Data Security Project

What to do?

Start by assessing whether:

• Do you encrpyt, pseudonymise, or anonymise personal information whereever possible?

• Do you have IT policies (BYOD, password, data management, IT procurement, network access) in place? Are they up to date and being complied with?

• Have you taken the necessary steps to protect personal information under your organisation's control? Do you use encryption for all personal information in transit and at rest?

• Consider the benefits of conducting data privacy impact assessments (DPIA), and put a process in place to carry it out. Be sure to train relevant employees on the established process.

• Is personal information secured in locations with limited (or just-in-time) access? Are user, application and backend access controls correct and up to date?

• Does your organisation test local & cloud-based and third party controlled applications for security suitability and approved for use?

• Do you ensure that your entity has "fit for purpose" security software and hardware to help with the prevention, detection and response to security incidents? Examples of this include multi-factor authentication on critical systems, anti-virus/mal-ware suites, actively managed proxy firewalls, intrusion detection systems, enterprise incident response applications).

• Are proactive steps in place to build a holistic privacy culture and awareness (e.g. training, education, phishing and social engineering exercises)?

• Are relevant security information and performance metrics are being reported to executives and the board?

• Do you have a process in place to notify the Office of the Privacy Commissioner (PrivCom) and affected individuals in the event of a data breach?