LexisNexis Practical Guidance®


Overview

  • Data security obligations and data security breaches

  • Personal data security breach management

  • Service providers, security and data breach notification

  • Data security in commercial transactions

  • Big data

Types of data

Identifying and classifying types of data or information can be useful in the context of data security to help determine what:

  • legal obligations and rights may apply to the data or information;
  • benefits and risks may arise from its possession or use; and
  • the data or information can be used for, by whom, and in what circumstances.

Where applicable, it may be useful to classify or categorise data or information as:

  • personal information;
  • confidential information and trade secrets;
  • financial data or information;
  • intellectual property; or
  • government official information.

Personal information is defined in the Privacy Act 1988 (Cth) (Privacy Act).

An organisation may have confidentiality obligations to other parties in relation to data or information. It may have trade secrets such as valuable methods or know-how which are a source of competitive advantage.

There is no single, authoritative definition of financial data or information. Financial data or information may be publicly available, or it may be the confidential information of one or more organisations or individuals.

Likewise, there is no single, authoritative definition of intellectual property.

Government official information is information or data created by or relating to government agencies. It may be required to be treated in a particular manner, based on its security classification.

There are four main sources of legal obligations relating to data security:

  • legislation;
  • common law;
  • formal contracts and other forms of legally binding agreements; and
  • government requirements in relation to government official information.

Classifying or categorising data or information as being of a particular nature or type can help to determine the sources of legal obligations that may apply to particular data or information.

See Types of data.

Types of breaches

A data security breach may occur as a result of a broad range of causes and in a wide variety of circumstances. A data security breach may be caused by:

  • wilful or malicious acts by an organisation or individual, conventionally referred to as “a bad actor” or “perpetrator” (eg the deployment of malicious code into another organisation’s or individual’s IT systems or IT devices, or theft of, wilful damage to or destruction of data or of the IT systems or IT devices on which data is stored); or
  • reckless, negligent or careless acts or omissions by an organisation or person.

A data security breach may be caused by a range of acts or omissions by either employees or contractors within an organisation, or acts by organisations or individuals external to an organisation.

See Types of breaches.

Data security obligations

A data security breach may result in a breach of various legal obligations, including:

  • contractual obligations;
  • a common law duty of care;
  • obligations under the Privacy Act;
  • obligations with respect to confidentiality and trade secrets; and
  • government requirements with respect to privacy, confidentiality and the data security of government official information,

depending upon the relevant circumstances.

There are also legal requirements in relation to data retention and destruction.

See Data security obligations.

Consequences to an organisation of the data security breaches

A data security breach could have serious, adverse consequences for an organisation and its stakeholders.

If an organisation is affected by a data security breach, it should consider its potential legal remedies. This usually involves gathering the relevant facts and supporting evidence, identifying the relevant sources of legal obligations, and determining which legal remedies to pursue in relation to the data security breach.

Initiating the exercise of legal remedies usually involves preparing and issuing a letter of demand to the organisation or person believed to have caused the data security breach.

See Consequences to an organisation of the data security breaches.

Best practice before a breach occurs

An organisation can seek to prevent or minimise a personal data security breach occurring by implementing an effective organisational data security compliance framework.

An effective organisational data security compliance framework can avoid or minimise the risk of an organisation and individuals within it breaching personal data security obligations.

Such a framework should usually include:

  • regular audits of the organisation’s IT security policies, systems, controls, processes and practices;
  • effective IT security policies, systems, controls, processes and practices;
  • staff training and awareness of data security obligations;
  • a positive and strong compliance culture; and
  • ongoing governance oversight.

An organisation should conduct regular audits of the organisation’s IT security systems, processes, practices and policies.

An organisation should develop and maintain effective IT security policies, systems, controls, processes and practices to prevent or minimise the risk of breach of data security obligations.

Employees should receive regular training on compliance with data security requirements.

The main objective of the training should be to build and maintain a good level of current awareness of how to comply with, and avoid breaching, data security obligations.

Employees of an organisation whose roles involve performing services for the organisation’s customers should be familiar with any contractual obligations that the organisation has to the customer concerning data security requirements.

Organisations should develop and maintain a positive and strong compliance culture in relation to data security obligations.

A positive and strong compliance culture can embed best practice with respect to data security awareness and compliance within the values of an organisation and the values and behaviours of its staff.

An organisation should also implement effective internal governance processes and oversight of data security issues.

