Global privacy and data protection strategy
Australian data protection strategy
Ensuring data protection compliance
To develop a strategy for cross-jurisdictional privacy and data protection, you first need a functional understanding of the physical assets, the information held and the activities taking place within each jurisdiction. You also need a functional understanding of the legal regime in each jurisdiction, with particular attention to:
- the regime protecting information and communications from unauthorised access or interception;
- rules that prevent cross-border transfers ("on soil" or data localisation requirements) and/or that impose conditions which must be met before information can be sent or made accessible outside the jurisdiction;
- the privacy regime and whether it could also be used to protect information not collected from residents of the jurisdiction;
- whether local privacy policies and information handling practices are consistent with local law on collection, use or processing, disclosure, and destruction or de-identification; and
- sector-specific information regulations that may apply to your business and/or to the businesses that are your customers.
See Developing a strategy for cross jurisdictional compliance.
Your strategy needs to consider a range of elements including:
- making sure that the transfers and disclosures of information that are taking place are consistent with the laws and policies of the source jurisdiction; and
- making sure that information is not placed at risk by procedures or processes carried out in a location where there may be no effective legal remedy for a compliance failure and/or where security procedures cannot be assured.
The US National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework), which has been adopted by the Australian Government and ASIC, organises a resilient strategy around five functions:
- identify: understand the assets, data, systems and risks that make up your security environment;
- protect: put safeguards in place for those systems;
- detect: be able to recognise security breaches when they occur;
- respond: have a data breach response strategy in place; and
- recover: have a strategy for restoring systems and services following a data breach.
See Analysing your data and data flows.
See Anticipating issues and risks.
See Selecting local experts and asking the right questions.
Documenting, implementing and maintaining compliance
Strong technical controls and procedures are generally relied on to prevent information from being stolen or a system from being compromised by malware. Technical controls can, however, be overcome by well-targeted and sometimes simple social engineering. There is little point in having strong software and network security and well-trained personnel if the relevant physical assets remain vulnerable because of low security awareness, poor business practices or weak physical security.
It is important to maintain a need-to-know information control system across the organisation. Access controls must ensure that information is not available to those who have no legitimate reason to access it. Your strategy also needs to guard against a determined insider: background checking, security training, a culture that encourages and rewards reporting, appropriate logging of access incidents and of the information used, together with periodic auditing and penetration testing, must all form part of the picture.
See Documenting, implementing and maintaining compliance.
In this subtopic, we discuss your objectives in developing a global privacy and data protection strategy. We identify aspects of your business that should be considered, the information collected and processed and the location of that information. We describe considerations in carrying out data mapping, anticipated issues and risks and also provide guidance regarding the selection of local experts. Finally, we provide suggestions for implementing and maintaining compliance.
The aim of your Australian data protection strategy is to establish and maintain a culture of information security awareness and compliance within your organisation taking into account the Australian regulatory environment.
Securing information is not just protecting it from being accessed by third parties. A commonly used way to summarise the key objective is the "CIA" triad: Confidentiality, Integrity and Availability (sometimes reordered as the "AIC" triad to avoid confusion with the USA Central Intelligence Agency). The triad is an important reminder that information security is not only about confidentiality. Information loses its value if it cannot be trusted, whether because it has been altered by error or deliberate interference or because it has not been maintained accurately. Likewise, information that is unavailable when it is required can have the same consequences for the organisation as information that has been lost or whose integrity has been compromised.
The first step in the preparation of a data protection strategy is to understand the regulatory context in which you operate and identify applicable rules and guidelines. Next, you should identify the relevant classes of information that you need to protect, consider the risk exposure that accompanies each class of information and whether or not the measures currently in place are adequate having regard to the potential risk to your organisation.
See Developing a strategy for Australian data protection.
It is important to consider the components that make up a secure framework. It is a common mistake to focus on the protection of IT systems. While the protection of IT systems from unauthorised access and careful control of access privileges is a critical component, it is also necessary to consider employee related issues such as background checking, the terms and conditions of employment, the adequacy of training, supervision and audit. Control of the physical environment is also relevant.
See Procedures for implementation and Systems for improvement.
In this chapter, we step through the development of an Australian specific cybersecurity strategy having regard to the Australian regulatory context.
Perhaps the most difficult challenge in ensuring effective cybersecurity is making sure that the elements of your strategy are implemented in practice.
Allocation of responsibility
The analysis needed to identify relevant information and risks, and to devise appropriate remediation procedures and solutions, can be undertaken at a point in time as a discrete project. It is relatively straightforward to complete such a project, publish your policies and conduct initial training. The temptation, and the natural tendency, is to regard the completion of that work as a job done. This is particularly so because your policies can serve as evidence of compliance and may even be shown to clients as evidence of your awareness of the relevant issues and of your commitment to cybersecurity.
See Allocation of responsibility.
Induction and training
Policies and procedures buried on the intranet or forgotten at the bottom of a drawer will not reduce the cybersecurity risks faced by your organisation. To be effective, policies and procedures must be integrated into day-to-day operations, used in decision making and training, and revised and updated in response to changes in technology, changes to the business and experience with risks and incidents. If they are not implemented, your well-documented strategy can instead be held up as the benchmark of proper practice that you failed to meet, should a third party claim or a formal regulatory investigation follow a security incident. It is vital that your security strategy be embedded in the operational life cycle of your organisation.
Monitoring, testing and responding to change
In this subtopic, we discuss steps that you can take to embed your cybersecurity strategy in the management culture and business life cycle of your organisation. As part of the privacy operational life cycle, data protection compliance is achieved through the monitoring, auditing and communication aspects of the management framework, where:
- monitoring identifies any gaps and weaknesses in an organisation's privacy program;
- auditing ensures consistency, effectiveness and sustainment of the privacy practices; and
- communication creates internal and external awareness of the privacy program, ensuring flexibility to respond to legislative and industry changes.