver better outcomes for Australians’.

PREPARATION CHECKLIST

Review the checklist below to see how well prepared your organisation is to demonstrate compliance with the Australian Privacy Act 1988 (Cth) (Cth.

1. Policy Compliance

Check that Privacy Policies and Notices up to date and compliant.

  • Audit whether your Privacy Policy is being adhered to within the organisation.
  • Audit whether the collection of personal data accords with the Privacy Notice.

2. Data Minimisation

Check – what personal data does your organisation really need to collect?

One of the critical risks to finally receive attention in Australia arising from the Optus and Harcourt data breaches is the over-collection and over-retention of personal data.

Review Privacy Notices and audit personal data being collected to assess whether it is reasonably required to provide a service or to be collected in accordance with a regulatory obligation to collect and retain that personal data.

3. Data Over-Retention

Check the process for securely disposing personal data.

Audit whether personal data is being disposed of when it is no longer required to be retained in accordance with the organisation’s Records and Archiving Policy or with regulatory requirements to retain records.

In light of the recent high profile data breaches, the over-retention of personal data poses a significant risk for organisations in the event of a serious data breach.

4. Data Map

Ensure there is an up-to-date data map, showing where data is stored, particularly personal data, which is essential for:

  • Robust information lifecycle management, including disposal of data that is no longer required to be retained;
  • Responding efficiently to a serious data breach by being able to quickly identity the types of data that have been subject to unauthorised access;
  • Demonstrating the measures in place to protect and secure personal data in accordance with the requirements of the Privacy Act.

Check whether it is includes identifying and locating personal in all the organisation’s systems including cloud storage and any third-parties’ systems that have been listed on the data map identifying all the locations where personal data is stored?

5. Data Security

Ensure the organisation is prepared to defend against and respond to cyber-attacks and incidents by assessing whether:

  • Organisational IT policies (BYOD, password, data management, IT procurement, network access) up to date and being complied with (check via audit).
  • Necessary steps have been taken to protect personal data in the custody of the organisation – e.g. encryption being applied to all personal data both in transit and at rest as required.
  • User, application and backend access controls are correct and up to date. Personal data being held in locations with limited or just-in-time access.
  • Local and cloud-based and third party controlled applications used by the organisation have been tested for security suitability and approved for use.
  • The organisation has fit for purpose security software and hardware to assist in the prevention, detection and response to security incidents (e.g. multi-factor authentication on critical systems particularly those with external access, anti-virus/mal-ware suites, actively managed proxy firewalls, intrusion detection systems, enterprise incident response applications).
  • Proactive steps to build security culture and awareness within the organisation are taking place (e.g. training, education, phishing and social engineering exercises).
  • Relevant security information and performance metrics are being reported to executives and the board

6. Data Breach Incident Response Plan

Check has your data breach incident response plan been reviewed and updated? Consider the following elements:

  • Are roles and responsibilities during a data breach clearly laid out and up to date?
  • Is there clear escalation procedures and established arrangements to activate internal or external incident response specialists?
  • Does the plan have sufficient detail and guidance to address both deliberate and accidental data breach incidents, as well as internal and external originating threats?
  • Are there protocols in place for capture and analysis of logs and other records from critical systems in the event of a suspected breach?
  • Does the response plan provide sufficient guidance on how to approach internal and external communications, particularly with media and customers?
  • Has there been recent data breach response training exercise carried out involving executives, Board and key players listed in the response plan?

7. Robust Information Governance

Implement and/or review the Information Governance Framework and polices to ensure there is adequate holistic information governance reporting, which is identifying and monitoring privacy compliance across the organisation including the various areas of privacy and legal, IT and cybersecurity and records and information siloes.

A robust enterprise-wide information governance framework provides a mechanism to co-ordinate and collaborate across the organisational siloes and to promote an information and data protection culture led from the top-down to minimise privacy and data breach risks.

At least one-third of all data breaches are caused by human error and many other successful cyberattacks are greatly enabled by human error from within an organisation.  Robust information governance can greatly assist in both minimising data and information risks as well as enabling organisations to maximise data and information value.

Authors: Susan Bennett, Founder and Executive-Director InfoGovANZ and Dr Peter Chapman, Forensic Technology Expert and InfoGovANZ Advisory Board

InfoGovANZ is delighted to announce a new platinum sponsorship with Ansarada

by

Ansarada is a global information governance platform that companies, advisors and governments rely on for securely managing their critical information in high-stakes processes like deals, risk, compliance, board governance and infrastructure procurement. Ansarada is the software relied upon by business professionals in over 180 countries worldwide.

As businesses grow and get more complex, processes are often the first thing to slip. Ansarada puts an end to inefficient, chaotic, outdated and risky systems by providing a comprehensive toolkit for all things governance. Run everything from risk and compliance to ESG programs to audits in one centralised hub. A little more order, a lot less risk.

Ansarada believes when information and processes are structured correctly, organisations gain the insight and confidence required to achieve better outcomes.  Ansarda’s mission is to protect and raise every company’s potential and we are delighted that Ansarada are committed to working the members of InfoGovANZ and to support the community in achieving global best practices in information governance and innovation. Together we can seek to ensure that the professional discipline of information governance is recognised as a key component of governance strategies to effectively govern, align and manage the risks and opportunities arising from the exponential growth of data in the information age.

We look forward to Ansarada becoming a valued member of the InfoGovANZ community.

Questions for boards to ask about cybersecurity

by

The Australian Cyber Security Centre  (ACSC) has released a guide for boards and executives that discusses high-level topics to know about cyber security within organisations.  Boards need to proactively build an understanding of their organisation’s specific cyber threat and risk environment.

The Guide sets out how the board can understand as much as possible about cyber security risks, how they can stay informed and the questions they should be asking to mitigate cyber risks.

Read the ACSC Guide here.

Optus Data Breach – the risks of data over – retention

by

  The Optus Data Breach incident has shed some much-needed light on the need for robust, top-down board governance over organisational data and information. It is evident that this attack has demonstrated the need for organisations to sufficiently invest in cyber-attack prevention, detection and response. While the Optus data breach is still under investigation, the consensus from government statements and external experts seems to be that that human error played a significant part in this data breach. It is not uncommon for human factors to either cause or amplify technical weaknesses resulting in a data breach, about one-third of all reported personal data breaches from OAIC’s Notifiable Data Breaches Reports are attributed to human error as the primary factor. Whether data breaches are caused by human error or technical fault, security experts widely agreed that organisations should consider data breaches a question of ‘when’ rather than ‘if’. This in turn […]
Member only content (join now)