Internal governance processes should enable the timely and accurate reporting of data security compliance issues and breaches to relevant internal stakeholders.

See Best practice before a breach occurs.

Responding to a data security breach as it occurs

To determine how to respond to a data security breach involving the personal information of one or more individuals, the organisation should determine:

  • what is the nature of the data security breach;
  • what is/are the cause(s) of the data security breach;
  • who is affected by the data security breach; and
  • what are the potential consequences for the organisation and those affected by the data security breach.

An organisation should have one or more decision-makers (ie a response team) who are responsible for:

  • assessing the nature and cause(s) of a data security breach;
  • identifying who is affected and what the potential consequences are; and
  • deciding upon an appropriate course of action for the organisation in relation to a data security breach.

It is important for an organisation to first identify the nature of a data security breach, to help it determine and plan an appropriate response.

It is also important for an organisation to identify the actual and potential consequence(s) of a data security breach.

This will help the organisation to prepare an appropriate response to the data security breach, including what actions and organisational resources are required to achieve an appropriate response.

Promptly upon becoming aware of a data security breach, an organisation should ensure that key internal stakeholders are:

  • alerted to the occurrence of the data security breach; and
  • given sufficient information in relation to the data security breach as soon as possible to enable them to assess the potential impacts of the occurrence.

An organisation may need to develop a different response depending on whether it is at fault or whether another organisation or person is at fault.

Such a response should take into account a range of considerations, including compliance with any relevant contracts with affected parties and communications with affected parties.

See Responding to a data security breach as it occurs.

Compliance after a data security breach has occurred

Once an organisation has responded to and resolved a data security breach issue, it should:

  • conduct an internal audit to determine the root cause(s) of the data security breach;
  • determine what remediation measures are required to prevent or minimise the possibility of any recurrence of the data security breach; and
  • implement the necessary remediation measures and monitor their effectiveness.

Consideration should be given to whether any offshore data transfers comply with Australian Privacy Principle 8 (APP 8), which governs cross-border disclosure of personal information, and whether an offshore data transfer agreement is required.

See Compliance after a data security breach has occurred.

Types of service providers

A service provider is an organisation or person that provides any form of service to another organisation or individual.

Most service providers will have access to, use or store data or information in relation to providing a service that could be involved in a data security breach.

Such data or information may include personal information, confidential financial information or trade secrets, intellectual property and government official information.

A data security breach may arise whenever data or information of a service provider is accessed or used in any manner without permission, or is stolen, lost, corrupted, damaged or destroyed.

This may occur through the deployment of malicious code, through the acts or omissions of the service provider’s employees or contractors, and through unauthorised access to and use of a service provider’s data or information, whether by theft of the data or information itself or by theft of the IT devices on which it is stored.

If a service provider does not maintain effective data security, it may be exposed to a number of risks, in particular, legal, financial and reputational risks.

Where a service provider subcontracts or outsources services or tasks to another party, it should ensure that the security posture of the other party is at least as effective as the security posture of the service provider.

The service provider should also consider whether the jurisdiction in which such other party is located would enable the service provider to effectively enforce contractual obligations in relation to data security against the other party.

See Types of service providers.

Preventative measures for service providers in relation to data security

A service provider can seek to prevent or minimise data security breaches from occurring by implementing an effective organisational data security compliance framework.

An effective organisational data security compliance framework can avoid or minimise the risk of an organisation and individuals within it breaching data security obligations.

The specific details of what comprises an effective organisational data security compliance framework will vary between organisations, and will depend on a range of factors including a service provider’s level of compliance with data security obligations, the types of data it has access to, its structure, size, resources, industry sector, regulatory environment and the compliance issues facing the organisation.

A service provider should conduct regular audits of its IT security systems, processes, practices and policies.

The audits should be undertaken by the service provider’s IT security staff with appropriate skills and experience or by an external IT security specialist.

The findings of such audits will enable the service provider to determine what actions are required to remediate any adverse audit findings, including in relation to its IT security policies, systems, controls, processes and practices.

A service provider’s employees and contractors should receive regular training on compliance with data security requirements.

Service providers should develop and maintain a positive and strong compliance culture in relation to data security obligations.

Service providers should also implement effective internal governance processes and oversight of data security issues.

See Preventative measures for service providers in relation to data security.

