Privacy Act – Security Compliance

The Australian Privacy Act now includes thirteen (13) harmonised privacy principles that regulate the handling of personal information by Australian and Norfolk Island Government agencies and private sector organisations that are covered by the by the Privacy Act 1988 (Cth). These principles are referred to as the Australian Privacy Principles (APPs).

APP eleven (11) requires entities (agencies and organisations) to take active steps to ensure the security of personal information (PI) they hold and to consider whether they are permitted to retain this information. An APP entity has a duty-of-care to implement reasonable controls that protect PI from misuse, interference (e.g. cyber-attack) and loss, and from unauthorised access, modification or disclosure. Failure to take reasonable steps to prevent unauthorised access such as a cyber-intrusion may be considered a breach of APP 11.

Non-compliance can be costly. The new privacy laws provide the Privacy Commissioner with powers to resolve privacy complaints and conduct investigations. In serious or repeated cases of non-compliance, fines up to $1.7 million may be imposed on the APP entity. Of course a security incident impacting the protection of PI is likely to negatively impact the entities’ brand reputation with its customers and future revenue. From a business risk perspective this can be material.

Our consultants are experienced security professionals that possess globally recognised industry certifications such as ISO 27001 Lead Auditor, PCI Qualified Security Assessor and Certified in Risk and Information Systems Control (CRISC).

Sense of Security has a well-defined methodology to assess an APP entity’s level of security maturity and compliance with the intent of APP 11. Typically, our consultants will lead the APP entity through a three stage process including:

  • Discovery and Characterisation: Understand business context, roles & responsibilities, PI data flows and system identification
  • Information Security Assessment: Governance and technology controls assessment against industry better practice.
  • Report Presentation: Overview of findings and recommendations including maturity level qualifiers against applicable controls and practical steps to meet compliance objectives

Furthermore, SOS is able to assist you with preparation relating to Australia’s Data Breach Notification laws (passed in February 2017) and any global exposure your organisation may have. For example, in the EU, where they are already transitioning into their General Data Protection Regulation (GDPR) set to come into full effect in May 2018 – and which will impact on all enterprises who may be processing PI data belonging to EU citizens.

To discuss how our specialist services can help your organisation meet their Privacy Act compliance obligations please contact us on 1300 922 923 or complete the enquiry form by pressing the button below.

Contact Us

Disclaimer: This web page includes content sourced from the Office of the Australian Information Commissioner: