This ‘Guide to Securing Personal Information’ (Guide) provides guidance on the reasonable steps entities are required to take under the Privacy Act 1988 (Cth) (Privacy Act) to protect the personal information they hold from misuse, interference, loss, and from unauthorised access, modification or disclosure. It also includes guidance on the reasonable steps entities are required to take to destroy or de-identify personal information that they hold once it is no longer needed (unless an exception applies).
This guide is intended for use by entities[1] covered by the Privacy Act, including organisations, agencies, credit reporting bodies (CRBs), credit providers and tax file number recipients.[2] However, this guide may also be relevant to organisations not subject to the Privacy Act as a model for better personal information security practice.

This guide is not legally binding. However, the Office of the Australian Information Commissioner (OAIC) will refer to this guide when undertaking its Privacy Act functions, including when investigating whether an entity has complied with its personal information security obligations (s 40) or when undertaking an assessment (s 33C). Information on when and how we might exercise our regulatory powers is available in the OAIC’s Privacy Regulatory Action Policy.

Entities subject to the Privacy Act should read this guide in conjunction with the Australian Privacy Principles guidelines (APP guidelines). The APP guidelines outline the mandatory requirements of the Australian Privacy Principles (APPs), how the OAIC will interpret the APPs, and matters the OAIC may take into account when exercising functions and powers under the Privacy Act. Entities should also read this guide in conjunction with the OAIC’s guidance on data breach notification, which includes detailed information about the mandatory requirements for reporting serious data breaches under the Privacy Act.[3]

The introductory sections of this guide include a discussion of what personal information security is, why you should have it, and how you should protect personal information through the stages of its lifecycle. Part A discusses five general circumstances that affect what steps an entity should take to protect personal information.
Under nine broad topics, Part B outlines examples of key steps and strategies you should consider taking to protect personal information, including a number of questions you should ask yourself when considering or implementing these steps or strategies. This guide assumes some knowledge of privacy and security concepts. Additional information and resources are available in Appendix B.

The Privacy Act, the APPs, and other obligations

The Privacy Act and the APPs

The Privacy Act includes 13 APPs that regulate the handling of personal information by certain organisations and Australian Government (and Norfolk Island) agencies (APP entities). APP 11 requires APP entities to take active measures to ensure the security of personal information they hold and to actively consider whether they are permitted to retain this personal information.[4] Specifically, APP 11.1 states that an APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure.[5] Under APP 11.2, APP entities must also take reasonable steps to destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs.[6] This requirement does not apply where personal information is contained in a ‘Commonwealth record’ or where the entity is required by law or a court/tribunal order to retain the personal information.[7]

An entity ‘holds’ personal information ‘if the entity has possession or control of a record that contains the personal information’.[8] The term ‘holds’ extends beyond physical possession to include a record that an entity has the right or power to deal with.
For example, an entity that outsources the storage of personal information to a third party, but retains the right to deal with that information, including to access and amend it, ‘holds’ that personal information.[9] When considering the security of personal information you also need to be mindful of other obligations under the Privacy Act, such as your obligations under APP 8 (Cross-border disclosure of personal information) and APP 12 (Access to personal information).

Notifiable Data Breach (NDB) scheme

The NDB scheme applies to all entities with existing personal information security obligations under the Privacy Act. The NDB scheme requires entities to notify affected individuals and the Australian Information Commissioner (Commissioner) in the event of an ‘eligible data breach’.[10] A data breach is eligible if it is likely to result in serious harm to any of the individuals to whom the information relates. Entities must conduct a prompt and reasonable assessment if they suspect that they may have experienced an eligible data breach.[11]

Other obligations

All entities will also need to be aware of relevant legislation (other than the APPs) that imposes other obligations in relation to personal information security. If you are a credit reporting body or credit provider covered by Part IIIA of the Privacy Act and the registered CR code;[12] a tax file number recipient covered by the Privacy (Tax File Number) Rule 2015; a participant in the My Health Record system[13] for the purposes of the My Health Records Act 2012; an entity covered by the Healthcare Identifiers Act 2010; or a contracted service provider covered by the National Cancer Screening Register Act 2016, you may have additional personal information security obligations.
Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), Australian Government agencies must also act in a way that is not inconsistent with the policies of the Australian Government.[14] From the security perspective, these policies include the Attorney-General’s Department’s Protective Security Policy Framework and the Australian Signals Directorate’s Australian Government Information Security Manual. These documents articulate the Australian Government’s requirements for protective security and standardise information security practices across government.

Other information security resources

The advice provided in this guide is not intended to be exhaustive and it does not seek to replace any existing government or industry resources regarding information security. Compliance with these resources may be a relevant consideration in meeting the Privacy Act’s requirements for personal information security. Resources related to personal information security are widely available and entities should be aware of any relevant government, industry or technology-specific standards, guidance, frameworks or obligations and incorporate these into their information security practices. A list of additional resources is at Appendix B.

What is personal information security?

Section 6 of the Privacy Act defines ‘personal information’ as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’.[15] This might include a person’s name and address, medical records, bank account details, photos, videos and even information about what an individual likes, their opinions and where they work. An important subset of personal information in the Privacy Act is ‘sensitive information’. Sensitive information is defined in the glossary, and includes health information.[16] The Privacy Act generally affords a higher level of privacy protection to sensitive information than to other personal information.
Whether information constitutes personal information under the Privacy Act will depend on whether an individual can be identified or is ‘reasonably identifiable’ in the particular circumstances. Some information may not be personal information when considered on its own. However, when combined with other information held by or available to you, it may become ‘personal information’. These pieces of information may be collected by, or become available to, you at different times. Whether an individual is ‘reasonably identifiable’ from that information will depend on a range of factors, including the time and cost that would be involved in re-identifying them. It is essential that you are able to recognise the dynamic nature of information, and that information can become personal information some time after you have collected it. You should be fully aware of the personal information you handle, where it is kept and the risks associated with that information. If it is unclear whether an individual is ‘reasonably identifiable’ you should err on the side of caution and treat the information as personal information.

Personal information security

‘Information security’ involves all measures used to protect any information generated by an entity or individual, that is not intended to be made publicly available, from compromise, loss of integrity or unavailability.[17] This can include personal information, security classified information and commercially confidential information. ‘Personal information security’ is the main focus of this guide and specifically relates to entities taking reasonable steps to protect personal information (including sensitive information) from misuse, interference and loss, as well as unauthorised access, modification or disclosure. This will include consideration of matters before you collect personal information, including whether you should collect it at all.
Why is it important?

Personal information security is about more than just ensuring compliance with the requirements of the Privacy Act. If you mishandle the personal information of your customers, it can cause a financial or reputational loss to the customer. In turn, this can also lead to a loss of trust and considerable harm to your reputation. A significant breach may result in a loss of customers or business partners and revenue. Under the NDB scheme, you must, subject to some exceptions, notify individuals who are likely to suffer serious harm as a result of an eligible data breach. You must also notify the Commissioner.[18] If personal information that is essential to your functions or activities is lost or altered, it can have a serious impact on your ability to undertake business as usual.

The benefits of applying personal information security to your business practices can include more efficient processes. It also reduces the risk of privacy breaches and the time and resources involved in addressing any breaches that do occur.[19] Many of the steps and strategies in this guide will also assist you to take reasonable steps to ensure good handling of other types of information, such as commercially confidential information.

The information life cycle

If you handle personal information, you should consider how you will protect personal information during the stages of its life cycle. Personal information security throughout the life cycle involves:
To effectively protect personal information throughout its life cycle, you will need to be aware of when and how you are collecting it and when and how you hold it. As noted above, your personal information holdings can be dynamic and change without any necessarily conscious or deliberate action. Additionally, the life cycle may include the passing of personal information to a third party for storage, processing or destruction.

The information life cycle

1. Consider whether to collect personal information

Under APP 3, you should only collect personal information that is reasonably necessary (and for agencies, directly related) to carry out your functions or activities. Over-collection can increase risks for the security of personal information. Therefore, the first step in managing the security of personal information is to ask whether the collection of personal information is reasonably necessary to carry out your functions or activities.[20] If it is, you should then consider, even if you can collect it, whether it should be collected. That is, do you really need to collect the personal information or can the collection be minimised? Personal information that is not collected or is not stored cannot be mishandled.

2. Privacy by design

APP 1 outlines the requirements for APP entities to manage personal information in an open and transparent way. This includes taking reasonable steps to implement practices, procedures and systems that will ensure compliance with the APPs. The OAIC refers to this as ‘privacy by design’.[21] Privacy should be incorporated into your business planning, staff training, priorities, project objectives and design processes, in line with APP 1. You should design your personal information security measures with the aim to:
You will be better placed to meet your personal information security obligations if you embed them early, including by choosing the appropriate technology and by incorporating measures that are able to evolve to support the changing technology landscape over time. You also need to take into account the rapid development of new and existing technologies and platforms when designing your information security policies and systems. An important element of ‘privacy by design’ is to integrate privacy into your risk management strategies (see ‘Assessing the risks’ below). Robust internal personal information-handling practices, procedures and systems can assist you to embed good personal information handling practices and to respond effectively in the event a privacy breach occurs.

3. Assessing the risks

Assessing the security risks to personal information is also an important element of ‘privacy by design’. You can assess your personal information security risks by conducting a privacy impact assessment (PIA), an information security risk assessment and regular reviews of your personal information security controls. You should use PIAs and information security risk assessments along with regular reviews so that you are aware of the variety of security risks you face, including threats and vulnerabilities, along with the possible impacts, before designing and implementing your personal information security framework. They will also assist you in integrating privacy into your risk management strategies.

PIAs

A PIA is a written assessment that identifies the privacy impacts of a proposal and sets out recommendations for managing, minimising or eliminating those impacts. Generally, a PIA should:
A PIA, especially one conducted at the early stage of a proposal’s development, can assist you to identify any personal information security risks and the reasonable steps that you could take to protect personal information. A PIA can also be seen as an iterative process during the life of any proposal, being updated to take account of changes to the proposal as it evolves. A detailed guide to conducting PIAs is available from the OAIC website. The OAIC encourages entities to undertake a PIA for any new proposals across all business activities that involve the handling of personal information.[22] The PIA guide includes a threshold assessment to assist you in determining whether it is appropriate for you to undertake a PIA. It will depend on a proposal’s size, complexity and scope and the extent to which it involves personal information. The OAIC also has a PIA eLearning course that aims to help entities to conduct an in-house PIA.

While the PIA guide focuses on undertaking PIAs for new projects, you should also consider applying the same principles across your business generally, including existing business operations, to give a greater understanding of the privacy risks that exist currently. Entities should also consider building the use of PIAs into their risk management processes and plans.

Information security risk assessments

You may also need to conduct an information security risk assessment (also known as a threat risk assessment) in conjunction with a PIA. An information security risk assessment is generally more specific than a PIA because it involves the identification and evaluation of security risks, including threats and vulnerabilities, and the potential impacts of these risks to information (including personal information) handled by an entity. As with a PIA, an information security risk assessment can be seen as an iterative process and may be undertaken across your business generally.
The findings of a PIA and information security risk assessment should inform the development of your risk management and information security policies, plans and procedures. Once the risks have been identified, you should then review your information security controls (virtual and physical) to determine if they are adequate in mitigating the risks. Given that processes, information, personnel, applications and infrastructure change regularly, and given the constantly evolving technology and security risk landscape, regular review and monitoring of personal information security controls is crucial.

Risk of human error

Threats to personal information can be internal or external as well as malicious or unintentional. Privacy breaches can arise as a result of human activity or events such as natural disasters. Human error is regularly claimed as the cause of privacy incidents; however, entities should assume that human error will occur and design for it.[23] Research has shown that human error can be seen as a trigger rather than a cause of an incident.[24] PIAs, information security risk assessments and regular reviews will enable you to design practices, procedures and systems to deal with the foreseeable risk of human error and minimise its effect.

4. Taking appropriate steps and putting into place strategies to protect personal information

Once your entity has collected and holds personal information, you need to consider what appropriate security measures are required to protect the personal information. This will need to be considered in relation to all of your entity’s acts and practices. Part B of this guide sets out examples of key steps and strategies you should consider taking in order to protect the personal information you hold to satisfy your security obligations under the Privacy Act.

5. Destroy or de-identify personal information

Under APP 11.2, APP entities must also take reasonable steps to destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs.[25] This requirement does not apply where the personal information is contained in a ‘Commonwealth record’ or where the entity is required by law or a court/tribunal order to retain the personal information. Destroying or permanently de-identifying personal information that you no longer need is an important risk mitigation strategy and is discussed in Part B.

Part A — Circumstances that affect assessment of reasonable steps

What qualifies as reasonable steps to ensure the security of personal information depends on the circumstances, including the following:
These circumstances will also influence the reasonable steps you should take to destroy or de-identify personal information. The examples of OAIC investigations discussed below are intended to assist an entity to understand our guidance. They reflect a point-in-time circumstance in relation to the particular organisation.[26] Even slight changes to the facts expressed in the examples may lead to a different result.

Nature of the entity

The size of your entity, its resources, the complexity of its operations and the business model are all relevant to determining what steps would be reasonable to protect the personal information you hold. For instance, a franchise or a business using outsourcing is likely to provide access to its personal information to third parties (franchisees and contractors). The reasonable steps it takes may be different to those it would take if it did not operate in this manner.

Example 1

An investigation into a telecommunications company following allegations that customer information had been compromised showed that the company’s business model provided access to the company’s databases of customer information to dealership employees via a shared store login ID. Although the use of shared logins and the wide availability of full identity information is an inherent personal information security risk, in this instance the risk was increased by the fact that the entity had less control over information being accessed through dealerships, and no way of tracking or auditing who was accessing the information.

Read the full investigation report for Example 1

When you outsource any of your personal information handling to a third party (including to a cloud service provider), and you continue to ‘hold’ that information, you will still be subject to APP 11. Part B sets out steps to assist you when implementing information handling practices.
Example 2

The information handling practices of a telecommunications company and its internet service provider (ISP) were considered in an investigation following media reports that a server holding the telecommunications company’s customer personal information had been compromised by an external attack. The investigation found that the telecommunications company and the ISP failed to take reasonable steps to manage and protect personal information held on the compromised server. For example, it was found that the telecommunications company did not have adequate contractual measures in place to protect the personal information held on the compromised server.

Read the full investigation report for Example 2

If you are disclosing to an overseas recipient you may need to take further steps to comply with APP 8, the cross-border disclosure principle.[27]

Amount and sensitivity of personal information held

Generally, as the amount and/or sensitivity of personal information that is held increases, so too will the steps that it is reasonable to take to protect it. The community generally expects that their sensitive information will be given a higher level of protection than non-sensitive information. This expectation is reflected in the increased privacy protections which apply to the handling of sensitive information. Although it is not defined as sensitive information under the APPs, people often expect that their financial information will be given a high level of protection. The protections in the Privacy Act in relation to credit reporting information and tax file numbers reinforce this.

Example 3

The sensitivity of the information was taken into account in an investigation into a telecommunications company following media allegations that personal information of the company’s customers was accessible online, which was confirmed by the company.
The personal information of approximately 15,775 customers was compromised, including full names, addresses and phone numbers, including 1,257 customer accounts with silent numbers. The Commissioner stated that a breach of this type of personal information for the 1,257 customers with silent numbers was not low risk. Further, the Commissioner noted that different risk levels may require an entity to take different security precautions in order to meet the requirements of the Privacy Act. The Commissioner stated that it was a reasonable step for the company to implement security processes and procedures to address the heightened risk environment.

Read the full investigation report for Example 3

Adverse consequences for an individual

When you are assessing the steps that you will take to protect personal information, you should consider the possible adverse consequences for the individuals concerned if the information is not secured. This may extend to material harm from identity theft or fraud. The mishandling of some kinds of sensitive information, such as health information that identifies an individual’s medical condition, may:
The likelihood of harm occurring will be relevant in considering whether it is reasonable to take a particular step.

Example 4

The necessity of considering the risk of adverse consequences is highlighted by a case where an Australian Government department published statistical data of highly vulnerable people without taking appropriate steps to ensure it was not identifiable. An investigation found that the department was aware of the privacy risks of embedding personal information in publications, but that their systems and processes failed to adequately address those risks. The likelihood of harm to the individuals affected was a key consideration in assessing whether the department had taken reasonable steps.

Read the full investigation report for Example 4

Practicality of implementation

The practicality of implementing a security measure, including the time and cost involved, will influence the reasonableness of taking that step. However, you are not excused from taking specific steps to protect information just because it would be inconvenient, time-consuming or costly to do so. Whether these factors make it unreasonable to take particular steps depends on whether the burden is excessive in the specific circumstances. In deciding whether these factors make a step unreasonable, you should have regard to other circumstances such as the sensitivity of the personal information and the risk to an individual if that information is misused, interfered with, lost, or inappropriately accessed, modified, or disclosed.

Example 5

An investigation into a medical centre found that there were boxes of unsecured medical records being stored in a garden shed at a site no longer occupied by the medical centre. The medical centre advised the Commissioner that patient health records were transferred from the locked room inside the former premises to a garden shed at the back of the site (so that renovations for sale of the site could occur).
The garden shed door was locked with padlocks. The Commissioner found that the medical centre did not take reasonable steps to protect the personal information, some of which was also sensitive information. Further, the Commissioner did not consider there to be any circumstances in which it would be reasonable to store health records, or any sensitive information, in a temporary structure such as a garden shed.

Read the full investigation report for Example 5

Privacy invasiveness

It may not be reasonable to implement a security measure if it is itself privacy invasive. For example, requiring users to supply extensive personal information to identify themselves prior to giving access to their records under APP 12 may result in collecting personal information that is unnecessary (contrary to APP 3).[28] In that instance, you will need to balance what you need to do to prevent disclosure of personal information to the wrong person with the need to ensure that access is given on request.

Part B — Steps and strategies which may be reasonable to take

Appropriate security measures for protecting personal information need to be considered in relation to all of your entity’s acts and practices. This section outlines examples of key steps and strategies you should consider under the nine broad topics listed below. It includes a number of questions to ask yourself when considering or implementing these steps and strategies.
These steps and strategies are not intended to be prescriptive or exhaustive and it may not be necessary to take all the steps and strategies outlined below. You should also consult relevant standards and guidance on information security, including any which are particular to your sector or industry (see ‘Standards’ and ‘Information security resources’ below). The steps and strategies vary in ease of implementation and the impact that they will have on users. What is reasonable in the circumstances may vary between entities, and may change over time, for example, as a result of technological change or if you become aware that security measures that previously protected personal information are no longer adequate.

You should be fully aware of all the personal information you handle, where it is kept and the risks associated with that information before deciding what steps to take. You could undertake robust information asset management by developing and maintaining a list or register which provides a high-level description of the types and location of personal information you handle. This will help ensure that your personal information security measures are comprehensive. Many of the steps and strategies in this guide may also assist you in protecting other types of information, such as commercially confidential information.

Governance, culture and training

Fostering a privacy and security aware culture

Your privacy and security governance arrangements should include appropriate training, resourcing and management focus to foster a privacy and security aware culture among your staff. Personal information security should be an integrated component of your entire business and not left to the compliance or ICT area alone. The creation of this culture will require the active support of, and promotion by, senior management.
Insufficient interest in personal information security from staff, in particular senior management including the board (or equivalent decision-making body), can lead to threats to the security of personal information being ignored and not properly attended to. Appropriate training can assist in mitigating these issues and making staff aware of common personal information security threats (see ‘Personnel security and training’ section below). If your entity has experienced a significant breach of personal information security, the focus of your senior management should be to look at whether significant cultural changes are needed to improve security in the long term rather than relying on superficial solutions or treating such issues as ‘someone else’s problem’.

Oversight, accountability and decision-making

You should establish clear procedures for oversight, accountability and lines of authority for decisions regarding personal information security. You could have a body or designated individual/s that are aware of what personal information you hold, where and how it is held, and responsible for ensuring that it is held securely. This role could include defining information security measures and implementing and maintaining those measures. This role should be overseen by, and accountable to, your senior management.
Personnel security and training

Personal information security includes ensuring your entire staff are aware of their privacy and security obligations (including senior management). Human error can be a contributing cause to data breaches and undermine otherwise robust security practices where the systems have not been designed to deal with it.[30] It is therefore important that all staff understand the importance of good information handling and security practices. The commencement of the NDB scheme also highlights the importance for all staff to have the capability to recognise eligible data breaches and understand the appropriate steps to be taken. Privacy training may help staff understand their responsibilities and avoid practices that would breach your privacy obligations. Training should take into account new starters, contractors and temporary staff.
Internal practices, procedures and systems

Under APP 1.2, entities are required to take reasonable steps to establish and maintain practices, procedures and systems that will ensure compliance with the APPs and any binding registered APP code.[31] For the purposes of APP 11, you should document the internal practices, procedures and systems that you use to protect personal information. Your documentation should outline the personal information security measures that are established and maintained against the risks and threats to personal information. These documents should be regularly reviewed and updated to ensure they reflect your current acts and practices. You could also consider documenting the security choices you have made about your security profile, including the reasons why you have or have not adopted specific personal information security measures. Internal practices, procedures and systems which relate to personal information security may be addressed in a single policy or in a number of separate policies.[32] Additionally, you should make sure that staff are aware of, and have access to, these policies and are trained regarding their responsibilities (see ‘Governance, culture and training’ section above).
ICT security
Effective ICT security requires protecting both your hardware and software from misuse, interference, loss, unauthorised access, modification and disclosure. However, ICT security measures should also ensure that the hardware, software and personal information stored on it remain accessible and useful to authorised users. It is expected that entities regularly monitor the operation and effectiveness of their ICT security measures to ensure that they remain responsive to changing threats and vulnerabilities and other issues that may impact the security of personal information. You should be aware of the personal information you hold on your ICT system and where it is located. Your ICT security measures should ensure that all of your systems are secure and that they provide a safe environment for your:
You need to consider the security of all systems that use or interact with your ICT system. This includes securing your website(s), social media platforms, mobile device applications (apps),[33] along with Internet connected end-user mobile devices (such as smartphones, tablets and laptops), portable storage devices, desktop terminals, kiosks, as well as Wi-Fi networks, remote access and other aspects of your systems. ICT security measures help mitigate the risks of internal and external attackers and the damage caused by malicious software such as malware, computer viruses and other harmful programs. These programs can be used to gain unauthorised access to your computer systems in order to disrupt or disable their operation and steal any personal information stored on those systems. ICT security measures can also help mitigate the risks of internal threats. As well as ICT security against external and internal threats, it is important to consider the possibility of:
Software security
You should consider whether the software you use is sufficiently secure. Errors made during software development can potentially result in privacy breaches.
Patches can result in a number of extra functions and features that should be assessed for their privacy impacts before they are installed.[34]
Removing or disabling unneeded software, operating system components and functionality from a system reduces its vulnerability to attack, and can make it harder for malware to run or an attacker to gain access.
There is a risk that content delivered through websites can be used to arbitrarily access system users’ files or deliver malicious code. This risk can be reduced by ensuring that software applications and web browsers, including ‘add-ons’ or ‘plug-ins’, are up to date.[35] Disabling unused applications may also assist in preventing unauthorised access to a computer system.
If you are downloading or using web applications (such as web-based email, wikis, directly updating personal details on databases) or importing data to a system, you should ensure that appropriate security and scanning measures are in place.
Encryption
Encryption is important in many circumstances to ensure that information is stored in a form that cannot be easily understood by unauthorised individuals or entities. Encryption methods should be reviewed regularly to ensure they continue to be relevant and effective and are used where necessary. This includes ensuring that the scope of encryption is wide enough so that attackers cannot access another unencrypted copy of your encrypted information.
Network security
You need to have appropriate security controls in place to protect your network. The security controls that are appropriate will depend on the circumstances. Intrusion prevention and detection systems can be an effective way of identifying and responding to known attack profiles. This may include using firewalls, which control the incoming and outgoing network traffic, and software applications, such as filtering, that monitor network or system activities for malicious activities, anomalous behaviour, or policy violations.
Spammers may use spoofed email to try to bypass filters and make it appear as though email comes from a legitimate source.[37] Such emails may ask the recipient to provide their own or other individuals’ personal information.
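A receiving mail gateway can only reject spoofed mail if it has a way to check that the sending host is one the domain’s administrators have authorised, which is what the Sender Policy Framework described in note [38] provides. The following Python is an added illustration and is not part of the OAIC guide or any mail product: it evaluates a constructed SPF TXT record (hard-coded instead of fetched from DNS, so it runs offline) against the IP address that delivered a message and maps the result to a filtering action. Only the `ip4`, `ip6` and `all` mechanisms are implemented; `include:`, `a`, `mx` and `redirect=` need further DNS lookups and are skipped here, which a production checker must not do.

```python
import ipaddress

# Constructed sample: a hypothetical SPF TXT record for example.com. A real
# receiver would obtain this with a DNS TXT lookup; here it is hard-coded so
# the example runs offline.
SAMPLE_SPF_RECORDS = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
}

# SPF qualifier prefixes and the result each yields when its mechanism matches.
QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(record, sender_ip):
    """Evaluate a simplified SPF record against the IP that delivered the mail.

    Supported mechanisms: ip4:, ip6: and the catch-all 'all', each with an
    optional qualifier (+ - ~ ?). Mechanisms that need further DNS lookups
    (include:, a, mx, redirect=) are skipped in this simplified evaluator.
    Returns one of: pass, fail, softfail, neutral, none, permerror.
    """
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(value, strict=False)
            except ValueError:
                return "permerror"  # malformed record: treat as unusable
            if ip.version == network.version and ip in network:
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            return QUALIFIER_RESULT[qualifier]
        # any other mechanism is skipped by this simplified evaluator
    # No mechanism matched and no 'all' term: the domain expressed no opinion.
    return "neutral"


def filter_decision(mail_from_domain, sender_ip, records=SAMPLE_SPF_RECORDS):
    """Map an SPF result to a filtering action for a constructed mail gateway.

    Returns (spf_result, action) where action is 'accept', 'quarantine' or 'reject'.
    """
    record = records.get(mail_from_domain)
    if record is None:
        return "none", "quarantine"  # no policy published; sender cannot be verified
    result = evaluate_spf(record, sender_ip)
    if result == "pass":
        return result, "accept"
    if result in ("fail", "permerror"):
        return result, "reject"
    # softfail / neutral: deliver, but to a review folder rather than the inbox
    return result, "quarantine"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "2001:db8:1::1", "203.0.113.5"):
        print(ip, filter_decision("example.com", ip))
```

The mapping from SPF result to action is a policy choice for the gateway operator; the point the example makes is that a message whose envelope domain fails its own published policy can be refused before any staff member sees the request for personal information it carries.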
Separating an entity’s network into multiple functional segments makes it difficult for an intruder to propagate inside the network. Proper network segmentation assists in the creation and maintenance of network access control lists. Segmentation can also allow for different security measures to be applied to different types of information depending on its sensitivity and the risks associated with it.
Whitelisting and blacklisting
Whitelisting and blacklisting are ways of controlling the content, applications or entities that are allowed to run on or access a device or network.[40] Both can prevent potentially harmful material from accessing your system. Whitelisting may offer greater protection than blacklisting as it is not dependent on identifying the material to be blocked. However, a drawback is that it can also block harmless content that is not whitelisted. Reputation-based lists used for blacklisting need to be maintained and updated to be effective due to the rapid pace with which malicious sites come and go.
Testing
Testing of ICT systems should occur during their development, transition to operations and regularly once they are operational. Depending on the situation, you may wish to consider penetration (or vulnerability) testing to discover security weaknesses, or configuration reviews, to test whether networks are operating towards a certain standard. You need to consider how to scope your testing — remember that testing only discrete elements of your ICT system may miss systemic issues.
Backing up
To prevent personal information you hold from being lost, you should make copies of important files and store them on a physical device or online using a cloud-based storage solution.
Email security
Email is not a secure form of communication and you should develop procedures to manage the transmission of personal information via email.
Access security
Access security and monitoring controls help you protect against internal and external risks by ensuring that personal information is only accessed by authorised persons. ‘Unauthorised access’ is a separate concept from ‘disclosure’, as an entity is not taken to have disclosed personal information under APP 6 (Use and disclosure) where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information. However, the entity may breach its security obligations under APP 11 if it did not take reasonable steps to protect the personal information from unauthorised access.[42] In addition, unauthorised access of personal information by a third party could trigger notification obligations under the NDB scheme if it is determined that, as a result of this unauthorised access, individuals are likely to be at risk of serious harm.
Trusted insider risk
You need to guard against internal threats such as unauthorised access or misuse of personal information by your staff, including contractors (the trusted insider risk). Trusted insider breaches can occur when staff mishandle personal information while carrying out their normal duties. These actions are often motivated by personal advantage, for example insiders accessing personal information for financial gain. To minimise this risk you should, when possible, limit internal access to personal information to those who require access to do their job (ie provide access on a ‘need to know’ basis). Limiting such access is an important personal information security mechanism. If someone is transacting with you using a pseudonym, you could also consider further restricting access to personal information that is linked to that person to protect the pseudonym.[43]
Identity management and authentication
You should have processes in place to identify individuals accessing your systems and control their access by associating user rights and restrictions with their identity. This will ensure that only authorised persons can access your systems. Authentication is a key part of this process and is often managed by providing one of three factors: something one knows (such as a password or code), something one has (a physical token, such as a bank card, security pass, or a mobile phone to receive SMS confirmation), or something one is (biometric information such as a fingerprint). ‘Multi-factor authentication’ requires at least two factors. Appropriate authentication can be used to limit a person’s access both to the system or network and also to the information contained within it. It can also assist in mitigating security risks such as ‘social engineering’[44] (including ‘phishing’ and ‘spear phishing’[45]).
Access to non-public content on web servers
If you host content that is not intended for public release (non-public content) on your web servers, you should consider storing this content elsewhere or restrict access to this information to authorised and authenticated users only. This ensures that non-public content will not be accessed by unauthorised third parties, including search robots[46] such as GoogleBot.[47] In conjunction with authentication, you should also disable directory browsing when configuring web servers.[48]
If you store non-public content on your web servers:
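The three controls the section above names (authentication for the non-public area, directory browsing disabled, and a robots.txt that keeps well-behaved crawlers out) are shown together in the following Python request handler. It is an added example, not OAIC code or a real web server: the document root, the `/reports/` non-public prefix, the `analyst` credential and the page bodies are all constructed, and credentials are held in plaintext only so the example runs; a real server stores salted password hashes. The ordering of the checks is the part worth studying: authentication is enforced before the server reveals whether a non-public path exists, and directory requests are refused outright, so a listing can never be used to discover file names.

```python
import base64
import hmac
import posixpath

# Constructed content for a hypothetical web server: path -> file body.
# Everything under /reports/ is non-public and must never be listed or served
# without authentication.
DOCUMENT_ROOT = {
    "/index.html": "<h1>Public landing page</h1>",
    "/reports/summary.pdf": "%PDF-1.4 constructed sample",
    "/reports/2023-client-list.csv": "name,email\nJ Smith,j.smith@example.com",
}
NON_PUBLIC_PREFIXES = ("/reports/",)

# Constructed credential store for the example only. A real server would hold
# salted password hashes rather than plaintext values.
CREDENTIALS = {"analyst": "correct horse battery staple"}

# Keeps well-behaved crawlers out of the non-public area. This is a courtesy,
# not a control: authentication is what actually prevents access (see note [49]).
ROBOTS_TXT = "User-agent: *\nDisallow: /reports/\n"


def basic_auth_header(user, password):
    """Build an HTTP Basic Authorization header value (used by the demo below)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def _authenticated(authorization):
    """Validate an HTTP Basic credential using constant-time comparison."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    expected = CREDENTIALS.get(user)
    if expected is None:
        hmac.compare_digest(password, "x" * 32)  # same cost for unknown users
        return False
    return hmac.compare_digest(password, expected)


def _is_non_public(path):
    return any(path == p.rstrip("/") or path.startswith(p) for p in NON_PUBLIC_PREFIXES)


def _is_directory(path):
    return any(key.startswith(path + "/") for key in DOCUMENT_ROOT)


def handle_request(path, authorization=None):
    """Return (status, headers, body) for a GET of `path`."""
    if path == "/robots.txt":
        return 200, {"Content-Type": "text/plain"}, ROBOTS_TXT
    # Collapse '.' and '..' segments so a traversal cannot escape or bypass prefixes.
    path = posixpath.normpath("/" + path.lstrip("/"))
    if path == "/":
        path = "/index.html"
    # Authenticate before revealing whether anything exists under the prefix.
    if _is_non_public(path) and not _authenticated(authorization):
        return 401, {"WWW-Authenticate": 'Basic realm="non-public"'}, "authentication required"
    if path in DOCUMENT_ROOT:
        return 200, {}, DOCUMENT_ROOT[path]
    if _is_directory(path):
        # Directory browsing disabled: the listing is refused (the behaviour note [48] describes).
        return 403, {}, "directory listing disabled"
    return 404, {}, "not found"


if __name__ == "__main__":
    creds = basic_auth_header("analyst", "correct horse battery staple")
    for p, auth in (("/index.html", None), ("/reports/", None), ("/reports/", creds),
                    ("/reports/summary.pdf", creds), ("/robots.txt", None)):
        status, _, body = handle_request(p, auth)
        print(p, status, body[:40])
```

Note that an authenticated user asking for `/reports/` still receives 403 rather than a file list: disabling browsing is independent of authentication, as the section recommends, and the robots.txt entry is published in addition to, never instead of, those two controls.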
Passwords and passphrases
Your entity should use passwords and passphrases to identify that users requesting access to your systems are authorised users. Passwords and passphrases should be complex enough so that others are not able to guess them, for example using a combination of letters, numbers and symbols rather than actual words or common numbers.
Sometimes passwords are created using patterns that are known only to an entity and its staff (or part of its staff). Whilst each password is unique, there is a risk that a password may be inferred by someone who is aware of the pattern but is not authorised to access the file. Longer password patterns with many variations that are selected randomly rather than following a recognisable or known pattern are less likely to be guessed by unauthorised persons.
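The two paragraphs above make a quantitative point that is easy to see in code: a password that satisfies a character-class complexity rule can still be weak if it follows a pattern known to staff, because someone who knows the pattern only has to search its variations. The following Python is an added illustration, not from the OAIC guide; the word list, the `Sales-Mar2024!` pattern and the count of 3600 pattern variations are constructed figures. It contrasts the strength a complexity heuristic reports with the effective strength once the pattern is known, and generates random passwords and passphrases with the `secrets` module, which is the standard library’s CSPRNG.

```python
import math
import secrets
import string

# Constructed word list stand-in. A real deployment would use a published
# list such as a diceware list of 7776 words; only the count matters for the
# entropy arithmetic below.
SAMPLE_WORDS = ["anchor", "basket", "copper", "dormant", "ember", "falcon",
                "garden", "harbor", "island", "jigsaw", "kettle", "lantern"]


def bits_of_entropy(choices_per_position, positions):
    """Entropy in bits of a secret built from `positions` independent,
    uniformly random picks from `choices_per_position` alternatives."""
    return positions * math.log2(choices_per_position)


def charset_size(password):
    """Size of the alphabet implied by the character classes present.

    This is the usual 'complexity' heuristic (letters, digits, symbols). It
    assumes every position was chosen at random, so it overestimates badly
    for passwords that follow a pattern.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def apparent_bits(password):
    """Strength as the complexity heuristic sees it."""
    return bits_of_entropy(charset_size(password), len(password))


def pattern_bits(variations):
    """Effective strength of a pattern-based password once the pattern is known:
    only the number of variations of the pattern has to be searched."""
    return math.log2(variations)


def generate_passphrase(n_words, words=SAMPLE_WORDS, separator="-"):
    """Build a passphrase from randomly selected words using a CSPRNG."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def generate_password(length,
                      alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Build a random password from the full printable-ASCII alphabet (94 symbols)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # A password built from a shared pattern <Team>-<Mon><Year>! passes a
    # complexity rule (upper, lower, digit, symbol, 14 characters)...
    patterned = "Sales-Mar2024!"
    print(f"{patterned!r}: heuristic reports {apparent_bits(patterned):.0f} bits")
    # ...but someone who knows the pattern need only try, say, 12 months x
    # 10 years x 30 team names = 3600 variations (constructed figures).
    print(f"known pattern: effectively {pattern_bits(12 * 10 * 30):.1f} bits")
    print(f"random 12-char password: {bits_of_entropy(94, 12):.1f} bits, e.g. {generate_password(12)}")
    print(f"5 words from a 7776-word list: {bits_of_entropy(7776, 5):.1f} bits")
    print("from the constructed list:", generate_passphrase(5))
```

The gap between `apparent_bits` and `pattern_bits` for the same string is the risk the section describes: the heuristic sees 14 random characters, while an insider who knows the convention faces a search of a few thousand guesses. Random selection, whether of characters or of words, is what makes the entropy figure honest.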
Collaboration
If you collaborate and share personal information with other entities while working on projects, you may continue to ‘hold’ personal information that is being used by the other collaborator. In these circumstances you must take reasonable steps to protect the information from unauthorised access while in their physical possession, including having effective controls in place to ensure that it is only accessed by authorised persons.
Audit logs, audit trails and monitoring access
Unauthorised access of personal information can be detected by reviewing a record of system activities, such as an audit log. Maintaining a chronological record of system activities (by both internal and external users) is often the best way for reviewing activity on a computer system to detect and investigate privacy incidents. Audit logs should also be named using a clear naming convention. Audit trails are used to reconstruct and examine a sequence of activities on a system that lead to a specific event, such as a privacy incident.[51] Access monitoring software that provides real time (or close to real time) dynamic review of access activity can also be useful for detecting unauthorised access to personal information. Use of proactive monitoring to identify possible unauthorised access or disclosure, including any breach that might amount to an eligible data breach for the purposes of the NDB scheme, may be a reasonable step for you to take particularly if you use many systems or databases which hold large amounts of personal information.
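To make the section above concrete, the following Python runs two proactive checks over an audit log and reconstructs an audit trail for one record in the sense of note [51]. It is an added example and not OAIC code: the log format (`<time> user=<id> action=<verb> record=<id> src=<ip>`), the two user accounts, the 07:00 to 19:00 UTC business hours and the bulk-access threshold of 20 events in 10 minutes are all constructed. The sample log contains a normal morning’s work by one user and a late-night run through 25 customer records followed by an export by another, which is the trusted-insider pattern the ‘Access security’ section warns about.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone


# Constructed audit log for a hypothetical customer database. One event per line:
#   <ISO-8601 UTC time> user=<id> action=<verb> record=<id> src=<ip>
def _build_sample_log():
    lines = [
        "2024-03-04T09:12:33Z user=jsmith action=view record=cust-1042 src=10.0.1.5",
        "2024-03-04T09:15:07Z user=jsmith action=view record=cust-1043 src=10.0.1.5",
        "2024-03-04T09:20:41Z user=jsmith action=update record=cust-1043 src=10.0.1.5",
    ]
    # One account reading 25 records in four minutes late at night, then exporting.
    start = datetime(2024, 3, 4, 23, 0, 0, tzinfo=timezone.utc)
    for i in range(25):
        t = (start + timedelta(seconds=10 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{t} user=tnguyen action=view record=cust-{2000 + i} src=10.0.7.22")
    lines.append("2024-03-04T23:05:00Z user=tnguyen action=export record=cust-1042 src=10.0.7.22")
    return lines


SAMPLE_LOG = _build_sample_log()


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp."""
    ts, *fields = line.split()
    event = {"time": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(lines):
    """Parse and sort chronologically, which the trail reconstruction relies on."""
    return sorted((parse_line(line) for line in lines), key=lambda e: e["time"])


def flag_bulk_access(events, threshold=20, window_minutes=10):
    """Users with at least `threshold` events inside any sliding window."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["time"])
    flagged = set()
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def flag_after_hours(events, open_hour=7, close_hour=19):
    """Users with any access outside the constructed business hours (UTC)."""
    return {e["user"] for e in events if not open_hour <= e["time"].hour < close_hour}


def trail_for_record(events, record):
    """Chronological audit trail for one record: when, who, and what they did."""
    return [(e["time"].isoformat(), e["user"], e["action"])
            for e in events if e["record"] == record]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("bulk access:", flag_bulk_access(events))
    print("after hours:", flag_after_hours(events))
    for row in trail_for_record(events, "cust-1042"):
        print(row)
```

Thresholds like 20 events in 10 minutes are tuning parameters that depend on the role: a call-centre operator legitimately opens many records an hour, so the same check would need a per-role baseline rather than one global figure. The trail function is the investigative half: once a record is known to be involved in an incident, it lists every actor who touched it, in order.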
Individuals accessing and correcting their own personal information
Under the Privacy Act, entities must, on request, give individuals access to the personal information held about them unless an exception applies.[53] Individuals are also able to request correction of the personal information held about them.[54]
Third party providers (including cloud computing)
Entities that outsource part or all of their personal information handling will need to consider whether they still ‘hold’ that personal information. If so, APP 11 will apply and you will need to take reasonable steps to comply with APP 11. If APP 11 applies to you, you will also be subject to the requirements of the NDB scheme, even if it is the third party who suffers the eligible data breach.[55] In this instance, while both you and the third party are subject to the requirements of the NDB scheme, only one of you is required to notify individuals of an eligible data breach.[56]
General issues
Relevant factors in deciding the steps that are reasonable in the circumstances include whether the third party is subject to the Privacy Act in its own right. Even if the third party is subject to the Privacy Act, if you hold the personal information, you still need to consider what steps are reasonable to protect the personal information. Steps may include influencing the third party’s conduct. Have you:
Cloud computing
Cloud computing can range from data storage to the use of software programs, with data being stored and processed by the cloud service provider.[58] For instance, an entity can store data on remote servers operated by the cloud service provider rather than storing it on their own servers. If you continue to ‘hold’ personal information when storing or using it in the cloud, reasonable steps may include robust management of the third party storing or handling your clients’ personal information, including effective contractual clauses, verifying security claims of cloud service providers through inspections, and regular reporting and monitoring. If you choose to adopt cloud computing you need to assess the security controls of the provider to ensure that you continue to comply with APP 11.[59] However, other APPs may also apply in these circumstances, including APP 8 (where personal information is disclosed to an overseas recipient),[60] and APPs 12 and 13 (access and correction). These are discussed in more detail in the APP guidelines. You should also be aware of your obligations under the NDB scheme, and have measures in place to manage your relationship with the cloud provider to ensure all eligible or suspected data breaches are assessed and notified in accordance with those obligations.[61] You should also consider whether your cloud service provider should be required to have similar controls to those you might apply to your own systems, such as governance arrangements and controls relating to software security, access security and network security set out in the sections above.
Data breaches
In the event of a data breach, having a response plan that includes procedures and clear lines of authority can assist you to contain the breach and manage your response. Ensuring that staff (including contractors) are aware of the plan and understand the importance of reporting breaches is essential for the plan to be effective. The OAIC has published its Data Breach Preparation and Response.
Following the commencement of the NDB scheme, data breaches that are likely to result in serious harm to an individual are also subject to notification requirements. Entities covered by the My Health Records Act 2012 and current and former contracted service providers covered by the National Cancer Screening Register Act 2016 have additional notification obligations to the Commissioner.[65]
Physical security
Physical security is an important part of ensuring that personal information is not inappropriately accessed. You need to consider what steps, if any, are necessary to ensure that physical copies of personal information are secure. Similarly, you should consider whether the workspace itself is designed to facilitate good privacy practices.
Where an entity holds personal information it no longer needs for a purpose that is permitted under the APPs, it must ensure that it takes reasonable steps to destroy or de-identify the personal information (APP 11.2) — in some cases, one or the other may be more appropriate. This obligation applies even where the entity does not physically possess the personal information, but has the right or power to deal with it.[66] However, depending on the type of entity and the type of personal information involved, you may have specific obligations under law or a court/tribunal order to retain and/or destroy or de-identify personal information. Agencies also have specific retention obligations for personal information that forms part of a Commonwealth record.
Destroying personal information — irretrievable destruction
Personal information is destroyed when it can no longer be retrieved. The steps that are reasonable for an entity to take to destroy personal information will depend on whether the personal information is held in hard copy or electronic form.
Destroying personal information held in electronic form — putting beyond use
Where it is not possible for an entity to irretrievably destroy personal information held in electronic format, reasonable steps to destroy it would include putting the personal information ‘beyond use’. For example, this could include where technical reasons may make it impossible to irretrievably destroy the personal information without also irretrievably destroying other information held with that personal information. Personal information is ‘beyond use’ if you:
It is expected that only in very limited circumstances would it not be possible for an organisation to destroy personal information held in electronic format.
De-identifying personal information
De-identification of personal information may be more appropriate than destruction where the de-identified information could provide further value or utility to the entity or a third party, but you should consider whether de-identification is appropriate in the circumstances. Personal information is de-identified under s 6 of the Privacy Act, ‘if the information is no longer about an identifiable individual or an individual who is reasonably identifiable’.
Standards
‘Standards’ are documents that set out requirements, specifications and procedures designed to ensure products, services and systems are safe, reliable and consistently perform in the way they are intended.[67] Standards can include guidelines, handbooks, manuals or policies and may be general or specific to particular industries or sectors, or practices. Entities should consider using relevant international and Australian standards, policies, frameworks and guidance on information security. This includes any which are particular to their sector or industry (for example the National eHealth Security and Access Framework, which is relevant to the Australian healthcare sector). Australian Government agencies must apply the Attorney-General’s Department’s Protective Security Policy Framework and the Australian Signals Directorate’s Australian Government Information Security Manual. These documents articulate the Australian Government’s requirements for protective security and standardise information security practices across government. They may also be used by other government agencies (including state and territory agencies) and the private sector as a model for better security practice. You may also want to consult the ISO/IEC 27000 series of information security management standards and the ISO/IEC 31000 series of risk management standards published by both the International Organization for Standardization and the International Electrotechnical Commission, parts of which have been adopted by Standards Australia.[68] The 27000 series of standards provide recommendations on information security management, risks and controls. The 31000 series relates to standards for the design, implementation and maintenance of risk management processes. Compliance with standards can be tested internally or certified by a third party.
Adopting a standard is one way that you can gain some confidence regarding your security practices, but complying with a standard does not of itself mean that you have taken reasonable steps to protect personal information. It may be a reasonable step, but you may also need to take further action to meet your obligations under APP 11. You may also seek to use certification of compliance with a standard as an assurance that you are protecting personal information. However, you will need to be aware of the scope of any certification, for example, whether it includes an assessment of the implementation of the relevant standard/s in practice; or the suitability of the risk profile underpinning the adoption of the standard/s. You will also need to be aware of the extent to which you may rely on any certification of your processes or the processes of a party you are dealing with. Relying on the certification of your processes or the processes of a party you are dealing with may not of itself be considered ‘reasonable steps’ for the purposes of APP 11. You may need to take further action to meet your security obligations under APP 11. In adopting any standard, you must make sure that you apply the definition of personal information and sensitive information from the Privacy Act, and not any other similar definitions that might be imported by or used in the standard.
Appendix A — Glossary of terms
Unless otherwise stated, terms used in this guide have the same meaning as in the Privacy Act. Some of these terms are explained in more detail in the APP guidelines and Data Breach Preparation and Response.
‘Agency’ has the meaning set out in s 6(1) of the Privacy Act and includes a Commonwealth Minister, certain Australian Government agencies and the Norfolk Island administration.
‘APP entity’ means an agency or organisation and has the meaning set out in s 6(1) of the Privacy Act.
‘APPs’ means the Australian Privacy Principles, which are set out in Schedule 1 of the Privacy Act.
‘CII’ means Commissioner initiated investigation, made under s 40(2) of the Privacy Act, where the Commissioner may, on his or her own initiative, investigate an act or practice that may be an interference with the privacy of an individual or a breach of APP 1. Investigations relating to acts or practices prior to 12 March 2014 use the term ‘own motion investigation’.
‘Commonwealth record’ is defined in s 6(1) of the Privacy Act to have the same meaning as in s 3 of the Archives Act 1983 (Cth).
‘CRB’ means credit reporting body and has the meaning set out in s 6 of the Privacy Act.
‘Credit provider’ has the meaning set out in s 6(1) of the Privacy Act.
‘CR Code’ means the registered Privacy (Credit Reporting) Code 2014, a mandatory code that binds credit providers and CRBs. The CR code supplements the provisions contained in Part IIIA of the Privacy Act and the Privacy Regulation 2013. A breach of the CR code is a breach of the Privacy Act.
‘Cth’ means Commonwealth.
‘Data breach’ means, for the purpose of this guide, when personal information held by an entity is lost or subjected to unauthorised access, use, interference, modification, disclosure, or other misuse.
‘Disclosure’ is not defined in the Privacy Act and its meaning is discussed in the APP guidelines Chapter B: Key concepts, paragraphs B.63-B.69.
‘Eligible data breach’ is a data breach that is likely to result in serious harm to any of the individuals to whom the information relates. Further information about eligible data breaches can be found in the OAIC’s Data Breach Preparation and Response.
‘Entity’ means an agency, organisation or other person covered by the Privacy Act, including those covered by the APPs, Part IIIA and the Privacy (Tax File Number) Rule 2015.
‘Holds’ has the same meaning set out in s 6(1) of the Privacy Act (discussed in the APP guidelines Chapter B: Key concepts, paragraphs B.79-B.82) and as summarised on page 3 of this guide.
‘Information security’ means all measures used to protect any information generated by an entity or individual that is not intended to be made publicly available from compromise, loss of integrity or unavailability.
‘NDB scheme’ means the notifiable data breach scheme, under Part IIIC of the Privacy Act, which came into effect on 22 February 2018. The OAIC has a number of resources with further information about the NDB scheme.
‘NPPs’ means the National Privacy Principles, which used to apply to organisations unless an exemption applied. The NPPs were replaced by the APPs on 12 March 2014.
‘OAIC’ means the Office of the Australian Information Commissioner.
‘Organisation’ has the meaning set out in s 6C of the Privacy Act and, in general, includes all businesses and non-government organisations with an annual turnover of more than $3 million, all health service providers regardless of turnover and a range of small businesses (see ss 6D and 6E of the Privacy Act).
‘Personal information’ has the meaning as set out in s 6(1) of the Privacy Act:
‘Personal information security’ means keeping personal information secure from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
‘PIA’ means privacy impact assessment and is discussed in the OAIC’s Guide to Undertaking Privacy Impact Assessments.
‘Privacy Act’ means the Privacy Act 1988 (Cth).
‘Sensitive information’ has the meaning as set out in s 6(1) of the Privacy Act and includes information or an opinion about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, sexual orientation, criminal record, health information and some aspects of genetic and biometric information.
‘TFN’ means a tax file number and has the meaning set out in Part VA of the Income Tax Assessment Act 1936 (Cth).
‘TFN information’ means information that connects a TFN with the identity of a particular individual (for example, a database record that links a person’s name and date of birth with the person’s TFN).
‘Use’ is not defined in the Privacy Act and its meaning is discussed in the APP guidelines Chapter B: Key concepts, paragraphs B.142-B.144.
Appendix B — Additional resources
OAIC resources
Other resources
In addition, the following information security resources may be relevant to entities:
The following resources are particularly relevant to Australian Government agencies but are also useful for other organisations and government agencies:
[1] We have used the term ‘entity’ throughout this guide to refer to all agencies and organisations subject to one or more of the provisions of the Privacy Act.
[2] For more information about the jurisdiction of the Privacy Act, see Rights and Responsibilities.
[3] To access the OAIC’s guidance on data breach notification, see Data Breach Preparation and Response.
[4] See Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 86.
[5] The six terms listed in APP 11, ‘misuse’, ‘interference’, ‘loss’, ‘unauthorised access’, ‘unauthorised modification’ and ‘unauthorised disclosure’, are not defined in the Privacy Act. See Chapter 11 of the APP guidelines for further guidance on the meaning of these terms. Some of these terms, including ‘unauthorised access’, ‘unauthorised disclosure’ and ‘loss’ are also discussed in Data Breach Preparation and Response.
[6] APP 4.3 also requires the destruction or de-identification of unsolicited personal information received by an organisation in certain circumstances.
[7] For more information about destroying or de-identifying personal information see Chapter 11 of the APP Guidelines and the De-identification Decision-Making Framework published by the OAIC and CSIRO’s Data61.
[8] See s 6(1) of the Privacy Act.
[9] See APP guidelines Chapter B: Key concepts.
[10] For more information about what will constitute an ‘eligible data breach’, see Data Breach Preparation and Response.
[11] For more information, see Notifiable Data Breaches.
[12] See ss 20Q and 21S of the Privacy Act and cl. 15 of the registered CR code. The provisions in Part IIIA make it clear whether the obligations in Part IIIA replace relevant APPs or apply in addition to relevant APPs. For example, s 21S states that if a credit provider is an APP entity, APP 11 does not apply to them in relation to credit eligibility information.
[13] Participant is defined in the My Health Records Act 2012.
[14] Under s 21 of the PGPA Act the accountable authority of a non-corporate Commonwealth entity must govern the entity in accordance with paragraph 15(1)(a) in a way that is not inconsistent with the policies of the Australian Government. Paragraph 15(1)(a) is about promoting the proper use and management of public resources for which the accountable authority is responsible.
[15] The full definition of ‘Personal information’ is set out in the Glossary section.
[16] For more detail on the definition of ‘personal information’ and ‘sensitive information’ see the APP guidelines Chapter B: Key concepts.
[17] Australian Signals Directorate, Australian Government Information Security Manual, Controls Manual, Glossary of Terms – definition of information security, p.314.
[18] For more information, see the OAIC’s guidance on the Notifiable Data Breaches.
[19] Certain organisations such as the Ponemon Institute (www.ponemon.org) have sought to quantify the cost of data breaches to business. In its 2017 Cost of Data Breach Study: Australia, Ponemon found the average data breach cost to a company to be $2.51m. A copy of the report can be found on the IBM website. Note registration is required to access the report.
[20] For agencies it can also be collected if it is ‘directly related’ to its functions or activities.
[21] Privacy-by-design was first developed in the 1990s by Dr Ann Cavoukian, former Privacy and Information Commissioner of Ontario, Canada. Since then, it has been adopted by both private and public sector bodies internationally. For further information, see Privacy by Design.
[22] Under s 33D of the Privacy Act, if an agency proposes to engage in an activity or function involving the handling of personal information and if the OAIC considers that the activity or function might have a significant impact on the privacy of individuals, the OAIC may direct the agency to give the OAIC, within a specified period, a PIA about the activity or function.
[23] See the Own Motion Investigation Report AICmrCN 5. This case illustrates how the failure to put in place adequate policies, procedures and systems to mitigate the risk of human error can result in a data breach. Failures at a number of levels aligned to create circumstances that enabled a breach to occur.
[24] This approach is based on the ‘Swiss cheese’ or ‘cumulative act effect’ model of accident causation which is an illustration of how organisational failures at a number of levels can combine to create a situation in which human error can trigger a data breach. This is a model used in risk analysis and risk management originally propounded by Dante Orlandella and James T. Reason in 1990.
[25] APP 4.3 also requires the destruction or de-identification of unsolicited personal information received by an organisation in certain circumstances.
[26] The examples of OAIC investigations were undertaken before the commencement of the APPs on 12 March 2014 and therefore refer to the National Privacy Principles (NPPs), specifically NPP 4 (replaced by APP 11). However the examples are still relevant in relation to the circumstances that will affect whether an entity has taken reasonable steps to protect personal information under APP 11.
[27] See APP guidelines, Chapter 8 for further information.
[28] APP 12 requires an APP entity that holds personal information about an individual to give the individual access to that information on request.
[29] For more information about why you should have a data breach response plan, and how to develop one, see Data Breach Preparation and Response.
[30] See the Own Motion Investigation Report AICmrCN 5. The case illustrates how the failure to put in place adequate policies, procedures and systems to mitigate the risk of human error can result in a data breach.
[31] For further information see the APP guidelines, Chapter 1.
[32] Use of the term ‘policy’ in this section refers to your entity’s internal documentation regarding its personal information security profile, not its APP privacy policy which is discussed in APP 1.3-1.6. [33] The OAIC has developed a guide to help mobile device application (app) developers embed better privacy practices in their products and services. See Mobile Privacy: A Better Practice Guide for Mobile App Developers. [34] Patches are software that is used to correct a problem with a software program or a computer system. [35] Add-ons and plug-ins are software that add specific functions to a browser [36] Decryption is the process of converting encrypted data back into its original form, so it can be understood. In order to easily recover the contents of encrypted information, the correct decryption key is required. [37] Spoofed email is email in which parts of the email header are altered so that it appears to have come from a different source. [38] Sender Policy Framework is an email validation system designed to detect email spoofing by allowing receiving mail exchangers to check that incoming mail from a domain is being sent from a host authorised by that domain’s administrators. [39] DomainKeys is an email authentication system designed to verify the domain of an email sender and that the email message was not modified in transit. [40] Whitelisting is permissive — it is a list of the content, applications or entities that are allowed. Blacklisting is prohibitive — it is a list of the content, applications or entities that are not allowed. [41] An example of a ‘use’ that an individual may be taken to reasonably expect is use for the secondary purpose of a normal internal business practice, such as auditing, business planning, billing or de-identifying personal information. 
The OAIC generally considers that the use of personal information to test ICT security systems may be a normal internal business practice in limited circumstances, such as where it is unreasonable or impracticable to use de-identified or dummy data (subject to the exception in APP 6.2(a)). For further information see APP guidelines, Chapter 6, paragraph 6.22. [42] The terms ‘unauthorised access’ and ‘unauthorised disclosure’ are not defined in the Privacy Act. See Chapter 11 of the APP guidelines for further guidance on the meaning of these terms. [43] APP 2 covers issues related to anonymity and pseudonymity. [44] ‘Social engineering’ is a term used to describe manipulating individuals into revealing confidential information or performing actions such as granting access to systems. [45] ‘Phishing’ typically involves sending an email that appears to come from a legitimate organisation and attempts to trick the recipient into supplying personal information. ‘Spear phishing’ is a personalised attack utilising personally relevant information to attempt to appear legitimate to a particular user. [46] Search robots or bots are software programs which run automated repetitive tasks over the Internet. They are most commonly used by web search engines and other sites for ‘Web crawling’ or ‘Web spidering’. This involves a search engine using bots to discover new and updated pages which are then added to the search engine’s index of Web content. [47] GoogleBot is Google’s web crawling bot. [48] Directory browsing gives permission to users to view a listing of the files in a web server. If directory browsing is disabled, an ‘Access Forbidden’ error message is displayed if the user attempts to access either a file or folder on the web server. [49] One way to prevent GoogleBot from crawling content on a website is to use robots.txt to block access to files and directories on a server. 
‘Robots.txt’ is a protocol used to request cooperating search robots not to access all or part of a website which is otherwise publicly accessible. Search engines comply with ‘robots.txt’ voluntarily and the OAIC has noted that most search engines comply with ‘robots.txt’, including Google, Bing and Yahoo. [50] ‘Salting’ is basically where an additional string of data, such as random numbers or text, is added to the password to make it less predictable and harder to attack, and ‘hashing’ is where passwords are processed through cryptographic algorithms that convert them into seemingly random characters. While passwords may be guessed through computational ‘brute-force’ attacks, this becomes very difficult when strong hash algorithms and passwords are used. Hashed passwords are therefore more secure to store than their clear-text passwords. The Australian Signals Directorate’s Australian Government Information Security Manual, Controls Manual (Control 1252, page 177) requires agencies to ensure usernames and passwords are hashed with a strong hashing algorithm which is uniquely salted. [51] ‘Audit log’ and ‘audit trail’ are defined in the Australian Signals Directorate’s Australian Government Information Security Manual, Control Manual, Glossary of Terms, p. 307. [52] Note that an entity must take all reasonable steps to assess whether a suspected data breach is an eligible data breach within 30 calendar days after the day the entity became aware of the grounds that caused it to suspect an eligible data breach. For more information about evaluating suspected data breaches, see Data Breach Preparation and Response. [53] See APP 12. Along with the right to request access under the Privacy Act, individuals have a right under the Freedom of Information Act 1982 (Cth) (the FOI Act) to request access to information held by Australian Government agencies. 
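As an added illustration of the salting and hashing described in footnote [50] (example code written for this guide, not the OAIC’s or the ISM’s own), the snippet below stores a password as a uniquely salted PBKDF2-HMAC-SHA256 hash and verifies it in constant time; the iteration count, salt length and record layout are assumed values chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; the ISM control quoted above only
# requires "a strong hashing algorithm which is uniquely salted".
ITERATIONS = 200_000   # work factor that makes brute-force guessing slow
SALT_BYTES = 16        # random salt drawn per password
KEY_BYTES = 32         # length of the derived hash


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Return a storable record holding a unique random salt and the salted hash.

    Without an explicit salt a fresh one is drawn from os.urandom, so two users
    with the same password end up with different stored hashes.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_BYTES
    )
    return {"algorithm": "pbkdf2_sha256", "iterations": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, record["iterations"], dklen=KEY_BYTES
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def same_password_different_hashes(password: str) -> bool:
    """Show that per-password salts stop identical passwords sharing a hash."""
    a = hash_password(password)
    b = hash_password(password)
    return a["salt"] != b["salt"] and a["hash"] != b["hash"]


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))  # False
```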
[54] See APP 13 — where an individual requests an APP entity to correct their personal information, APP 13.1 provides that the entity must take reasonable steps to correct the personal information it holds, to ensure it is accurate, up-to-date, complete, relevant, and not misleading, having regard to the purpose for which it is held. Individuals also have rights under the FOI Act to have their personal information amended if it is out of date, misleading, incorrect or inaccurate. [55] See Data Breach Preparation and Response. [56] For more information about data breaches involving more than one organisation, see Data Breach Preparation and Response. [57] In particular, the agency must ensure that the contract does not authorise a contractor to do or engage in such an act or practice. An agency must also ensure the contract contains provisions to ensure that such an act or practice is not authorised by a subcontract. [58] Cloud computing services have been defined as a way of sourcing and delivering ICT which enables convenient, on-demand network access to a shared pool of configurable computing resources (eg. networks, servers, storage, applications and services). The Australian Government has adopted the US Government’s National Institute of Standards and Technology definition for cloud computing. For further information see the Australian Government’s Secure Cloud Strategy and supporting material which apply to the use of cloud services by Commonwealth entities, available on the Digital Transformation Agency’s website. [59] The Australian Signals Directorate publishes resources with guidance on addressing information security risks of cloud computing. [60] You may also need to consider the data protection or privacy legislation in place where the data is stored by the cloud provider, as well as any other jurisdictions the cloud service provider may be subject to. [61] For more information, see Notifiable Data Breaches. 
[62] In 2014, the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) also published ISO/IEC 27018:2014 which relates to the implementation of measures to protect personal information while it is being processed in the public cloud. The standard uses a definition of ‘Personally Identifiable Information’ adopted from ISO/IEC 29100:2011. If adopting this standard, entities must ensure that they apply the definitions of personal information and sensitive information in the Privacy Act. More information can be found in the ‘Standards’ section below. [63] For more information about assessing a suspected data breach, see Data Breach Preparation and Response. [64] For more information about assessing suspected or eligible data breaches, see Data Breach Preparation and Response. [65] For more information about the mandatory My Health Record data breach notification requirements, see the Guide to Mandatory Data Breach Notification in the My Health Record System. Information about the interaction between these requirements and the broader NDB scheme can be found in that guide under the heading ‘The broader Notifiable Data Breaches (NDB) scheme’. [66] See Chapter 11 of the APP guidelines for further guidance on the destruction or de-identification of personal information and the De-identification Decision-Making Framework published by the OAIC and CSIRO’s Data61. [67] The term ‘standards’ is defined on the Standards Australia webpage What is a Standard? [68] Further information regarding Australian and international standards is available from the Standards Australia website at www.standards.org.au and the International Organization for Standardization website at www.iso.org. What is the document that provides basic guidance and regulatory requirements for derivative classification for DOD personnel?There are two primary sources of policy guidance for derivative classification. 
Within the Department of Defense, DOD Manual 5200.01, Volumes 1 through 3: DOD Information Security Program, provides the basic guidance and regulatory requirements for the DOD Information Security Program.
What document is used to record original classification guidance and supports derivative classification?
Security Classification Guides (SCG) are the primary sources for derivative classification.
Which are authorized sources for derivative classification guides?
For this reason, SCGs are the primary source guide for derivative classification. A second authorized source for derivative classification is an existing, properly marked source document from which information is extracted, paraphrased, restated, and/or generated in a new form for inclusion in another document.
What information does a security classification guide provide a derivative classifier?
SCGs provide detailed classification guidance on program-specific information for use by derivative classifiers in applying appropriate classification markings and facilitate the proper and uniform derivative classification of information.