Does your organisation collect or store personal information? The Privacy Act regulates how entities handle individuals’ personal information. Along with obligations regarding the collection, use, disclosure and provision of access to personal information, the Privacy Act also requires entities to take ‘reasonable steps’ to protect the personal information they hold from misuse and loss, and from unauthorised access, use, modification or disclosure.
When developing or reviewing a project, consider the need for a privacy impact assessment (PIA). A PIA identifies how a project can have an impact on individuals’ privacy, and makes recommendations for managing, minimising or eliminating those privacy impacts. CyberRisk recommends that you conduct PIAs as part of your risk management and planning processes. If your existing systems have never been assessed, CyberRisk can help to make sure that they comply with the relevant standards.
If the Office of the Australian Information Commissioner (OAIC) investigates a possible breach of the Privacy Act it considers two factors:
- the steps that the entity took to protect the information
- whether those steps were reasonable in the circumstances
Our Privacy Readiness Assessment service can provide you with the help you need to ensure that your organisation has reasonable security measures in place to protect personal information and thus meet your privacy obligations.
We can provide answers to the following questions:
- Are my controls reasonable, given the requirements of the Privacy Act?
- Have I taken reasonable steps to secure my customers’ information?
- Do my data breach response plan and procedures comply with the Privacy Act requirements around mandatory data breach reporting?