Thursday, 23 January 2014

CQR Insights: Organisation compliance with New Privacy Laws

From 12 March 2014, the Federal Government’s new privacy laws will introduce a new set of Australian Privacy Principles. The reforms introduce new enforcement powers and remedies for investigations that the Commissioner commences on their own initiative. The Commissioner will be able to make a determination, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies.

Mandatory reporting of data breaches is not part of the new laws (yet), but clearly the new enforcement powers and remedies for investigations are putting everyone on notice as regards the protection of personal information.

How will the new privacy laws impact your organisation? It is really all about managing risk.

An article by Alec Christie, partner at DLA Piper, in The Australian suggests companies undertake a “mini privacy audit”.

I have put together a list of ten questions to ask yourself:

1. Do you manage a register of risks relating to your critical business systems that store and use personal information?

2. Do you have procedures for staff and contractor access control to these systems: granting, revoking and privilege levels?

3. Do you know where personal data is stored?

4. Do you have a procedure for removing or de-identifying personal data in databases and archive systems where this information is no longer required?

5. Do you have change control procedures for network, system and application changes which may impact business systems holding personal information?

6. Does your organisation have an information security policy and associated procedures?

7. Does your organisation have a resource who is responsible for information security management?

8. Do you have procedures for managing and applying operating system and application patches and upgrades?

9. As highlighted in the Privacy Commissioner’s recent AAPT breach investigation (link below), do you have service level agreements in place with third party providers regarding responsibilities for protecting personal information and, importantly, a means of monitoring compliance?

10. Do you perform annual vulnerability assessments of internet-facing infrastructure and applications?

If you answered yes to all of these questions then you are probably doing ok.

What help does CQR offer for the new privacy laws?

As part of our ISMS/ISO 27001 business practice we have a packaged program which runs over a 4-week timeframe, where we work with a client to:

1. Identify business systems that are in scope;

2. Perform a gap analysis against existing information security procedures and processes;

3. Highlight risks and the maturity of controls in place;

4. Rate the adequacy of existing procedures;

5. Provide a draft implementation plan of activities to effectively manage the risks associated with your information assets.

As part of our technical services, CQR can perform vulnerability assessments of your internet-facing infrastructure and services.

AAPT’s data breach investigation gives some insights into where things can go wrong.

If you would like further information on how CQR can assist with getting in line with the new privacy laws, then contact CQR at or
Greg Starkey
Business Development Manager, Government & Commercial
