At Shearwater, we help organisations understand their obligations and comply with privacy standards set under the: Australian Privacy Principles (APPs) listed in the Privacy Act 1988; the Notifiable Data Breaches (NDB) scheme; and the European Union (EU) General Data Protection Regulation (GDPR).
The APPs are contained within the Privacy Act, and are designed to ensure that organisations dealing with Personally Identifiable Information (PII) and sensitive information behave responsibly and protect these assets.
The APPs provide an outline on how organisations collect, use and disclose PII and sensitive information, as well as maintain sufficient controls to prevent unauthorised access, disclosure or use of this information.
The APPs put forward 13 principles covering:
Consideration of personal information privacy
Collection of personal information
Dealing with personal information
Integrity of personal information
Access to, and correction of, personal information
“Agencies and organisations have obligations under the Privacy Act 1988 (Cth) to put in place reasonable security safeguards and to take reasonable steps to protect the personal information that they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.”
Source: Data breach notification – A guide to handling personal information security breaches,
The NDB scheme came into effect in February 2018. It requires disclosure and reporting of data breaches when a breach is likely to result in serious harm to those whose information were impacted.
The NDB scheme is a subset of the Privacy Act, and sets out definitions and requirements for the identification and assessment of potential eligible data breaches, and for reporting of those breaches to those affected and the Office of the Australian Information Commissioner (OAIC).
The objective of the EU GDPR is to protect all EU citizens and their data from privacy and data breaches through the provision and regulation of data privacy principles and requirements. These cover more in-depth aspects of privacy management, such as strengthened consent requirements, detailed rights of data subjects, and privacy by design.
The Privacy Act and its subsequent APPs apply to most Australian and Norfolk Island Government agencies and some private sector organisations.
The NDB scheme applies to all organisations applicable under the Privacy Act.
The EU GDPR applies to organisations within the EU, and any organisation that offers goods and services or monitors the behaviour of EU data subjects. This also means that if an organisation holds and/or processes personal information of data subjects residing in the EU they must meet the GDPR requirements.
We help organisations become compliant and maintain their position with the Privacy Act and EU GDPR provisions and regulations.
By taking a strong stance with proactive management of PII and sensitive information, your organisation can build a strong foundation of trust that your stakeholders can rely on you to manage risk.
Compliance also extends its influence within industry and at the workplace, with many organisations experiencing greater workforce engagement when it comes to responsible practices as well as efficient cost management through avoidances.
When you engage Shearwater, you have the assurance that our team is tackling privacy management and potential threats with the right structured approach – managing risks and protecting the information of your customers and organisation around the clock.
A privacy gap analysis is ideal for customers who need to understand their current level of risk and create a plan for improving their compliance.
Our team can assist in establishing a clear understanding of your current privacy profile and provide a detailed outline of what needs to be done to meet required privacy compliance standards. This can be completed against the Privacy Act or the EU GDPR.
The Privacy Impact Assessment (PIA) is essential when an organisation is intending to implement a large project – such as a new system or merger/acquisition – that may affect business practices and the handling of personal information. The intent of the PIA is threefold:
· To determine the current privacy profile
· To estimate the privacy profile after the change; and
· To complete a compliance check to identify where privacy practices may be negatively impacted by the change
We can work with your team to conduct or support privacy audits that review your organisation’s business environment and practices against a specific set of privacy requirements, such as the APPs or the EU GDPR. Going further than a privacy gap analysis, the audit includes sample testing to help determine the effectiveness of privacy controls currently in place.
Your organisation may be subject to the NDB scheme, obliging you to notify stakeholders whose personal information were compromised due to a data breach. We can help you plan your actions and responses and integrate these into your incident response plan and processes.
Our team can review and align your existing policy frameworks and policies with the Privacy Act, the EU GDPR, and other security standards. In addition, we can undertake the full development of all policies in partnership with your internal resources.
We chose to engage an Australian company called Shearwater to lead that (IRAP) assessment because of their reputation for rigour and expertise.
James Kavanagh
CTO, Microsoft Australia
Our Security & Privacy Consultants will be happy to assist you.
Call us on 1300 228 872 or submit the form below
