Australia is unveiling its new privacy law changes on March 12th, and many businesses have been rushing to meet this deadline. The Australian Privacy Principles (APPs) are a set of 13 privacy principles that regulate the handling of personal information by Australian and Norfolk Island Government agencies and some private sector organizations, replacing the previous Privacy Principles that applied to each sector individually.
The APPs cover the collection, use, disclosure and storage of personal information, with specific APPs on the use and disclosure of personal information for the purpose of direct marketing and cross-border disclosure of personal information, among other changes.
The Office of the Australian Information Commissioner (OAIC) has released APP Guidelines to help businesses navigate the mandatory requirements of the APPs, including information on how the OAIC will interpret them. The APPs require that businesses take reasonable steps to implement practices, procedures and systems relating to compliance, including clear records of how personal information is managed. Moving forward, companies holding the highest-value personal information paired with weak controls face the greatest risk of both a breach and non-compliance fines. Businesses face fines of up to $1.7 million for non-compliance with the APPs.
The Guidelines outline several suggestions for how to protect personal information, including managing all stages of the information lifecycle, setting up procedures for identifying and responding to a data breach, and regular staff training. The Guidelines do not require specific IT investments, but they do require that businesses assess their particular risks around data management and implement appropriate solutions; the choice of solution is left to each business.
According to an article on ARN, some businesses have been scrambling to understand the specific impact of the APP changes on their organization, and it’s expected that strategic investments in new systems will continue. As we saw when the Information Commissioner’s Office (ICO) in the UK began issuing fines for data breaches 4 years ago, companies in Australia are now looking to implement a layered approach to information security.
A multi-layered approach to security is one that we’ve been recommending to clients all around the world. A layered approach to computer security assesses all the potential risks of data loss and chooses products and procedures that will cover those risks, each layer adding additional protection. No single technology or service can mitigate all risk, so it’s a matter of weighing the costs and benefits of each “layer” to see what best fits your needs. You may also find that you need multiple solutions to cover each “layer.”
If your organization is not already APP-ready, we suggest starting with the 10 steps outlined here to assess your needs, checking out some simple tips here, and giving us a call. When it comes to managing and securing your endpoints, a source of significant information risk, we have you covered, and now all under one Unified IT option.