Workplace Relations

Securing the future: cybersecurity and privacy in record-keeping

In Australia, cybersecurity and privacy are critical aspects of record-keeping due to the increasing reliance on digital systems and the sensitivity of the data being stored and processed, such as employee and patient records. Practices are subject to robust legal frameworks and face growing cyber threats.

The challenges we face in Australia today regarding record-keeping include:

  • Cyber threats
     - Australia faces significant cyber threats that target sensitive records, such as healthcare records
  • Data sovereignty concerns
     - Practices must ensure data is stored and processed in compliance with Australian laws, particularly when using international cloud services
  • Balancing access and privacy
     - Maintaining accessibility for legitimate purposes while protecting sensitive data remains a significant challenge
  • Third-party risks
     - Dependence on vendors and service providers increases the risk of indirect cybersecurity breaches

How do we face these challenges whilst ensuring compliance, following best practice and maintaining trust in a rapidly digitalising environment?

There are various legal and regulatory frameworks in Australia governing records maintenance, including:

  1. Privacy Act 1988
    The Privacy Act regulates the handling of personal information by federal government agencies and certain private sector organisations. Key principles include:
      - Australian Privacy Principles (APPs): A set of 13 principles governing the collection, use, storage, and disclosure of personal information.
      - Data Breach Notification: Organisations must notify individuals and the Office of the Australian Information Commissioner (OAIC) if a data breach is likely to result in serious harm.
  2. Australian Cyber Security Strategy 2020
    Aims to enhance national security, deter cybercrime and protect businesses and individuals. Key initiatives include investment in cybersecurity capabilities and fostering partnerships between government, business and academia.
  3. Records Management Standards
      - ISO 15489: Provides guidance on records management practices to ensure integrity and accessibility.
      - State and Territory Legislation: Public sector organisations must comply with specific state or territory laws regarding record-keeping.
  4. Critical Infrastructure Legislation
    The Security of Critical Infrastructure Act 2018 imposes obligations on operators to protect systems and data integral to national security.
  5. Cybersecurity Standards
      - Essential Eight Framework: Developed by the Australian Cyber Security Centre (ACSC) to help organisations prioritise cybersecurity actions.
      - ISO/IEC 27001: An international standard for information security management systems, widely adopted in Australia.

It is important that we align with these regulations by adopting best practices on a daily basis, such as:

  1. Adherence to Essential Eight
    Implement the strategies recommended by the ACSC, including:
      - application control
      - patching applications and operating systems
      - configuring Microsoft Office macros
      - implementing multi-factor authentication (MFA)
  2. Privacy Impact Assessments (PIAs)
    Conduct PIAs to identify and mitigate privacy risks in projects or systems that involve handling personal information.
  3. Data encryption
    Use strong encryption standards for data at rest and in transit to protect it against unauthorised access.
  4. Compliance with APPs
    Align record-keeping practices with the Australian Privacy Principles to ensure lawful and secure data handling.
  5. Secure cloud adoption
    When using cloud services, ensure providers comply with Australian data protection laws and security standards.
  6. Regular training
    Educate staff on privacy regulations, cybersecurity threats, and best practices to reduce human errors and insider risks.
  7. Incident Response Plan
    Develop and regularly test a comprehensive incident response plan to minimise the impact of breaches.

If you have any questions relating to record-keeping, please call us on 07 3872 2264 or email us at workplacerelations@amaq.com.au.