Understanding your organisation’s obligations for protecting Personal Identifiable Information

With the Australian Government’s imminent introduction of new cyber security legislation, it’s becoming more important than ever to understand your organisation’s legal responsibilities for protecting Personal Identifiable Information (PII).

What is PII?

The Australian Signals Directorate (ASD) – Australia’s top government cyber security agency – says that personal data includes a broad range of information that could identify an individual. That may include an individual’s:

• Name
• Date of birth
• Address?
• Medical records
• Racial/ethnic origin
• Political opinion
• Religious beliefs
• Gender
• Sexual orientation or practices
• Criminal record
• Payment details
• Email address
• Password
• Licence
• Photo
• Video
• Phone number
• Passport
• Employment information
• Biometrics, such as voice prints and facial recognition

The Office of the Australian Information Commissioner (OAIC) extends that definition even further, saying it can include:

• Signatures
• Credit information
• IP addresses
• Trade union membership and associations
• Genetic information

The OAIC cautions that sensitive information has a higher level of privacy protection than other personal information.? It includes in that definition race and ethnicity, political opinions and associations, religious and philosophical beliefs, trade union membership and associations, sexual orientation and practices, criminal record, health or genetic information and some aspects of biometric information.

Importantly, personal data is often greater than the sum of its parts.? When seemingly innocuous data is aggregated or combined, it can be used to form a more complete picture about an individual.

What Existing Laws Require

The?Privacy Act 1988?sets out how organisations must handle personal information, and applies to organisations with an annual turnover of more than $3 million, unless they’re a small business operator, registered political party, state or territory authority or a prescribed instrumentality of a state.

?

Some small business operators do have obligations under the Act. These include:

• private sector health service providers
• businesses that sell or purchase personal information
• credit reporting bodies,
• contracted service providers for the Australian Government
• employee associations
• businesses accredited under the?Consumer Data Right?System
• businesses that have?opted-in to the Privacy Act
• businesses related to a business covered by the Privacy Act
• businesses prescribed by the?Privacy Regulation 2013.

New Obligations Imminent

In October 2024, The Australian Government introduced to parliament the Cyber Security Act 2024, Australia’s first standalone cyber security legislation. If passed as expected, this new Act will impose new compliance and reporting requirements on Australian businesses.

The Act is designed to address seven initiatives within the 2023-2030 Australian Cyber Security Strategy, including:

• Mandating minimum cyber security standards for smart devices
• Mandatory ransomware reporting for certain businesses to report ransom payments
• A ‘limited use’ obligation for the National Cyber Security Coordinator and the Australian Signals Directorate
• Establishment of a Cyber Incident Review Board.

The legislation will also progress and implement reforms under the Security of Critical Infrastructure Act 2018 (SOCI Act):

• Clarifying existing obligations in relation to systems holding business critical data
• Simplifying information sharing across industry and Government
• Introducing Government powers to direct entities to address serious deficiencies within their risk management programs
• Moving regulation for the security of telecommunications into the SOCI Act.

Legal firm A&O Shearman cautioned that the new Cyber Bill will introduce several new critical areas of compliance and reporting.? It advised businesses to take heed of these new obligations, and ensure they put in place robust cyber security measures.

• Ransomware Reporting Obligations: Entities impacted by cyber security incidents and making ransomware payments must report these payments within 72 hours.
• Security Standards for Smart Devices: The Cyber Bill mandates that manufacturers and suppliers of smart devices comply with specified security standards.
• Protected or Limited Use of Incident Information: The Cyber Bill includes provisions to ensure that information provided about cyber security incidents is used or disclosed only for permitted purposes, with strict limitations on using this information for civil or regulatory actions against the reporting entity.
• Cyber Incident Review Board: The new Board will review certain cyber security incidents and make recommendations. It will have the authority to require documents.

A&O Shearman said organisations should make sure they implement security standards in compliance with the specified security measures currently provided for in the Cyber Bill, and make sure they can comply with the ransomware reporting obligations, including the timelines foreseen in the Cyber Bill.

ASD Advice on Data Security Practices

ASD says that, for businesses to be confident they’re employing appropriate data security practices, they should consider implementing these measures:?

1. Create a register of personal data
2. Limit personal data collected
3. Delete unused personal data
4. Consolidate personal data repositories
5. Control access to personal data
6. Encrypt personal data
7. Back up personal data
8. Log and monitor access to personal data
9. Implement secure Bring Your Own Device practices
10. Report a data breach involving personal data

ASD warned that “businesses cannot afford to forgo investing in their security, and risk compromising the security of their customers’ personal data. The prevalence of data breaches and ransomware attacks underscores the importance of sound security practices. Businesses cannot afford to assume that they will not be targeted. Investing in security proactively can be far more cost effective than having to manage the repercussions and costs of a major data breach”.

Solutions to Help Meet PII Obligations

Cyber criminals succeed when organisations don’t adequately protect their data transfers and systems access. Keeping the thieves at bay requires a multi-layered strategy, including robust data transfer protection, multifactor authentication and employee training.

Managed File Transfer (MFT) solutions such as the class-leading GoAnywhere MFT encrypt data at rest and in transit, complying with the highest data security standards. MFT manages inbound and outbound file transfers across an organisation, using industry-standard file transfer protocols such as SFTP, FTPS, and AS2 to send files securely, and encryption standards such as Open PGP and AES to protect data in transit and at rest.

GoAnywhere MFT also provides audit reports, which will help organisations meet the new reporting and compliance needs. All file transfer and administrator activity is stored and easily searchable. To help organisations report on file transfer activity and remain compliant with the new legislation, these audit logs can be automatically generated and provided as PDFs.

Advanced Threat Protection adds a further layer of defence. SFT Threat Protection enables safe collaboration with external parties, preventing malware from entering an organisation, and reducing the risk of employees losing or mishandling sensitive data.

Local Experts Here to Help

Generic Systems Australia are your local experts in Managed File Transfer solutions.? We’ve assisted dozens of organisations across the Asia-Pacific region to secure their data and keep cybercriminals at bay.

If you’d like to discuss improving your cybersecurity, please feel welcome to contact me, Bradley Copson. I’m always happy to have an obligation-free discussion, explain how simply we can transition you to the latest software and approaches, and even offer you a zero-cost Proof of Concept.