7 Tips to Comply with Data Privacy Laws in Your Medical Practice

When you’re running a medical practice, you’re likely juggling countless competing priorities – patient care, treatment plans, staffing, safety. But what about data privacy? The consequences of a data breach can be severe, from loss of patient trust and legal penalties to long-term damage to your reputation. Are you confident your practice isn’t unintentionally exposing itself to serious risk?

For medical practices, data privacy cannot be an afterthought – it’s mission critical for protecting patient confidence, supporting compliance and keeping sensitive information secure. And it’s more than implementing the right policies. It’s about ensuring policies and best practices are understood, followed and prioritised by all team members.  

Australian healthcare providers are responsible for complying with the Privacy Act 1988 and My Health Record regulations for protection of sensitive information and digital health records, yet many practices unknowingly put patient data at risk.  

Let’s explore the key challenges and gaps that can lead to serious breaches, and essential tips for reducing regulatory risk.

The Most Common Data Privacy Mistakes for Medical Practices  

Without proper guidance, it’s understandable many medical practices struggle with data privacy – typically due to a lack of training, understanding and best practices.  

1. Improper Training 

Unfortunately, data privacy tends to be overlooked when training takes a back seat. The people who handle sensitive data most often – practice managers and receptionists – typically receive no training in this area at all.

2. Missed Processes

If your medical practice has a retention policy covering data collection, storage, cleaning, retention, disposal, backup and archiving, that’s a great first step. But without staff awareness and clear procedures, these practices can easily be overlooked.

3. Inappropriate Data Handling 

There are a few ways staff members may be handling data incorrectly. First, considering that email is one of the top attack vectors for cybercriminals, it’s alarming how often medical practices email patient records. Even with a secure platform, sending data to the wrong email address is a significant issue. A secure messaging service that requires the recipient to authenticate before opening the message limits the damage of a misdirected send, but it does not prevent the send itself.

As another example, many medical staff don’t realise images (of patients) are just as sensitive as personal health data. In Australia, while there isn’t a specific law making it illegal to take photos of patients (for instance, during surgery), it’s crucial to obtain informed consent beforehand.  

Consider, for instance, a situation where a doctor takes a photo of a patient during a procedure, using a personal mobile device. Without realising the privacy risks, the image may automatically upload to a personal cloud account, which often lacks the necessary security or data protections. Without proper patient consent and security controls in place, even well-meaning actions can result in serious breaches of sensitive health information. 

4. Lack of Data Inventory 

Without a data inventory – knowing where and how your data is stored – it’s impossible to secure it. Even if you’ve put robust protections around your medical software, the data leaks out elsewhere. For example, if patient data is being emailed or stored in shared accounts without multi-factor authentication (MFA), those protections are simply bypassed. Tracking and securing all data, across all touchpoints, is essential to preventing breaches.

The good news: many medical practices are starting to take data privacy more seriously. While this mindset shift is slowly rippling through the industry, there’s more you can do to fully embrace a proactive approach to privacy in your practice.

Essential Tips to Support Compliance for Your Medical Practice  

To stay on the right path towards compliance, here are our best practice recommendations for building a stronger privacy framework. 

1. Develop a Comprehensive Privacy Policy

Create a clear, concise policy that outlines your practices for data collection, use, disclosure and storage. Be sure to obtain explicit patient consent for data collection and use. Most importantly, ensure that your privacy policy is easily accessible and understandable to your patients. 

2. Implement Strong Security Measures (Physical, Technical & Administrative) 

To protect sensitive data, establish strong security measures across three key areas.  

Physical Security:  

  • Ensure any physical patient records are stored securely in locked cabinets with restricted access. 
  • Does your practice have visiting staff or contractors? Control and record their access (swipe cards, controlled access to sensitive areas, visitor ID badges and a sign-in log). Vet visitors and ensure they’re always accompanied by authorised personnel. You may also consider CCTV to monitor sensitive areas. 

Technical Security: 

  • Use strong access controls: a unique account for each staff member, strong passwords and multi-factor authentication (MFA), with access removed promptly when someone leaves. 
  • Encrypt electronic patient data at rest and in transit, and maintain regular backups that are stored separately and tested by actually restoring them. 
  • Implement firewalls and anti-malware software, and keep operating systems and applications patched. 

Administrative Security: 

  • Conduct regular risk assessments and security audits to identify vulnerabilities. 
  • Train all staff on data privacy policies and procedures (more on this to follow). 
  • Establish clear data handling protocols, including a data breach response plan that every employee knows about and knows how to trigger. 

Feeling unsure about how to implement these practices? Find out more about how IT services can help with compliance in your medical practice.  

3. Prioritise Staff Training 

Given the training gaps discussed above, providing training – to administrative staff and medical practitioners alike – is incredibly worthwhile. Empower your team with the knowledge, awareness, skills and confidence to protect patient data. Ensure every member of your team understands your practice’s privacy policies, how to handle data properly and why it needs to be a priority.

4. Respect Patient Rights

Of course, patient trust and care are at the heart of what you do. So it’s important to extend this care to data privacy matters too. Ensure your patients can easily access and correct their medical records. Respect their requests to limit the use or disclosure of their information. 

Supporting compliance is most effective when you keep the human element in mind! Discover how to put people first with Privacy Act compliance.  

An important note on pseudonyms: under the Privacy Act (APP 2), patients have the option of dealing with you anonymously or under a pseudonym where that is lawful and practicable. Be sure you have processes in place to verify the identity of individuals requesting access to medical records (for example through health identifiers), including those using a pseudonym.

5. Maintain Accurate, Up-to-Date Records

Similar to the above, keep patient information accurate, complete and current. What’s the best way to do this? Consider standardising your data entry processes, such as through templates and prefilled forms to reduce errors. Implement a review or quality assurance system to double-check records and establish clear procedures for correcting errors. You may even benefit from utilising software that flags discrepancies.  

Patient portals, for instance, are a great way to enable patients to update their information directly and keep their records up to date. 

6. Obtain and Document Informed Consent

Ensure patients are fully informed about how their data will be used and disclosed, particularly when they first join your practice. Going forward, continue to obtain and record consent if new uses arise (for example, sharing data with third parties).

As new technologies such as Artificial Intelligence (AI) are introduced into healthcare practices — for example, AI transcription services or diagnostic support tools — it is crucial to be transparent with patients about how their data is being used. General consent to collect and store information may not automatically cover secondary uses involving AI. Ensure you obtain specific, informed consent for any AI processes that collect, process, or generate patient data. This includes informing patients about the purpose, risks, and safeguards in place. Clear communication helps patients make informed choices and supports compliance with your obligations under the Privacy Act. 

7. Minimise Data Collection

Understandably, medical practices want to gather as much information as possible to make accurate health decisions – but what’s truly necessary? Collecting extraneous or sensitive information (such as religion or personal preferences, unrelated to care), may not be needed and can put unnecessary information at risk in the event of a breach.  

Beyond minimising the amount of information collected, it’s equally important to regularly review the data you already hold. Retaining unnecessary personal information can expose your practice to increased risks in the event of a breach. Establish clear data retention policies that specify how long different types of patient information should be kept, in line with legal and regulatory requirements. Once data is no longer required, ensure it is securely destroyed or de-identified, according to your documented policies. Proper de-identification helps reduce privacy risks while maintaining compliance, and supports an overall data minimisation strategy by ensuring your practice only holds what is absolutely necessary.  
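To show how a retention review and a de-identification step can be carried out in practice, here is an added Python example; it is not part of the original article or of any ADITS tooling. The policy values it uses (seven years after the last service for adults; until age 25 or the seven-year period, whichever ends later, for patients who were minors at their last visit) are illustrative placeholders to be confirmed against the legislation for your facility type and state, and the patient records are constructed. It replaces direct identifiers with a keyed HMAC token whose key is held apart from the data set:

```python
"""Retention review and de-identification of patient records.

Added example, not from the original article or from ADITS. The retention
periods are illustrative placeholders, not legal advice.
"""
from __future__ import annotations

import dataclasses
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    patient_id: str
    name: str
    dob: date
    last_service: date
    notes: str


# Illustrative policy values (assumption): confirm the real periods for your
# facility type and state before relying on them.
ADULT_RETENTION_YEARS = 7      # years after the last service
CHILD_RETAIN_UNTIL_AGE = 25    # or the adult period, whichever ends later
AGE_OF_MAJORITY = 18


def add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 February in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def retain_until(rec: Record) -> date:
    """Earliest date on which the record may be destroyed or de-identified."""
    by_service = add_years(rec.last_service, ADULT_RETENTION_YEARS)
    if add_years(rec.dob, AGE_OF_MAJORITY) > rec.last_service:  # minor at last service
        return max(by_service, add_years(rec.dob, CHILD_RETAIN_UNTIL_AGE))
    return by_service


def due_for_review(records: list[Record], today: date) -> list[Record]:
    return [r for r in records if retain_until(r) <= today]


def pseudonymise(rec: Record, key: bytes) -> Record:
    """Replace direct identifiers with a keyed token; keep the clinical content.

    A keyed HMAC rather than a plain hash, so that someone who knows a patient
    ID cannot recompute the token. The key must live apart from this data set:
    the result is only de-identified for anyone who does not hold the key.
    """
    token = hmac.new(key, rec.patient_id.encode(), hashlib.sha256).hexdigest()[:16]
    return dataclasses.replace(
        rec,
        patient_id=token,
        name="[removed]",
        dob=date(rec.dob.year, 1, 1),  # keep year of birth only (illustrative choice)
    )


def review(records: list[Record], today: date, key: bytes) -> list[Record]:
    """Pseudonymise every record past its retention date; leave the rest as is."""
    return [pseudonymise(r, key) if retain_until(r) <= today else r for r in records]


# Constructed sample records.
SAMPLE = [
    Record("P001", "A. Citizen", date(1980, 5, 2), date(2015, 3, 10), "Flu vaccination"),
    Record("P002", "B. Citizen", date(2010, 8, 20), date(2016, 1, 5), "Ear infection"),
    Record("P003", "C. Citizen", date(1975, 1, 1), date(2023, 6, 30), "Annual check"),
]

if __name__ == "__main__":
    today = date(2025, 1, 1)
    for r in SAMPLE:
        print(r.patient_id, "retain until", retain_until(r))
    for r in review(SAMPLE, today, b"example-key-held-elsewhere"):
        print(r)
```

Run it directly to see which of the constructed records fall due on a given date. The token is deterministic, so the same patient still links across records, but only a holder of the key can reproduce or reverse it; destroy the key once the retention period has passed and the data set holds no route back to the patient. Keeping the year of birth is shown only as an example of retaining minimal non-identifying context; decide field by field what your practice actually needs.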

Strive for continuous improvement by regularly revalidating your processes and systems. 

The benefits of prioritising data privacy go far beyond ticking boxes. It’s a powerful strategy for strengthening patient trust, organisational security and the overall success of your practice. By implementing these best practices, you’re also being more proactive in supporting compliance. The time to act is now. It’s never too late to start strengthening your privacy measures.  

Want to take the stress out of data privacy for your practice? Find out more and enquire about our cyber security services.  

Putting People First with Privacy Act Compliance

Statistics from the OAIC show that the number of data breaches reported in the first half of last year was the highest in three and a half years. This volume of breaches represents a major threat to Australians’ privacy, and an increased need for businesses to shore up vulnerabilities and be more vigilant.

The thing is, many businesses are unknowingly or unintentionally violating an essential data privacy regulation – one that’s mandatory for most Australian organisations: the Privacy Act 1988. And the potential legal, financial, and reputational consequences for putting sensitive information at risk can be severe.  

One property investment company, for instance, landed in hot water after breaching Australian privacy law by sharing the names and addresses of people experiencing financial distress. Medibank suffered a reported $1.8B loss following its data breach. Customers spoke out about the hidden financial and emotional cost of the breach, as well as genuine concerns for their safety.

These cases make it clear how privacy breaches can have damaging personal consequences for individuals, while also exposing businesses to significant legal and reputational risks. 

Key Areas of Non-Compliance 

Many organisations assume they’re meeting the requirements outlined in the Privacy Act 1988, yet gaps in their data practices put them at risk. From consent failures to poor data handling, here are the most common compliance blind spots businesses need to address. 

1. Data Collection  

For many businesses, certain data collection practices can increase compliance risks and security vulnerabilities. This includes:  

  • Unnecessary collection – if your business gathers data “just in case” rather than for an intended purpose or specific, immediate need, you may be in breach of the Privacy Act 1988 requirements. 
  • Sensitive information risks – the higher the risk of unauthorised access or activity involving the personal information (and/or potential harm to the person that information is about), the more robust your security controls need to be. This means implementing stringent measures (encryption methods, regular audits, access controls, etc.) to ensure that sensitive information is protected from breaches and misuse.  
  • Lack of transparency – individuals must be informed about how their data is collected, used, and disclosed. If your privacy policy is vague, buried in legal jargon, or not easily accessible, you may not be meeting the Privacy Act compliance standards. 

By limiting data collection to what is strictly necessary and clearly communicating its use, businesses can reduce risk and build greater trust with customers. Plus, the less data you collect, the less you need to protect!  

2. Data Use and Disclosure 

Is your organisation handling personal data responsibly, using it only for its intended purpose? When gaps in data use and disclosure go unnoticed, it can put you at risk of non-compliance, for example:  

  • Using data beyond intended purposes – other than what has been stated at the time of collection, without obtaining proper consent. 
  • Unauthorised disclosure – sharing personal information with third parties without proper authorisation or legal basis. 
  • Data breaches – failing to implement adequate security measures to protect personal information from unauthorised access, use, disclosure, or destruction. 

Consider, for instance, a business using personal information to train an AI model. Without explicit disclosure and express consent at the time of collection, repurposing individuals’ data in this way could breach its Privacy Act obligations.

3. Data Quality 

One thing many organisations overlook is how easily poor data quality can lead to compliance risks. This includes maintaining inaccurate, incomplete, or outdated personal information, and obstructing individuals’ rights to access and correct their personal information. Failing to update records not only undermines trust but can also lead to incorrect decisions based on flawed data.  

Does your organisation give people access to their personal information, and the opportunity to correct it? Difficult processes – outdated systems, unclear policies or unnecessary administrative barriers – don’t meet the mark.

Additionally, does your organisation have a data retention policy, and act on it? For example, a medical practice is legally required to retain records for at least seven years, and longer depending on the type of facility and the state in which it operates, yet practices often keep patient records for decades. While policies are important, procedures are necessary to back them up.

4. Individual Rights 

Many organisations don’t realise that ignoring, delaying or denying individuals’ requests to access, correct or delete their personal information can put them at risk of non-compliance. Not honouring these requests can lead to complaints and penalties.

The same risks apply if your privacy policy is filled with legal jargon, or doesn’t include clear, concise information about individuals’ privacy rights. A poorly expressed, out-of-date or inadequate privacy policy could attract an infringement notice of up to $330,000 under the Tranche 1 reforms of the Privacy and Other Legislation Amendment Act 2024 (POLA) now coming into effect. This is where transparency and responsiveness need to be front and centre. While the process for handling requests can vary from business to business, you may like to consider appointing a privacy officer, or making this a core responsibility of a team member, to support accountability.

The Consequences of Non-Compliance 

When Privacy Act compliance slips through the cracks, the fallout can be swift and severe. Businesses may face hefty fines, which can reach into the millions, as well as potential civil lawsuits from affected individuals. The Tranche 1 POLA law now includes a “Tort for serious invasions of privacy”. This new cause of action empowers an individual to sue another person where that person has invaded the individual’s privacy by intruding upon their seclusion or misusing information relating to them. Under this tort, any individual or organisation can be sued. 

Beyond legal penalties, reputational damage and losing customer trust can be just as costly. Since customers expect their personal information to be handled with care, privacy breaches can quickly erode this trust and leave your business at a competitive disadvantage.  

Prioritising data privacy and supporting compliance means protecting your business’s future.  

Top Tips for Supporting Compliance 

Meeting Privacy Act standards involves more than ticking boxes. It requires an ongoing commitment to safeguarding personal information and using it appropriately. By taking proactive steps, businesses can reduce risk, build trust, and stay ahead in an evolving digital landscape. Here are some tactics for strengthening your approach to compliance. 

Conduct a Privacy Audit 

Start by assessing your current data handling practices against the Privacy Act. Identify gaps in how personal information is collected, stored, and shared. A thorough audit helps uncover risks before they become compliance issues. ADITS’ exclusive assessment focuses on APP11, and provides a comprehensive evaluation of over 200 controls across 17 practice areas. 

Develop a Comprehensive Privacy Policy 

A well-defined privacy policy supports transparency and accountability. Clearly outline how your organisation collects, uses and discloses personal information, as well as individuals’ rights over their data.

A comprehensive privacy policy includes:  

  • Data collection – the types of personal information collected, and how and why it is collected (including whether it comes via referral or a third party). Organisations should only collect the personal information necessary for the purposes for which it is processed, so that excessive or irrelevant data is not gathered.  
  • Data use – specific information about how it will be used (including primary and secondary purposes)  
  • Data protection – how this information is secured (such as encryption, Australian-hosted storage, securing paper records and access controls), demonstrating that your organisation has taken reasonable steps to protect it.  
  • Data retention – policies about what happens to information when it is no longer required.  
  • Processes – for data breaches or complaints.  

Ensure Effective Data Governance 

Effective data governance is crucial to ensure that your organisation manages its data properly and securely. Begin by identifying the types of personal and sensitive data your organisation handles. This includes determining where this data is stored, processed, and transmitted. 

Next, classify your data based on its sensitivity and importance. This helps in applying appropriate security controls and ensuring that sensitive data receives the highest level of protection. 

Unstructured data, such as emails and documents, is often the hardest to manage. Implement tools and processes to discover, organise, store and secure it.

Know where your personally identifiable (PI) and sensitive data resides within your organisation. Ensure that it is stored in approved systems that comply with security and privacy regulations. 
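As an added example (not code from the original articles or from ADITS), here is a Python data-discovery scan of the kind that the point above, and the earlier note on medical practices lacking a data inventory, call for. It walks constructed sample documents, finds candidate Medicare card numbers and Individual Healthcare Identifiers (IHIs), and keeps only candidates whose check digit validates, so phone numbers and invoice references don’t pollute the inventory. The documents and the numbers in them are constructed; the Medicare weighting scheme and the Luhn-checked 800360 prefix of an IHI are the published formats.

```python
"""Data-discovery scan for Australian healthcare identifiers in unstructured text.

Added example; the sample documents below are constructed for illustration.
"""
from __future__ import annotations

import re

# Medicare card number: 10 digits. Digits 1-8 are weighted 1,3,7,9,1,3,7,9 and
# the weighted sum mod 10 must equal digit 9 (the check digit); digit 10 is the
# card issue number and plays no part in the check. The first digit is 2-6.
MEDICARE_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9)


def medicare_ok(digits: str) -> bool:
    if len(digits) != 10 or not digits.isdigit() or digits[0] not in "23456":
        return False
    total = sum(int(d) * w for d, w in zip(digits[:8], MEDICARE_WEIGHTS))
    return total % 10 == int(digits[8])


def luhn_ok(digits: str) -> bool:
    """Luhn check over the whole string, check digit included."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def ihi_ok(digits: str) -> bool:
    """IHI: 16 digits, prefix 800360, Luhn-checked. The provider identifiers
    HPI-I (800361) and HPI-O (800362) share the format and are flagged too."""
    return (len(digits) == 16 and digits.isdigit()
            and digits[:6] in ("800360", "800361", "800362")
            and luhn_ok(digits))


# Tolerant of the spacing people type; the check digit does the real filtering.
IHI_RE = re.compile(r"\b(\d{4})[ -]?(\d{4})[ -]?(\d{4})[ -]?(\d{4})\b")
MEDICARE_RE = re.compile(r"\b(\d{4})[ -]?(\d{5})[ -]?(\d)\b")


def find_identifiers(text: str) -> list[tuple[str, str, int]]:
    """Return (kind, normalised digits, line number) for each validated hit."""
    hits: list[tuple[str, str, int]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        masked = line
        for m in IHI_RE.finditer(line):
            digits = "".join(m.groups())
            if ihi_ok(digits):
                hits.append(("IHI", digits, lineno))
                # Blank the span so the Medicare pass cannot re-read part of it.
                masked = masked.replace(m.group(0), "#" * len(m.group(0)), 1)
        for m in MEDICARE_RE.finditer(masked):
            digits = "".join(m.groups())
            if medicare_ok(digits):
                hits.append(("Medicare", digits, lineno))
    return hits


def scan_documents(docs: dict[str, str]) -> dict[str, list[tuple[str, str, int]]]:
    """Inventory: document name -> validated identifier hits (clean docs omitted)."""
    inventory: dict[str, list[tuple[str, str, int]]] = {}
    for name, body in docs.items():
        hits = find_identifiers(body)
        if hits:
            inventory[name] = hits
    return inventory


# Constructed sample documents (numbers are made up to pass or fail the checks).
SAMPLE_DOCS = {
    "referral-2024-03.eml": (
        "Subject: Referral for J. Citizen\n"
        "Medicare 2345 67898 1, IHI 8003 6099 9999 9996\n"
        "Please see attached imaging.\n"
    ),
    "invoice-export.csv": (
        "invoice,amount,ref\n"
        "4471,120.00,2345 67897 1\n"   # fails the Medicare check digit
        "4472,80.00,0412 345 678\n"    # a phone number, not an identifier
    ),
}

if __name__ == "__main__":
    for name, hits in scan_documents(SAMPLE_DOCS).items():
        for kind, digits, lineno in hits:
            print(f"{name}:{lineno}: {kind} {digits}")
```

Point `scan_documents` at the text extracted from a mailbox export or a shared drive and the result is the inventory the section asks for: which files hold which identifiers, and where. The check-digit validation is what makes the output usable; a bare digit-pattern search on a practice’s file share returns far more noise than signal.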

Implement Strong Security Measures 

In protecting data privacy, robust security measures are essential. Consider measures such as strong passwords and MFA (multi-factor authentication), access controls, firewalls, anti-malware software and employee training to protect sensitive information from unauthorised access and breaches. 

Provide Your Team with Adequate Training  

Even the best policies don’t work if your team members don’t follow them, or are uncertain about how to put them into practice. Regular privacy training can help your people understand their obligations, recognise risks, and apply best practices to prevent Privacy Act compliance violations. Incorporate privacy training within your cyber security awareness training. ADITS, for instance, does so through our cyber security training program. The OAIC also offers privacy training video modules. 

Regularly Review and Update Practices 

As privacy law and risks continue to evolve, so should your approach to compliance. Stay informed about changes to Australian privacy laws, review your policies regularly, and adjust your data practices accordingly to keep up with new legal and security expectations. 

On one hand, supporting Privacy Act compliance is a legal requirement. On the other, it’s an opportunity to develop trust with your customers. Taking smart measures, such as prioritising transparency, handling data properly, and providing your team members with ongoing training can help put your organisation on the front foot. As privacy laws in Australia change, being proactive is a great way to develop your business’s reputation and relationships, protect individuals from data breaches, and reduce risk. 

For more information about how we can protect your data, check out our CyberShield solution.  

Meeting Australia’s Cyber Security Compliance Standards: A Checklist for SMBs

With a cybercrime report every 6 minutes in Australia, cyber security compliance has become more than a regulatory requirement: it is a crucial part of safeguarding your business against cyber threats. Australian small and medium-sized businesses (SMBs) face unique challenges in navigating these compliance standards, and it can be daunting.

However, with the right guidance and tools, achieving and maintaining compliance can unlock greater protection and a stronger reputation. In this article we’ll go through the challenges SMBs encounter, the difference between compliance and cyber security, the key Australian laws and standards, and a step-by-step roadmap to compliance.

 

Understanding the Challenges SMBs Encounter with Cyber Security Compliance

  • Limited Resources: SMBs often have limited financial resources and manpower compared to larger enterprises. This can make it challenging to invest in cyber security and dedicated compliance efforts.
  • Lack of Expertise: SMBs may lack in-house dedicated IT staff who can handle cyber security and compliance. Achieving and maintaining compliance also requires significant investments in technology and training.
  • Complexity of Regulations: Cyber security regulations and standards can be complex and constantly evolving. SMBs may struggle to understand and interpret the requirements, especially if they operate in multiple industries with varying compliance obligations.
  • Balancing Compliance with Business Operations: SMBs often face the challenge of balancing compliance requirements with day-to-day business operations. Compliance measures may require changes to existing processes which could impact productivity and efficiency.
  • Keeping Up-to-date with Technology Advancements: Rapid advancements in technology introduce new cyber security risks and challenges for SMBs. Staying ahead of these developments and implementing relevant security measures can be daunting.
  • Data Protection and Privacy Concerns: SMBs handle sensitive customer and business data, making them attractive targets for cyber-attacks. Compliance with data protection and privacy regulations, such as the Australian Privacy Principles, adds another layer of complexity to their cyber security efforts.

 

Compliance vs. Cyber Security

Whilst the difference is subtle, it’s important to understand that:

  • Compliance is about following the laws and regulations for protecting information from being stolen or compromised.
  • Cyber security is the practice of shielding IT infrastructures against cyber threats through different means, whether required by law or not.

Compliance exists to meet legal obligations that are meant to protect businesses and individuals. Cyber security refers to the systems and controls a business implements to protect its own assets; compliance is one way of driving that.

Cyber Security Compliance Standards: Why They Are Relevant to Your Business

Cyber-attacks can be very harmful to SMBs. From financial losses to reputational damage, the outcomes can be disastrous. Compliance with cyber security regulations and standards serves as a foundational step in reducing those risks.

Although compliance is just one aspect of a comprehensive cyber security strategy, you can expect to:

  • Boost your protection against cyber threats
  • Avoid fines, legal fees, and lost revenue
  • Be deemed as a responsible business
  • Build trust among stakeholders
  • Gain a competitive edge

 

Key Laws, Regulations, and Standards for Cyber Security in Australia

Navigating cyber security compliance in Australia requires organisations to align with various regulations, standards, and frameworks, including the Essential Eight and the Privacy Act.

These are used for organisations to assess their cyber security posture, identify gaps, and implement appropriate measures.

Achieving compliance with cyber security regulations not only helps organisations protect sensitive data and systems but also enhances trust and confidence among stakeholders.

Depending on your industry, you must also comply with additional regulations as described below:

Industry: applicable law, regulation or standard

Cross Sectors

  • OAIC Privacy Act Reasonable Steps
  • Australian Consumer Law (ACL)
  • The ISO/IEC 27000 series of standards
  • Surveillance Legislation Amendment (Identify and Disrupt) Act 2021

Healthcare & Medical Services

Not-For-Profits

  • Australian Charities and Not-for-profits Commission (ACNC) Regulations

Professional Services

  • Corporations Act 2001
  • Australian Prudential Regulation Authority (APRA) CPS 234
  • Public Governance, Performance and Accountability Act 2013

Education

  • Australian Education Act 2013

E-Commerce

  • Online Safety Act 2021

Critical Infrastructure

  • Security of Critical Infrastructure Act 2018

 

Your Roadmap to Cybersecurity and Industry Data Compliance

Businesses may have some flexibility in how they implement compliance measures, but there are specific requirements outlined in laws, regulations and standards that must be met. Failure to comply with these requirements can result in legal consequences, penalties or other enforcement action, which is what we explain to board members and executives in our tailored cyber security training.

This is why we put together a step-by-step checklist you can follow to help you in your quest for compliance.

Step #1: Risk Assessment

Identify the cyber security risks that your business faces and assess their likely impact. This will help you prioritise your cyber security efforts and allocate resources. Your risk assessment must include analysing your assets, data, systems, processes, and people.

Some questions to ask in this step are:

  • What are your most valuable and most sensitive data and digital assets?
  • How do you store, access, and share your data?
  • Who are the authorised and unauthorised users of your data and systems?
  • What are the possible sources and methods of cyber-attacks?
  • How would a cyber-attack affect your:
    • Business operations?
    • Finances?
    • Reputation?

By assessing your cyber security risks, you can align your cyber security strategy with your business objectives and priorities. This is a crucial foundation for your next steps. Cyber security risks are ever evolving, so risk assessment should be an ongoing process with regular reviews and updates.

Step #2: Cyber Security Compliance Planning

Develop a cyber security plan that outlines your goals, strategies, actions and responsibilities. This will comprise your business’s compliance policies and protocols. Make sure everything aligns with your business objectives, budget and resources. Make your plan realistic, measurable and adaptable to changing circumstances.

Aligning your compliance and cyber security with your overall IT strategy can help you to stay ahead of updates to regulatory compliance. More so, it can fortify your protection, heighten customer trust, and increase your competitive edge. A cyber security partner can guide you toward such alignment.

Step #3: Cyber Security Compliance Implementation

Turn your compliance plan to action starting with communicating it to your entire organisation. Make sure each person understands its importance, so they can all be on board with your plan. Going a step further, you can nurture a compliance mindset into your business culture, with corresponding staff training throughout your organisation.

Implementation is optimal when your IT partner collaborates with your departments and external partners, ensuring a consistent and coordinated approach to cyber security compliance.

Step #4: Compliance Record Keeping

Make sure you keep records of everything. Keeping records attests to being compliant, accountable, transparent, and proactive in managing cyber risks. Documentation can show to your stakeholders, customers, regulators, and auditors your compliance performance and your commitment to safeguarding their digital assets.

Well-kept records enable you to monitor and improve your cyber security compliance over time. They can show you gaps, weaknesses, trends, and best practices to help improve your decision-making, planning, and review processes.

Proper documentation can also support your business’ resilience and recovery in the event of a cyber incident, help restore normal operations, investigate the root causes, analyse the impacts, and implement the lessons learned. When that happens, it is very important that you have records of personal information holdings, data flows, privacy policies, consent forms, contracts, and other APP-compliance documents.

Step #5: Cyber Incident Reporting

As soon as you become aware of an attack on your business, you need to notify the relevant parties. The Information Security Manual (ISM) from the Australian Cyber Security Centre (ACSC) sets out incident reporting expectations, including reporting cyber security incidents to ASD.

It includes reporting and notification requirements, such as:

  • Industry Regulators: Specific regulators may need to be notified, depending on your industry.
  • Law Enforcement Agencies: If the incident involves criminal activity, consider notifying law enforcement. In Queensland, that would be the Financial & Cyber Crime Group.
  • Affected Individuals or Customers: If personal data is compromised, you have to inform affected individuals or customers. Under the Privacy Act’s Notifiable Data Breaches scheme, an eligible data breach (one likely to result in serious harm) must also be notified to the OAIC.

You’ll need to use secure communication channels to prevent further compromise.

When reporting or notifying, describe the incident, including the nature of the compromise, affected systems, and potential impact. You may also outline actions taken to contain and mitigate the incident.

 

Cyber Security Services for Townsville & Brisbane Businesses

The legal requirements for cyber security and data privacy can vary depending on the type of organisation and the nature of the data being handled. Therefore, it’s recommended that you seek advice to ensure compliance with all relevant laws and regulations.

At ADITS we developed a tailored cyber security solution built around managed IT, essential security controls, and compliance for a multitude of industries. Whether you’re in Brisbane, Townsville, or beyond, we help structure your data and processes to ensure compliance with relevant regulations. Check out our CyberShield brochure today or get in touch with our cyber security experts.

Navigating Cyber Security Compliance and Regulations: Essential 8 vs. Privacy Act

The ASD Cyber Threat Report 2022-2023 released mid-November 2023 highlights alarming results. It reveals that:

  • The number of cybercrime reports has increased by 23%
  • The average cybercrime cost per report is up 14%

Cybercriminals were described as adversaries who show “persistence and tenacity” and “constantly test vulnerabilities in Australia’s cyber ecosystem and employ a range of techniques to evade Australia’s cyber defences.”

As an Australian Government framework, the Essential Eight was of course among the measures the report recommends implementing. We'll start off by reviewing the Essential Eight and then delve into a framework that is less talked about but is actually mandatory for most Australian organisations: the Privacy Act.


The Essential 8 is a Good Foundation (But Not the Finish Line)

The Essential Eight is a set of mitigation strategies recommended by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) to protect organisations from cyber threats and from attempts to compromise the personal information of their customers and stakeholders.

The eight strategies are:

  • Application control – restricting the use of unapproved software
  • Patching applications – updating software to fix vulnerabilities
  • Configuring Microsoft Office macro settings – disabling/limiting macros from running malicious code
  • User application hardening – disabling exploitable features (e.g., web browser plug-ins)
  • Restricting administrative privileges – limiting the number of users who can perform high-risk actions
  • Patching operating systems – updating the system software to fix security vulnerabilities
  • Multi-factor authentication – requiring an additional security layer to verify a user’s identity
  • Regular backups – creating copies of important data, storing them securely and testing that they can be restored

The ACSC has defined a maturity model with four levels, from Maturity Level Zero to Maturity Level Three, for each of these strategies. Level Zero means the organisation has weaknesses that an adversary could readily exploit; Level Three means the organisation has implemented the controls well enough to resist more adaptive adversaries. A common misconception is that organisations must achieve Level Three to be compliant. On the contrary, organisations should choose the maturity level that matches the threat they face, and the ACSC recommends bringing all eight strategies up to the same level before moving any of them higher, because the strategies are designed to complement each other.

The Essential Eight are baseline mitigation strategies, and implementing them is the minimum expected of organisations. They are foundational and highly recommended, but your cyber security efforts should not stop there.
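Two of the strategies above, Office macro settings and administrative privileges, can be checked quickly on an individual Windows workstation. The following read-only audit script is an added example, not code from the original page or from ADITS; it assumes Office 2016/2019/Microsoft 365 (policy registry key version "16.0") and that macro policy is applied per user under HKCU. The values it checks are the standard Office policy settings: VBAWarnings = 4 disables all macros without notification, and blockcontentexecutionfrominternet = 1 blocks macros in files marked as downloaded from the internet.

```powershell
# Added example (not part of the original page): read-only audit of two
# Essential Eight settings on a single Windows workstation.
# Assumptions: Office version key "16.0", per-user policy under HKCU,
# PowerShell 5.1 or later (Get-LocalGroupMember).

$apps = @('Word', 'Excel', 'PowerPoint', 'Outlook')
$findings = @()

foreach ($app in $apps) {
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    # Missing key means no policy is applied; $props will be $null and
    # each property read below yields $null, which is reported as a finding.
    $props = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    $vbaWarnings = $props.VBAWarnings
    $blockMotw   = $props.blockcontentexecutionfrominternet

    if ($vbaWarnings -ne 4) {
        $findings += "$app: VBAWarnings is '$vbaWarnings' (expected 4: all macros disabled without notification)"
    }
    if ($blockMotw -ne 1) {
        $findings += "$app: macros from internet-sourced files are not blocked (blockcontentexecutionfrominternet is '$blockMotw', expected 1)"
    }
}

# Restricting administrative privileges: list the user accounts in the
# local Administrators group so that unexpected members can be reviewed.
$admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
foreach ($member in $admins) {
    if ($member.ObjectClass -eq 'User') {
        $findings += "Local administrator account present: $($member.Name)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: macro policy enforced and no local admin user accounts.'
} else {
    Write-Output "Findings ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it under the account whose Office settings you want to check. The script deliberately changes nothing: in a managed fleet the remediation is to enforce these values through Group Policy using the Office ADMX templates rather than editing the registry by hand, and any local administrator accounts the script lists should be justified or removed.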


The Privacy Act: Mandatory for Data Protection

In its latest report, the Australian Signals Directorate (ASD) urges businesses to build their resilience to cyber threats and to go beyond the Essential Eight.

Say hello to the Privacy Act 1988.

Whilst the Essential Eight is one of the most well-known frameworks in Australia, its strategies are not mandatory for private sector businesses (they are mandated for non-corporate Commonwealth entities under the Protective Security Policy Framework). By contrast, the Privacy Act is mentioned less often, yet most Australian organisations handling personal information must comply with it.

The organisations covered by the Privacy Act have an annual turnover greater than $3 million* OR are:

  • An Australian Government agency;
  • Private sector health service providers including private hospitals, therapists, gyms and child care centres;
  • Not-for-profit organisations;
  • Businesses that sell or purchase personal information;
  • A credit reporting body;
  • A contracted service provider for an Australian Government contract;
  • A business that holds accreditation under the Consumer Data Right System; and
  • A business that is related to a business that is covered by the Privacy Act.

*Note: In its September 2023 response to the Privacy Act Review, the Australian Government 'agreed in principle' to a proposal to remove the small business ($3m turnover) exemption.


The Privacy Principles

The Privacy Act includes 13 Australian Privacy Principles (APPs) that covered organisations must comply with, and the financial penalties for breaching them are significant if you are investigated by the regulator. Meanwhile, whilst the Essential Eight is not mandatory, failing to implement basic controls such as patching and multi-factor authentication can be treated as a failure to take the "reasonable steps" to secure personal information that APP 11 requires, which can lead to enforcement action under the Privacy Act.

In short, the Essential Eight and the Privacy Act are both vital to IT security and data protection – but let’s look at the Privacy Act in more detail. The law regulates how personal information is handled by organisations and agencies. Below is an overview of the APPs which set the standards, rights, and obligations for collecting, using, disclosing, storing, securing, and accessing personal information.

  • APP 1 (Open and Transparent Management of Personal Information): APP entities must have a privacy policy and handle personal information lawfully and fairly.
  • APP 2 (Anonymity and Pseudonymity): Individuals must have the option to not identify themselves, or to use a pseudonym, when dealing with APP entities, unless that is impracticable or unlawful.
  • APP 3 (Collection of Solicited Personal Information): APP entities must only collect personal information that is reasonably necessary for, or directly related to, their functions or activities, and must do so by lawful and fair means.
  • APP 4 (Dealing with Unsolicited Personal Information): APP entities must determine whether they could have collected the personal information under APP 3 and, if not, destroy or de-identify it as soon as practicable.
  • APP 5 (Notification of the Collection of Personal Information): An APP entity that collects personal information must tell the individual about certain matters in certain circumstances.
  • APP 6 (Use or Disclosure of Personal Information): APP entities must only use or disclose personal information for the purpose for which it was collected, unless the individual consents or an exception applies.
  • APP 7 (Direct Marketing): An organisation may only use or disclose personal information for direct marketing purposes if certain conditions are met.
  • APP 8 (Cross-Border Disclosure of Personal Information): Outlines what an APP entity must do to protect personal information before it is disclosed overseas.
  • APP 9 (Adoption, Use or Disclosure of Government Related Identifiers): APP entities must not adopt, use or disclose a government-related identifier of an individual unless the identifier is prescribed by law or an exception applies.
  • APP 10 (Quality of Personal Information): An APP entity must take reasonable steps to ensure that the personal information it collects, uses or discloses is accurate, up to date, complete and relevant.
  • APP 11 (Security of Personal Information): APP entities must take reasonable steps to protect personal information from misuse, interference, loss, and unauthorised access, modification or disclosure, and must destroy or de-identify personal information when it is no longer needed.
  • APP 12 (Access to Personal Information): An APP entity must give individuals access to their personal information on request, unless an exception applies, such as when giving access would pose a serious threat to someone's life or health.
  • APP 13 (Correction of Personal Information): Outlines the reasonable steps an APP entity must take to correct personal information that is inaccurate, out of date, incomplete, irrelevant or misleading, either on its own initiative or at the request of the individual.

Over the last few years, the influx of cybercrime has added urgency to a lengthy review of the Privacy Act. In September 2023, the Australian Government released its response to the review's more than 100 proposals; some were agreed in full, but many were only "agreed in principle". One in particular was the proposal to remove the exemption for small businesses.




The Essential 8 and The Privacy Act: Parallel Paths to Protection

The frameworks of the Essential Eight and The Privacy Act both aim to enhance the cyber resilience and privacy protection of Australian entities. Here’s how they compare:

What is it?
  • Essential Eight: A recommended set of eight strategies to mitigate cyber security threats and incidents.
  • Privacy Act: A comprehensive law that regulates the handling of personal information.

What's the purpose?
  • Essential Eight: To help organisations prevent or minimise the damage caused by cyber attacks.
  • Privacy Act: To help organisations comply with their legal obligations and ethical responsibilities when handling personal information.

How do organisations benefit from it?
  • Essential Eight: Reduced cyber attack risk and protection of sensitive data.
  • Privacy Act: Prevention of data breaches and improved customer trust.

What are the consequences of non-compliance?
  • Essential Eight: No penalties, but non-compliance increases the risk of threats and of sensitive data being compromised.
  • Privacy Act: For companies, a maximum penalty of the greater of (1) AU$50 million; (2) three times the value of the benefit obtained from or attributable to the breach, if quantifiable; or (3) 30% of the corporation's 'adjusted turnover' during the 'breach turnover period', if the court cannot determine the value of the benefit. For individuals, the maximum penalty was $440,000 and was increased to $2.5 million on 13 December 2022.

What's involved?
  • Essential Eight: Assessing the organisation's current position against the four-level maturity model, then implementing the strategies and moving toward optimal protection at Maturity Level Three.
  • Privacy Act: Understanding the organisation's obligations under the APPs, then implementing privacy policies and practices, guided by resources and tools from the OAIC.

Who's covered?
  • Essential Eight: Recommended for all organisations, but not mandatory for Australian businesses.
  • Privacy Act: Mandatory for organisations with an annual turnover of more than $3 million*. Some small businesses are also covered if they handle personal information and meet other criteria, such as being a health service provider (see the list above).

*This is expected to change following the Privacy Act Review.

Is it mandatory?
  • Essential Eight: Not mandatory for Australian businesses, but highly recommended.
  • Privacy Act: Mandatory for Australian businesses that meet the criteria of APP entities.


What Your Cyber Security Strategy Should Look Like

In the end, your organisation should aim for the level of cyber protection that is best suited and ensure full compliance with laws and regulations. You can approach it with a combination of the 8 mitigation strategies and the 13 principles.

ADITS CyberShield solution takes cyber protection to a whole new level where security is at the core of everything we do. Our offering includes managed services and compliance & governance measures as well as security measures and monitoring to ensure your business is industry compliant. Whether you’re based in Brisbane, Townsville, or elsewhere, ADITS has you covered with tailored solutions to safeguard your organisation.


Your Cyber Security Journey

Compliance does not automatically translate to strong cyber security. Likewise, cyber security is not “set and forget”. It is a continuing process that needs your attention and effort if you want to ensure that your systems and data are always protected.

Understanding the Essential Eight and the Privacy Act is important. Since cyber security is complex and ever-evolving, it’s also vital to keep up-to-date with cyber security solutions, trends, and best practices. Though cyber security may seem mostly technical, it is in fact a business matter.

Executives and board members can be held personally liable for failing to manage cyber risk, so instilling a cyber security culture throughout the organisation should be a priority.

With this in mind, ADITS is launching a half-day certified C-Suite training workshop where we’ll go through:

  • Data security and privacy compliance
  • Potential risks to your business and how to address them
  • Personal liabilities
  • Reporting
  • Crisis management recommendations
  • Best practices for policies and procedures

Register Your Interest For Our C-Suite & Board Training