Obligations to respond appropriately to data breaches

To determine how to respond to a data security breach, a service provider should determine:

  • what is the nature of the data security breach;
  • what is/are the cause(s) of the data security breach;
  • who is the perpetrator of the breach;
  • who is affected by the data security breach; and
  • what are the potential consequences for the service provider and those affected by the data security breach.

A service provider should have one or more decision-makers (ie a response team) who are responsible for:

  • assessing the nature and cause(s) of a data security breach;
  • identifying who is the perpetrator of the breach;
  • identifying who is affected and what the potential consequences are; and
  • deciding upon an appropriate course of action for the service provider in relation to a data security breach.

It is important for a service provider to first identify the nature of a data security breach, to help it determine and plan an appropriate response.

It is also important for a service provider to identify the cause(s) of a data security breach, to help it determine an appropriate response.

Once a service provider has identified the nature and cause(s) of the data security breach, it can:

  • prepare its response plan; and
  • implement remedial measures to seek to avoid any recurrences of the data security breach.

The nature of a data security breach, eg a breach of the Privacy Act 1988 (Cth) or a breach of a commercial contract in relation to privacy or data security, may require notification to affected parties or regulators within specified periods of time, and may also require a level of cooperation and disclosure in relation to subsequent investigations. See Overview — The data breach notification regime.

It is also important for a service provider to identify the actual and potential consequence(s) of a data security breach.

Promptly upon becoming aware of a data security breach, a service provider should ensure that key internal stakeholders are:

  • alerted to the occurrence of the data security breach; and
  • given sufficient information in relation to the data security breach as soon as possible to enable them to assess the potential impacts of the occurrence.

There is a range of issues for a service provider to consider when responding to a data security breach where the service provider is at fault, including breach notification requirements and communications with affected parties.

There is also a range of issues for a service provider to consider when it is affected by a data security breach by another organisation.

See Obligations to respond appropriately to data breaches.

Managing disaster recovery and business continuity

The concept of disaster recovery usually refers to the ability of an organisation to resume or continue its normal operations or provision of services following an unforeseen, serious incident that has interrupted its normal operations or provision of services.

Most organisations maintain some form of disaster recovery plan and business continuity plan.

There are a number of international standards relating to business continuity. There are a number of issues for an organisation to consider when preparing a disaster recovery plan and a business continuity plan.

See Managing disaster recovery and business continuity.

Negotiating and drafting data security obligations in commercial transactions

Data security is frequently an issue of critical importance in commercial contracts between both public and private sector customers and their respective suppliers.

Under commercial agreements, a supplier may have access to, or be responsible for managing or hosting, confidential business information, personal information or government official information of the customer or the customer’s end-users.

The issue of data security tends to be addressed in commercial contracts with an ever-increasing level of sophistication and detail, as technological developments continue to rapidly advance and the risk of data security breaches is ever-present.

Data security obligations in commercial contracts are often addressed under three topics:

  • data security;
  • privacy; and
  • confidentiality.

Data security obligations in commercial contracts can cover a number of aspects of data security, including compliance with a customer’s data security policies, the prevention of malicious code, application or system development in compliance with a customer’s security requirements, prescriptive technical security requirements, data sovereignty requirements, controls on suppliers’ personnel, and system access and monitoring requirements.

Commercial contracts also usually contain a range of privacy and confidentiality obligations.

See Negotiating and drafting data security obligations in commercial transactions.

Managing data security obligations in commercial transactions

Managing data security obligations in commercial transactions usually requires both the customer and supplier to allocate appropriate personnel and IT systems, develop contract management manuals, and implement a range of operational processes.

Both customers and suppliers have concerns in relation to managing data security obligations.

Both customers and suppliers should ensure that they assign appropriate personnel and resources to managing their contractual obligations relating to data security.

A service provider should conduct regular audits of its IT security systems, processes, practices and policies.

There are a number of key contract management issues in relation to data security that customers and suppliers should be aware of.

See Managing data security obligations in commercial transactions.

Cybersecurity liability and insurance

Cybersecurity insurance provides an organisation with the ability to insure itself against certain cybersecurity risks.

By obtaining cybersecurity insurance, an organisation seeks to transfer the risk of financial loss associated with a cybersecurity incident to the insurer.

Cybersecurity insurance policies vary in the nature and extent of the risks covered. They also vary in the nature and extent of the exclusions from insurance coverage.

