Privacy Act Compliance
Do you comply with the Australian Privacy Principles?
The Commonwealth Privacy Act 1988 defines how your business should handle and manage any personal information about your employees, customers and anyone else who has entrusted you with private information. It includes 13 Privacy Principles and the Notifiable Data Breaches (NDB) scheme, and is supported by similar state privacy acts.
The Act and Principles apply to organisations with an annual turnover above $3 million and to all government agencies, health sector providers and small businesses.
Private information is identifying information such as people's names, addresses, positions, medical and bank records, telephone numbers, and other contact details. It also includes any opinions they may have recorded or your comments about them.
Both you and your business must comply with principles and actions defined in the Privacy Act, NDB scheme, Australian Privacy Principles and state acts. You may also have international obligations under foreign laws.
The Act and Principles include an expectation that you will have a strong cyber security framework that includes regular penetration testing, risk assessments, access control reviews and other services.
Sense of Security’s privacy experts can advise you on how to meet the requirements of the Act and Principles, your reporting obligations and how the Australian and State acts overlap.
Australian Privacy Principles
The 13 Australian Privacy Principles (APPs) are part of the Privacy Act 1988 and meeting them will largely meet the compliance needs of international legislation as well.
The Principles cover:
- Open and transparent management of personal information
- Anonymity and pseudonymity
- Collection of solicited personal information
- Dealing with unsolicited personal information
- Notification of the collection of personal information
- Use or disclosure of personal information
- Direct marketing
- Cross-border disclosure of personal information
- Adoption, use or disclosure of government related identifiers
- Quality of personal information
- Security of personal information
- Access to personal information
- Correction of personal information
The Principles are comprehensive and require you to have policies and procedures in place for information management if you are to meet them effectively.
Those procedures are similar to the policies and procedures you need for good cyber security, and in many cases, they cross over between disciplines.
The cost of non-compliance with the Privacy Act
There are penalties for non-compliance with the Privacy Act and the Principles. Any cyber security breach can compromise the personal information you hold and could put you in breach of the APPs.
Sense of Security's security and privacy experts hold globally recognised industry certifications for assessing risks, improving security and tightening processes. Our professionals will assess your business's level of security maturity and compliance.
Our team uses a three-stage process that includes:
- Discovery and characterisation: understanding the business context of your systems, the roles and responsibilities of personnel, personal information data flows, and identifying the systems that use them
- Information security assessment: assessing your governance of your systems and the technology controls in place, against industry best practice
- Report presentation: providing an overview of the findings and making recommendations that include practical steps towards compliance.
Notifiable Data Breaches Scheme
The Notifiable Data Breaches (NDB) scheme is an amendment to the Commonwealth Privacy Act 1988 that requires organisations to notify impacted individuals and the Australian Information Commissioner (OAIC) when any information held by the organisation is accessed without authorisation, or lost.
The scheme mandates reporting and notification that had previously been recommended as best practice by the OAIC.
International privacy laws and obligations
For many businesses, focusing purely on local requirements is not enough. Many businesses trade internationally and must comply with European and other legal frameworks.
Other businesses use cloud servers overseas to store local information for local use.
In all of these scenarios, an understanding of the international requirements for storing and handling of information is important.
Sense of Security can work with you to navigate overseas laws regulating the collection and management of personal information, and the potential risks and rewards of using servers located overseas.