A Brief Guide to the ICT Security Controls Required by the Australian Privacy Principles and Mandatory Data Breach Notification Scheme

Entities that handle Personal Information should build privacy into their processes, systems, products and initiatives at the design stage.  Privacy should be incorporated into your business planning, staff training, priorities, project objectives and design processes, in line with APP1.  Building privacy into data handling practices from the start, rather than ‘bolting it on’ at a later stage, is known as ‘privacy by design’.

The ‘privacy by design’ stage should also address Personal Information security, including the appropriateness of technology and the incorporation of information security measures that are able to evolve to support the changing technology landscape over time. 

Entities should design their information security measures to:

  • Prevent the misuse, loss or inappropriate accessing, modification or disclosure of Personal Information

  • Detect privacy breaches promptly

  • Be ready to respond to potential privacy breaches in a timely and appropriate manner.

One way to achieve privacy by design is to conduct a Privacy Impact Assessment (PIA).  A PIA is an assessment tool that examines the privacy impacts of a project and assists in identifying ways to minimise those impacts.  A PIA will assist in identifying where there are privacy risks, and where additional privacy protections may be required. Generally, a PIA should:

  • Describe how personal information flows in a project

  • Analyse the possible impacts on individuals’ privacy

  • Identify and recommend options for avoiding, minimising or mitigating negative privacy impacts

  • Build privacy considerations into the design of a project

  • Achieve the project’s goals while minimising the privacy impact.

A detailed Guide to conducting PIAs is available from the OAIC website. 

You may also need to conduct an information security risk assessment in conjunction with a PIA.  An information security risk assessment is generally more specific than a PIA because it involves the identification and evaluation of security risks, including threats and vulnerabilities, and the potential impacts of these risks to information (including personal information) handled by an entity.  As with a PIA, an information security risk assessment can be seen as an iterative process and may be undertaken across your business generally.


Stories by Ashwin Pal