If an organisation does not have cybersecurity insurance, it may have to bear itself the costs associated with a cybersecurity incident that it might otherwise have been able to claim under an insurance policy.

An organisation may seek to limit or exclude its liability for breaches of data security by including, in its contracts with other organisations or persons, provisions that limit or exclude that liability.

See Cybersecurity liability and insurance.

What is big data and how to deal with it

The term “big data” is often defined with reference to the characteristics of the volume, variety and velocity of data (the “three V’s”).

The characteristic of “volume” refers to the quantity or magnitude of data. “Variety” refers to the range of different types of data. “Velocity” refers to the speed at which data is generated, processed or analysed.

Other features of big data that have been identified are veracity, variability and complexity. The characteristic of “veracity” refers to the unreliability or imprecision of certain data. “Variability” refers to variability in the rate or velocity of data flow. “Complexity” refers to the multiple sources from which data may be generated.

Big data is created, transferred, stored, hosted, used and processed daily in virtually all industry and community sectors, including by government, the private sector and other community organisations.

Certain types of data may require specific consents, approvals, licences, or agreements in order to permit an organisation to perform certain acts in relation to such data.

Big data may consist of personal information, data protected by copyright, data protected by moral rights, confidential information, and government official information.

Where an organisation enters into a commercial agreement with another organisation that involves the capture, receipt, transfer, hosting, processing or management of big data, there are a number of issues to consider, including which party is responsible for obtaining necessary consents, what contractual obligations will apply in relation to the big data, and technical, functional and performance specifications in relation to dealing with big data.

See Dealing with “big data”.

How to collect and use big data

Big data can be collected by an organisation from a large number of sources.

An organisation may seek to leverage big data using data analytics for a range of purposes.

Big data often constitutes personal information if any individuals to whom it relates are identifiable from the big data.

Data analytics often involves the collection and analysis by an organisation of big data that comprises the personal information of various individuals.

As it may not be possible or viable for an organisation to obtain the required consents from each individual whose personal information is being collected or analysed, the organisation may decide to use data anonymisation (or personal information “de-identification”) methods or techniques so that it can collect, analyse and process big data that comprises personal information without breaching the Privacy Act 1988 (Cth) (Privacy Act) or obligations of confidentiality.

See Collecting and using big data.

Preventative measures

Managing big data in a secure manner requires an organisation to implement an effective organisational data security compliance framework.

Such a framework should usually include:

  • regular audits of the organisation’s IT security policies, systems, controls, processes and practices;
  • effective IT security policies, systems, controls, processes and practices;
  • staff training and awareness of data security obligations;
  • a positive and strong compliance culture; and
  • ongoing governance oversight.

An organisation that stores or uses big data should also ensure that its data security compliance framework is consistent with the legal and contractual obligations the organisation has to other parties with respect to how it stores and uses the big data.

Organisations that store and use big data should develop and maintain effective IT security policies, systems, controls, processes and practices to prevent or minimise the risk of breach of data security obligations.

An organisation that stores or uses big data should conduct regular audits of its IT security systems, processes, practices and policies.

An organisation’s employees and contractors should receive regular training on compliance with data security requirements.

Organisations that store or use big data should develop and maintain a positive and strong compliance culture in relation to data security obligations.

Organisations that store or use big data should also implement effective internal governance processes and oversight of data security issues.

See Preventative measures.

