Australia's Privacy Commissioner gets serious about infosec

The new OAIC information security guide sets out "reasonable steps" to protect personal information, but how many organisations will comply by March 2014?

According to Australia's Privacy Commissioner, Timothy Pilgrim, every single one of the high-profile investigations he completed in 2011–12 involved data security issues and information security is now the major issue affecting consumer privacy.

"Information security is clearly a significant privacy issue and has emerged as a major challenge for us all. These incidents tell us that 'privacy by design' is essential. Organisations need to build privacy into business as usual practices and new projects," Pilgrim said in a statement.

A new document from the Office of the Australian Information Commissioner (OAIC), launched yesterday as part of Privacy Awareness Week, Guide to information security (PDF), sets out the Commissioner's expectations of organisations when it comes to protecting the personal information they hold from misuse, loss and from unauthorised access, use, modification or disclosure.

"Although this guide is not binding, the OAIC will refer to this guide when assessing whether an entity has complied with its information security obligations in the Privacy Act," the document reads.

With "significant" privacy reforms coming into force in March 2014, it's clearly time for organisations to review their privacy and associated information security practices.

Yet according to a survey conducted by McAfee in April, most employees responsible for managing personal information aren't across these changes.

Organisations, particularly smaller businesses, could well be caught short.

"Entities are expected to consider ICT security measures and the protection of personal information as part of their decision to use, purchase, build or upgrade ICT systems rather than attempting to address privacy later, for example after a privacy breach has occurred," the guide reads.

"It is also expected that entities regularly monitor the operation and effectiveness of their ICT security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of personal information."

The guide lists "reasonable steps" that would be familiar to anyone working in a high-security environment: whitelisting rather than blacklisting applications, Web and email domains; processes to ensure prompt software patching; multi-factor authentication; prompt revocation of access when no longer required, for example when employees leave; log and audit trail monitoring; encryption of data at rest and of portable devices; security testing; backup management; having a data breach response plan and so on.

Yet such things are often unheard of in smaller organisations, and the Privacy Act applies to every Australian business with a turnover greater than $3 million a year, every business handling medical records, and some others as well.

"Businesses and government agencies cannot ignore the need to take steps to protect the personal information of their customers or clients. This is critical to meet the current requirements of the Privacy Act 1988 as well as new requirements due to commence in less than 12 months," Pilgrim said.

But are businesses listening?

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.