Understanding your organisation’s obligations for protecting Personally Identifiable Information
19 Nov 2024
With the Australian Government’s new cyber security legislation now before Parliament, it is more important than ever to understand your organisation’s legal responsibilities for protecting Personally Identifiable Information (PII).
What is PII?
The Australian Signals Directorate (ASD) – Australia’s lead government cyber security agency – says that personal data covers a broad range of information that could identify an individual, including an individual’s:
Name
Date of birth
Address
Medical records
Racial/ethnic origin
Political opinion
Religious beliefs
Gender
Sexual orientation or practices
Criminal record
Payment details
Email address
Password
Licence details
Photo
Video
Phone number
Passport
Employment information
Biometrics, such as voice prints and facial recognition
The Office of the Australian Information Commissioner (OAIC) extends that definition even further, saying it can include:
Signatures
Credit information
IP addresses
Trade union membership and associations
Genetic information
The OAIC cautions that sensitive information is a subset of personal information that attracts a higher level of privacy protection. It includes race and ethnicity, political opinions and associations, religious and philosophical beliefs, trade union membership and associations, sexual orientation and practices, criminal record, health or genetic information, and some aspects of biometric information.
Importantly, personal data is often greater than the sum of its parts. Seemingly innocuous fields that identify nobody on their own (a date of birth, a postcode, a gender) can, once aggregated or combined with another dataset, single out an individual and attach the rest of the record to them.
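The following script is an added illustration of that point and is not part of the original article. It uses constructed, fictional records: a “de-identified” health extract that has had names removed but keeps date of birth, postcode and sex, and a public-style list that carries names alongside the same three fields. Joining the two on those quasi-identifiers re-identifies most of the health records, and a k-anonymity check shows which records remain unique even after the fields are coarsened.

```python
# Added example: linkage attack on "de-identified" records and a k-anonymity check.
# All records below are constructed for illustration; names and data are fictional.
from collections import Counter, defaultdict

QUASI_IDENTIFIERS = ("dob", "postcode", "sex")

# Constructed "de-identified" health extract: names stripped, quasi-identifiers kept.
HEALTH_RECORDS = [
    {"dob": "1984-03-12", "postcode": "2000", "sex": "F", "diagnosis": "asthma"},
    {"dob": "1986-09-01", "postcode": "2010", "sex": "F", "diagnosis": "migraine"},
    {"dob": "1975-07-30", "postcode": "3000", "sex": "M", "diagnosis": "diabetes"},
    {"dob": "1990-11-02", "postcode": "4000", "sex": "F", "diagnosis": "depression"},
    {"dob": "1990-11-02", "postcode": "4000", "sex": "M", "diagnosis": "hypertension"},
    {"dob": "1992-01-15", "postcode": "4010", "sex": "M", "diagnosis": "fracture"},
    {"dob": "1978-02-20", "postcode": "3050", "sex": "M", "diagnosis": "eczema"},
]

# Constructed public-style dataset (think of an electoral roll or a marketing list).
PUBLIC_RECORDS = [
    {"name": "Alice Example", "dob": "1984-03-12", "postcode": "2000", "sex": "F"},
    {"name": "Bob Example", "dob": "1975-07-30", "postcode": "3000", "sex": "M"},
    {"name": "Carol Example", "dob": "1990-11-02", "postcode": "4000", "sex": "F"},
    {"name": "Dan Example", "dob": "1990-11-02", "postcode": "4000", "sex": "M"},
    {"name": "Dave Example", "dob": "1990-11-02", "postcode": "4000", "sex": "M"},
]


def qi_key(record, fields=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values used to join or group records."""
    return tuple(record[f] for f in fields)


def equivalence_classes(records, fields=QUASI_IDENTIFIERS):
    """How many records share each quasi-identifier tuple."""
    return Counter(qi_key(r, fields) for r in records)


def k_anonymity(records, fields=QUASI_IDENTIFIERS):
    """Size of the smallest group; k == 1 means at least one record is unique."""
    return min(equivalence_classes(records, fields).values())


def link(health, public, fields=QUASI_IDENTIFIERS):
    """Join the two datasets on quasi-identifiers.

    A health record that matches exactly one named person is re-identified;
    zero or several matches leave the attacker with candidates only.
    """
    index = defaultdict(list)
    for p in public:
        index[qi_key(p, fields)].append(p["name"])
    results = []
    for h in health:
        names = index.get(qi_key(h, fields), [])
        results.append({
            "diagnosis": h["diagnosis"],
            "candidates": names,
            "reidentified": names[0] if len(names) == 1 else None,
        })
    return results


def generalise(records):
    """Coarsen the quasi-identifiers: decade of birth and 2-digit postcode prefix."""
    out = []
    for r in records:
        g = dict(r)
        g["dob"] = r["dob"][:3]        # "1984-03-12" -> "198" (decade)
        g["postcode"] = r["postcode"][:2]
        out.append(g)
    return out


if __name__ == "__main__":
    print("k-anonymity of raw extract:", k_anonymity(HEALTH_RECORDS))
    for row in link(HEALTH_RECORDS, PUBLIC_RECORDS):
        print(row)
    coarse = generalise(HEALTH_RECORDS)
    print("k after coarsening dob+postcode:", k_anonymity(coarse))
    print("k after also dropping sex:", k_anonymity(coarse, ("dob", "postcode")))
```

Run as-is, the raw extract has k = 1 (every record is unique on the three fields), so three of the seven diagnoses are attached to a named person outright; the hypertension record narrows to two candidates. Coarsening date of birth to a decade and postcode to two digits still leaves one record unique, and only dropping sex as well reaches k = 2. The practical lesson for a data register is that the fields worth protecting are not only the obviously identifying ones but any combination that is unique within your population.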
What Existing Laws Require
The Privacy Act 1988 sets out how Australian Government agencies and private sector organisations must handle personal information. Small business operators (broadly, businesses with an annual turnover of $3 million or less), registered political parties, state or territory authorities and prescribed instrumentalities of a state are generally excluded from the definition of “organisation” and so fall outside the Act.
Some small business operators are nonetheless covered by the Act. These include:
private sector health service providers
businesses that sell or purchase personal information
credit reporting bodies
contracted service providers for the Australian Government
employee associations
businesses accredited under the Consumer Data Right system
businesses that have opted in to the Privacy Act
businesses related to a business covered by the Privacy Act
businesses prescribed by the Privacy Regulation 2013
New Obligations Incoming
In October 2024, the Australian Government introduced the Cyber Security Bill 2024 to Parliament. If passed as expected, the resulting Cyber Security Act 2024 will be Australia’s first standalone cyber security legislation, and will impose new compliance and reporting requirements on Australian businesses.
The legislative package is designed to address seven initiatives within the 2023-2030 Australian Cyber Security Strategy. The Bill itself provides for:
• Mandatory minimum cyber security standards for smart devices
• Mandatory reporting of ransomware payments by certain businesses
• A ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate
• Establishment of a Cyber Incident Review Board.
The package also progresses reforms to the Security of Critical Infrastructure Act 2018 (SOCI Act):
• Clarifying existing obligations in relation to systems holding business critical data
• Simplifying information sharing across industry and Government
• Introducing Government powers to direct entities to address serious deficiencies within their risk management programs
• Moving regulation for the security of telecommunications into the SOCI Act.
Law firm A&O Shearman cautioned that the Bill introduces several new areas of compliance and reporting, and advised businesses to take heed of these obligations and put robust cyber security measures in place:
• Ransomware Reporting Obligations: Entities impacted by a cyber security incident that make a ransomware payment must report the payment within 72 hours.
• Security Standards for Smart Devices: The Bill requires manufacturers and suppliers of smart devices to comply with specified security standards.
• Protected or Limited Use of Incident Information: The Bill includes provisions to ensure that information an entity provides about a cyber security incident is used or disclosed only for permitted purposes, with strict limits on using that information in civil or regulatory action against the reporting entity.
• Cyber Incident Review Board: The new Board will review certain cyber security incidents and make recommendations, and will have the authority to require the production of documents.
A&O Shearman said organisations should implement security standards that meet the security measures currently provided for in the Bill, and should make sure they can meet the ransomware reporting obligations within the timelines the Bill sets out.
ASD Advice on Data Security Practices
ASD says that businesses wanting confidence that they are employing appropriate data security practices should consider implementing these measures:
Create a register of personal data
Limit personal data collected
Delete unused personal data
Consolidate personal data repositories
Control access to personal data
Encrypt personal data
Back up personal data
Log and monitor access to personal data
Implement secure Bring Your Own Device practices
Report a data breach involving personal data
ASD warned that “businesses cannot afford to forgo investing in their security, and risk compromising the security of their customers’ personal data. The prevalence of data breaches and ransomware attacks underscores the importance of sound security practices. Businesses cannot afford to assume that they will not be targeted. Investing in security proactively can be far more cost effective than having to manage the repercussions and costs of a major data breach”.
Solutions to Help Meet PII Obligations
Cyber criminals succeed when organisations fail to adequately protect their data transfers and system access. Keeping them at bay requires a multi-layered strategy, including robust data transfer protection, multifactor authentication and employee training.
Managed File Transfer (MFT) solutions such as GoAnywhere MFT manage inbound and outbound file transfers across an organisation. Industry-standard transfer protocols such as SFTP, FTPS and AS2 protect data in transit, while OpenPGP and AES encryption protect files at rest and end to end, so that a file is never left unencrypted on an intermediate system.
GoAnywhere MFT also records all file transfer and administrator activity in searchable audit logs, which helps organisations demonstrate who accessed or moved personal data and when. These logs can be generated automatically and exported as PDF reports to support the reporting obligations the new legislation introduces; the logs are evidence for a report, not a substitute for one.
Advanced Threat Protection adds a further layer of defence. Fortra’s SFT Threat Protection enables safe collaboration with external parties by scanning transferred files, preventing malware from entering the organisation and reducing the risk of employees losing or mishandling sensitive data.
Local Experts Here to Help
Generic Systems Australia are your local experts in Managed File Transfer solutions. We have assisted dozens of organisations across the Asia-Pacific region to secure their data and keep cyber criminals at bay.
If you’d like to discuss improving your cybersecurity, please feel welcome to contact me, Bradley Copson. I’m always happy to have an obligation-free discussion, explain how simply we can transition you to the latest software and approaches, and even offer you a zero-cost Proof of Concept.