Guidance


Checklists

  • Cybersecurity strategy — Checklist for remote working (LexisNexis Legal Writer Team)
  • EU general data protection regulation (GDPR) — Checklist for controller versus processor (S. Sharma, Special Counsel and B. Tomlinson, Partner, Maddocks)
  • Data security — Checklist for Disaster recovery planning (A. Mitchell, Unisys)
  • Data security — Checklist for Data security audit plan (A. Mitchell, Unisys)
  • Data security — Checklist for De-identification of personal information (A. Mitchell, Unisys)
  • Privacy — Checklist for Privacy policy (S. Sharma, Special Counsel, Maddocks)
  • Privacy — Internal privacy guidelines for staff (S. Sharma, Special Counsel, Maddocks)
  • Workflow Checklist: Assessing a suspected data breach (D. Kneller, Madgwicks Lawyers)
  • Checklist for Transfers of personal data outside the European Economic Area (S. Sharma, S. Field and B. Tomlinson, Maddocks)
  • Checklist for Complying with both the Privacy Act and the GDPR (S. Sharma, S. Field and B. Tomlinson, Maddocks)
  • Checklist for computer and device use (P. Fair and S. Lee, Baker McKenzie)
  • Workflow Checklist: Content of notification (D. Kneller, Madgwicks Lawyers)
  • Cybersecurity strategy — Checklist for Overall cybersecurity strategy (P. Fair and S. Lee, Baker McKenzie)
  • Data Breach Assessment Guideline (P. Fair and S. Lee, Baker McKenzie)
  • Checklist for Data breach response guideline (P. Fair and S. Lee, Baker McKenzie)
  • Checklist for Ensuring data protection compliance (P. Fair and S. Lee, Baker McKenzie)
  • Workflow Checklist: Exceptions to notification obligations (D. Kneller, Madgwicks Lawyers)
  • EU General Data Protection Regulation (GDPR) — Compliance checklist (S. Sharma, S. Field and B. Tomlinson, Maddocks)
  • Workflow Checklist: Identifying when a data breach is notifiable (D. Kneller, Madgwicks Lawyers)
  • Threshold compliance checklist — GDPR and the Privacy Act (S. Sharma, S. Field and B. Tomlinson, Maddocks)
  • Privacy by design — practical checklist (S. Sharma, Maddocks)
  • Privacy — Checklist for direct marketing (S. Sharma and E. Lau, Maddocks)
  • Checklist for Staff training on data protection compliance (P. Fair and S. Lee, Baker McKenzie)


Latest Legal Updates

18 May 2020

No right to not hire or force staff to sign up to COVIDSafe app

18 May 2020

Cybercrime Squad detectives charge woman over unlawful digital currency exchange

15 May 2020

COVIDSafe privacy safeguards become law

14 May 2020

UK Supreme Court’s decision on vicarious liability for employee’s data breach highlights importance of robust organisational privacy policy, security and training for remote workers

07 May 2020

Privacy Awareness Week — Tips on staying secure from the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada

06 May 2020

COVIDSafe draft legislation released

30 Apr 2020

Privacy class action representative complaint for Optus data breach made to the Australian Information Commissioner

28 Apr 2020

OAIC supports privacy protections in COVIDSafe contact tracing App

22 Apr 2020

ACSC warns cyber scams mount during COVID-19 crisis

16 Apr 2020

The Office of the Australian Information Commissioner reiterates importance of conducting Privacy Impact Assessments to assess privacy risks with remote working arrangements during COVID-19 pandemic

02 Apr 2020

Ongoing threat of COVID-19-related online scams and increased risk of notifiable data breaches

26 Mar 2020

Australian Signals Directorate issues cyber security warning for remote working in response to COVID-19

26 Mar 2020

Office of the Information Commissioner publishes guidance on privacy obligations during the COVID-19 pandemic

16 Mar 2020

Australian Information Commissioner brings action against Facebook for contravention of the Privacy Act

19 Feb 2020

Do you have access to Victorian Government information? Are you aware of the revised protective data security standards?

13 Feb 2020

Beneficial changes to credit reporting come into effect

12 Feb 2020

Optus pays largest infringement notice issued under the Spam Act for unwanted marketing messages

30 Jan 2020

Privacy (Australian Bushfires Disaster) Emergency Declaration (No. 1) 2020 enhances information-sharing about individuals affected by the Australian bushfires

09 Jan 2020

Pioneering Australian class action lawsuit for alleged breach of privacy settles

25 Nov 2019

All organisations should consider cyber supply risk management as part of their overall cyber strategy

18 Nov 2019

UK and US governments sign historic data-sharing agreement to speed up criminal investigations and prosecutions

27 Sep 2019

Consumer Data Right scheme introduces data portability for consumers

25 Sep 2019

Notifiable Data Breaches on the rise again — human error accounts for large proportion of breaches

01 Jul 2019

Watch out for these top 12 scam email subject lines

24 Jun 2019

ACSC’s Six Day Easy Step Guide to protect yourself from cyber criminals

17 Jun 2019

Has your personal information been lost, released or accessed without your permission? What steps can you take now

13 Jun 2019

New phone scam — scammers impersonating ACSC and seeking help to act against cybercriminals

08 Feb 2019

Notifiable Data Breaches Quarterly Report (October – December 2018)

28 Jan 2019

Human Rights Watch looks into Australia’s surveillance and cybersecurity practices

