Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Privacy Commissioner launches Guide to Information Security

Hamish Barwick | May 2, 2013
Guide covers governance, ICT security, data breaches, physical security and standards

The Office of the Australian Information Commissioner's Privacy Week has begun in earnest with the unveiling of a Guide to Information Security in Sydney today."

Privacy Commissioner Timothy Pilgrim told delegates at a breakfast briefing that the Guide includes a list of non-exhaustive steps which would be reasonable for an entity to take before new Australian Privacy Principles (APP) reforms take place in March 2014.

The reforms update the Privacy Act 1988 and include changes to how personal information is handled, such as when it can be used for direct marketing and sent overseas.

Commenting on the Guide, Pilgrim said that if an organisation mishandles the personal information of its customers it risks loss of trust and considerable harm to the company's reputation.

"This can also lead to loss of customers and an impact on the organisation's ability to function," he said.

The Guide includes a number of steps including robust information asset management, white list or black list entities, up-to-date security software, user authentication and policies to prevent inappropriate access. It also recommends that organisations develop a data breach response plan and train staff about how to respond to data breaches.

In addition to information security, the Guide has some tips on improving physical security including access logs, alarm systems and audits of paper files.

Turning to the Guide's privacy aspects, Pilgrim recommended that people look at privacy by design. This involves building privacy into processes, systems, products and initiatives at the design stage.

"Privacy by design is also the focus of Australian Privacy Principle One which requires entities to take reasonable steps to implement systems to show compliance," Pilgrim said.

"Taking privacy by design will be the best insurance your organisation will have against data breaches."

While the Guide is "not binding" he said it sends a clear message about what organisations need to do in the area of information security.


Sign up for CIO Asia eNewsletters.