With organisations gathering ever larger volumes of personal information about their clients, keeping it secure has never been more important. Everything from identity details and transaction records to credit card numbers and purchase histories is routinely collected, and all of it must be protected from unauthorised use or disclosure.
Under the Australian Privacy Act 1988 (Cth), personal information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether or not it is true and whether or not it is recorded in a material form. The definition therefore captures a wide range of data, from financial details and contact information through to a person's ethnicity, race, political opinions and health records. The Act singles out categories such as racial or ethnic origin, political opinions and health information as "sensitive information", which attracts stricter collection and handling requirements.
Privacy is a particularly pressing topic because any breach that results in the release of personal information can do lasting damage to the brand and reputation of the organisation involved. For this reason it has become much more than an IT issue and has ramifications for every part of the business.
At its heart, personal privacy protection gives people the reassurance that, when their data is collected, it will be stored securely and used only for the purposes for which it was collected. For organisations that get privacy right, it can be a competitive advantage that makes their clients comfortable dealing with them.
The implications of APP 11
Among the national privacy rules, Australian Privacy Principle 11 (APP 11) is a particularly important component. It is one of the thirteen Australian Privacy Principles set out in Schedule 1 of the Privacy Act, and it deals specifically with the security of personal information held by the organisations and agencies the Act covers.
APP 11 itself has two limbs: APP 11.1 (protecting the information) and APP 11.2 (destroying or de-identifying it when it is no longer needed). The Office of the Australian Information Commissioner's APP Guidelines expand these into practical obligations. Read together, an organisation holding personal information must:
- take active measures to secure the personal information it holds, and actively consider whether it is still permitted to retain that information at all;
- take such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure;
- ensure that those reasonable steps include preparing, implementing and rehearsing a data breach response plan (the OAIC treats this as part of what "reasonable steps" means in practice);
- take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed, unless an Australian law or court order requires it to be retained.
Australian organisations are actively assessing their compliance with these requirements as they prepare for the Notifiable Data Breaches (NDB) scheme, the nation's mandatory data breach reporting regime, which commences in February 2018. Many are also grappling with the General Data Protection Regulation (GDPR), which applies from May 2018 to any organisation that offers goods or services to, or monitors the behaviour of, individuals in the European Union, regardless of where the organisation itself is based.
Increasingly, organisations understand that they need a comprehensive and robust privacy framework that addresses all areas of their operations. To be effective, such a framework needs to be built around the four pillars of privacy.
The pillars of privacy
The four pillars of privacy provide the foundation for an effective security and privacy protection framework. Organisations must ensure each is in place so they can deliver the level of data protection required under the new regulations. The four pillars are:
- Data governance: An organisation must maintain an accurate and complete inventory of its information assets and processing activities, covering what personal information it holds, where it is stored and where it flows. It must implement risk-based access control and authorisation, so that only staff with a genuine business need can reach personal information, and ensure that governance is maintained at all times rather than reviewed once and forgotten.
- Risk assessment: It is important to keep an up-to-date scope of where sensitive data lives and flows, and to perform privacy impact assessments (PIAs) and, where the GDPR applies, data protection impact assessments (DPIAs) when they are required. It is also vital that consistent assessment processes are applied to both existing environments and new initiatives, so that new systems do not bypass the controls applied to old ones.
- Compliance management: Security teams must ensure that identified issues are managed and tracked to closure in accordance with the policy standards that have been put in place. Training and awareness programs should also be run so that all staff understand their responsibilities under the regulations.
- Breach response: If an organisation suffers a data breach, pre-agreed and rehearsed incident response processes need to be followed. Teams should ensure that forensic capabilities, including adequate log retention, are in place so they can efficiently establish what happened, which information was affected and what the most appropriate response is.
The Privacy Readiness Assessment
The first step in putting the privacy pillars in place should be to conduct a Privacy Readiness Assessment (PRA). Under this process, all existing strategies, practices and tools are examined to identify any areas in which changes are required.
The PRA should begin at the top of the organisation by determining the level of awareness and understanding of privacy issues within the C-suite. This is vital, as a comprehensive privacy strategy is unlikely to succeed without commitment from senior management.
The PRA should then include a review of all personal information held within the organisation, including where it is stored, who can access it and which third parties it is shared with, together with the policies and security standards currently followed to protect it. This step should also cover the IT systems used for data collection, processing and storage.
Once these steps have been completed, a comprehensive improvement roadmap can be created that clearly shows any changes required and the investments that need to be made in new systems or processes.
Maintaining the security of personal information has never been more important for organisations. As the volume and variety of data held continue to grow, having an effective privacy framework in place is vital.
By approaching this challenge through the four pillars of privacy, an organisation can be confident it is taking the reasonable steps required to protect both the privacy of its customers and its own reputation.