25 Jan 2019

Key cybersecurity trends businesses should know in 2019

14 Jan 2019

2019’s first data breach took less than 24 hours

09 Jan 2019

My Health Record reported 42 data breaches in 2018

17 Dec 2018

Australian Government Information Security Manual updated

13 Dec 2018

Encryption bill becomes law

10 Dec 2018

Federal government releases new cybersecurity reports

06 Dec 2018

Australian Parliament passes legislation to strengthen My Health Record privacy

26 Nov 2018

My Health Record opt-out period has been extended to 31 January 2019

23 Nov 2018

Preventing data breaches should be business as usual

12 Nov 2018

The Assistance and Access Bill 2018

08 Nov 2018

Milestones for privacy and information access in 2017–18

30 Oct 2018

Facebook security breach investigated by OAIC

22 Oct 2018

Digitised crime reporting via cloud

08 Oct 2018

Telecommunications and Other Legislation Amendment (Assistance and Access) Bill 2018 (Cth)

02 Oct 2018

Telecommunications executives liable for misleading advertisements

24 Sep 2018

Unveiling of cybersecurity strategy

19 Sep 2018

Hacker convention on cyber-attack simulation

12 Sep 2018

Treasury Laws Amendment (Consumer Data Right) Bill 2018 (Cth)

12 Sep 2018

My Health Records Amendment (Strengthening Privacy) Bill 2018 (Cth)

03 Sep 2018

Cybersecurity strategy — Tech giants face $10m fines in new cyber security laws

28 Aug 2018

Cybersecurity strategy — Decryption laws edge closer to reality

20 Aug 2018

Mandatory data breach notification — Notifiable data breaches second quarterly report released

13 Aug 2018

Cyber security is being tightened at Australian airports after an identity card data hack

06 Aug 2018

Watch out for fake myGov tax refund email

30 Jul 2018

Timehop data breach impacts 21 million users

17 Jul 2018

My Health Record opt-out period begins, but privacy concerns remain

10 Jul 2018

Privacy by design — Aussie businesses look to get ahead of GDPR privacy requirements

10 Jul 2018

Privacy by design — Privacy business resource 21: Australian businesses and the EU General Data Protection Regulation

06 Jul 2018

Threat and kidnap scams targeting Chinese community

25 Jun 2018

Data security obligations and data security breaches — ASD confirms new cyber manual

19 Jun 2018

Service providers, security and data breach notification — ACSC working with PageUp People on security incident

11 Jun 2018

General Data Protection Regulation guidance for Australian businesses

05 Jun 2018

General Data Protection Regulation commences 25 May 2018

29 May 2018

Cybersecurity strategy — Pacific Cyber Security Operational Network

24 May 2018

Data security — Stop and check: is this for real? — Scams Awareness Week 2018

11 May 2018

Privacy — Privacy Awareness Week 2018 website launched

27 Apr 2018

Mandatory data breach notification — Global shipping company Svitzer announces first data breach under Australian Data Breach Notification Laws

18 Apr 2018

Data security — Scam calls claiming to be from ACSC

22 Feb 2018

The data breach notification regime — Guide to data breach preparation and response released

22 Feb 2018

Anti-piracy website-blocking regime under review

12 Jan 2018

The data breach notification regime — Small business cybersecurity guide released

07 Dec 2017

The data breach notification regime — What the Notifiable Data Breaches scheme means for schools

29 Nov 2017

Data security obligations and data security breaches — Updated 2017 ISM Controls

23 Nov 2017

ACSC: Threat Report 2017

06 Nov 2017

Understanding the relationship between privacy, cybersecurity and data resilience — Australian government agencies Privacy Code

02 Nov 2017

Australian data protection strategy — Reports 467 — Cybersecurity compliance — Inquiry based on Auditor-General’s report 42 (2016–17)

26 Oct 2017

Privacy by design — Australians continue to exercise choice and control over their personal information — OAIC Annual Report 2016–17 released

18 Oct 2017

The data breach notification regime — Guide to mandatory data breach notification in the My Health Record system

09 Oct 2017

Australian data protection strategy — Government to push for expansion of biometric surveillance — Seeks to have states hand over driver’s licence photos

06 Oct 2017

Personal data security breach management — New guide paves way for better data privacy management

06 Oct 2017

The data breach notification regime — New notifiable data breaches scheme resources released