Australia’s Privacy Act update – How to comply with the Act and secure your firm’s data


As the volume of electronic data has grown, so has the amount of confidential information that is misused, lost or stolen. Organisations must now safeguard their sensitive data to meet the requirements of Australia’s updated Privacy Act, or face the harsher penalties the amendments introduce.
On 12 March 2014, the Privacy Amendment (Enhancing Privacy Protection) Act 2012 came into effect in Australia. The amended Act extends the regime governing the collection, use, disclosure and transfer of personal and sensitive information. The amendments follow recent, similar changes to the EU data protection framework intended to provide a more harmonised approach to data protection across EU member states. Consequently, organisations are required to take “reasonable steps” to protect such information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

According to the Act, what constitutes reasonable steps depends on the nature of the organisation holding the personal information and its handling practices, the volume of information held, and the risk posed to individuals if that information is not secured. This means that sectors such as legal services, which handle sensitive information on a daily basis, must apply higher levels of security.

To enforce the Privacy Act, greater powers have been given to the Australian Information Commissioner. The Commissioner can now seek civil penalties of up to $1.7 million for serious or repeated interferences with privacy, and can conduct assessments of an organisation’s privacy performance.

A comprehensive list of recommendations 

To help organisations prevent data breaches, the Office of the Australian Information Commissioner has published a comprehensive list of recommendations. It considers security from every angle within a firm: from ICT security controls (blacklisting content and applications, user authentication, encryption and network security measures) to governance and policies that promote awareness of, and compliance with, any new procedures.


The list also recommends personnel and physical security policies (appropriate security clearances, access logs that are available for audit, monitoring of documents throughout their lifecycle, and secure work and storage spaces), while ensuring that sensitive information is safeguarded during system upgrades and when it is exchanged with third parties.

With such a long list of recommended measures, it is ultimately up to each organisation to determine and prioritise the steps it needs to take against the most pressing risks it faces. The recommended starting point is to review basic but fundamental processes such as the firm’s information workflow: where sensitive information enters the firm, where it is stored, who handles it and where it leaves. This identifies the areas most exposed to threats and lets the firm prioritise its security efforts.

One area of particular concern is remote access and the sharing of sensitive information, whether between colleagues or with clients. With hundreds of documents containing sensitive data being transferred via mobile devices or through unauthorised file-sharing applications, this area requires particular attention.


The correct tools and technologies are required

For firms to retain control of their data and meet the requirements of the Act, the correct tools and technologies are required. As a minimum, such a tool should provide:
  • End-to-end encryption: documents are encrypted at rest and in transit, so they remain protected when stored, and when uploaded to or downloaded from a mobile device or a remote location. Each individual holds their own decryption key, so compromising one user’s key does not expose documents encrypted for others. Note that encryption applied only on the provider’s servers is not end-to-end; with genuine end-to-end encryption the service operator itself cannot read the content.
  • Restricted access to sensitive data: robust authentication (logon passwords and additional authentication measures for remote access, for example) and granular file/folder permissions restrict data access to those who require it. Controls on what a user may do with a document add another level of protection. For example, you may give a colleague full control of a document while giving a client temporary, read-only (no download) access to the same document for an initial review.
  • Audit trails and file logging: a fast, efficient way of tracking all document and folder activity, showing who has accessed, viewed, downloaded or shared what, and with whom. A log does not rectify a violation on its own, but reviewing it promptly lets the firm detect misuse as soon as it occurs and respond before it becomes a serious breach.
  • A means to manage BYOD: when files are shared through personal devices and public cloud file-sharing services, the firm no longer knows where its data resides, and the security and integrity of that data are compromised. This in turn leads to compliance issues. A secure platform for sharing sensitive files keeps documents within the firm’s control throughout their life cycle, and removes the need for users to find their own methods of transferring files.
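As an added example (it is not code from the original article, nor from Nikec Docstore), the following Python models the access-control and audit-trail requirements in the second and third bullets above: per-user grants on a document, a temporary read-only grant that lets a client view but not download, a rule that nobody can share more rights than they hold, and an audit trail that records denied attempts as well as allowed ones. All user names, document names and timestamps are constructed for the example.

```python
"""Added example, not code from the original article or from Nikec Docstore.

Models the sharing controls the article asks for: per-user grants, a temporary
read-only (no download) grant for a client, a rule that nobody can grant more
than they hold, and an audit trail that records denials as well as successes.
All user names, document names and timestamps are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Permission sets used by the firm. READ_ONLY deliberately omits "download"
# and "share": a client reviewing a draft can only view it in the application.
FULL: Set[str] = {"view", "download", "edit", "share"}
READ_ONLY: Set[str] = {"view"}

T0 = datetime(2014, 3, 12, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
HOUR = timedelta(hours=1)


@dataclass
class Grant:
    permissions: Set[str]
    granted_by: str
    expires_at: Optional[datetime] = None  # None means the grant never expires


@dataclass
class AuditEvent:
    when: datetime
    user: str
    doc_id: str
    action: str
    allowed: bool
    reason: str


@dataclass
class Document:
    doc_id: str
    owner: str
    grants: Dict[str, Grant] = field(default_factory=dict)


class DocStore:
    """In-memory store: documents, per-user grants and an append-only audit log."""

    def __init__(self) -> None:
        self.docs: Dict[str, Document] = {}
        self.audit: List[AuditEvent] = []

    def add_document(self, doc_id: str, owner: str) -> None:
        self.docs[doc_id] = Document(doc_id, owner)

    def _effective(self, user: str, doc: Document, now: datetime) -> Set[str]:
        """Permissions the user currently holds on the document (empty if expired)."""
        if user == doc.owner:
            return set(FULL)
        grant = doc.grants.get(user)
        if grant is None or (grant.expires_at is not None and now >= grant.expires_at):
            return set()
        return set(grant.permissions)

    def _check(self, user: str, doc_id: str, action: str, now: datetime):
        """Decide an action and return (allowed, reason) without logging it."""
        doc = self.docs.get(doc_id)
        if doc is None:
            return False, "no such document"
        if user == doc.owner:
            return True, "owner"
        grant = doc.grants.get(user)
        if grant is None:
            return False, "no grant"
        if grant.expires_at is not None and now >= grant.expires_at:
            return False, "grant expired"
        if action not in grant.permissions:
            return False, f"'{action}' not in grant"
        return True, f"granted by {grant.granted_by}"

    def _log(self, when, user, doc_id, action, allowed, reason) -> None:
        # Every decision is recorded, denials included, so misuse attempts show
        # up in the audit trail and not only successful access.
        self.audit.append(AuditEvent(when, user, doc_id, action, allowed, reason))

    def authorise(self, user: str, doc_id: str, action: str, now: Optional[datetime] = None) -> bool:
        """Check whether user may perform action on the document; always audited."""
        now = now or datetime.now(timezone.utc)
        allowed, reason = self._check(user, doc_id, action, now)
        self._log(now, user, doc_id, action, allowed, reason)
        return allowed

    def share(self, actor, doc_id, target, permissions, ttl=None, now=None) -> bool:
        """Grant permissions on a document to target, optionally expiring after ttl."""
        now = now or datetime.now(timezone.utc)
        allowed, reason = self._check(actor, doc_id, "share", now)
        if allowed and not set(permissions) <= self._effective(actor, self.docs[doc_id], now):
            allowed, reason = False, "cannot grant more than you hold"  # no escalation
        if allowed:
            expires = now + ttl if ttl is not None else None
            self.docs[doc_id].grants[target] = Grant(set(permissions), actor, expires)
            reason = f"shared with {target}: {sorted(permissions)}"
        self._log(now, actor, doc_id, "share", allowed, reason)
        return allowed

    def denied_events(self) -> List[AuditEvent]:
        return [e for e in self.audit if not e.allowed]


if __name__ == "__main__":
    store = DocStore()
    store.add_document("contract-42.docx", "alice")
    store.share("alice", "contract-42.docx", "bob", FULL, now=T0)
    store.share("alice", "contract-42.docx", "client", READ_ONLY, ttl=48 * HOUR, now=T0)
    store.authorise("client", "contract-42.docx", "view", now=T0 + 1 * HOUR)
    store.authorise("client", "contract-42.docx", "download", now=T0 + 1 * HOUR)
    store.authorise("client", "contract-42.docx", "view", now=T0 + 49 * HOUR)
    for e in store.audit:
        print(f"{e.when:%Y-%m-%d %H:%M} {e.user:<7} {e.action:<9} "
              f"{'ALLOW' if e.allowed else 'DENY':<5} {e.reason}")
```

Running the script prints one audit line per decision, and the client’s download attempt and post-expiry view both appear as denials. In a real deployment the same log would be written to append-only storage and reviewed regularly, which is what turns the audit trail into the early-warning mechanism the article describes.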


Essentially, for a security strategy to succeed, firms must establish clear procedures and lines of authority for decisions about information security. Guidelines and policies covering the use of mobile devices, BYOD and offsite work should be developed.
Finally, and most importantly, staff should be fully educated and trained so that they genuinely “buy in”. Together, these measures will help control and limit data breaches and improve the firm’s ability to manage data in accordance with the new regulatory requirements set out in the latest version of the Privacy Act.


Nila Hirani [ LinkedIn | Email ]
Nikec Solutions [ www.nikecsolutions.com ]


Sources & references:
  - The Office of the Australian Information Commissioner (OAIC) [ here ]
  - Combined set of APP guidelines (as at 1 March 2014) [ here ]
  - Summary of version changes to APP guidelines [ here ]



Nikec Docstore is a mobile application designed for professionals. It allows them to store any type of file, access those files remotely from a computer or an iPad, and share them with authorised colleagues or clients. By combining ease of use with the level of security required for exchanging working and sensitive documents, Nikec Docstore is ideal for mobile professionals and collaborative work. The application is available on-premises or in the cloud (SaaS), so you always keep full control of your documents.

Need more information or want to test drive one of our products? info@nikecsolutions.com
