Cyber Security: Know the Basics

Increasingly data and cyber security needs to be considered by everyone as it affects us all in our professional and personal lives.  We are constantly communicating via devices, commonly mobiles and computers.  These devices store the information we exchange and this information, or data, needs to be protected and managed.  The rapid pace of the development of technology surrounding data management and around the risks of being hacked is startling.  The laws to protect cyber security haven’t caught up yet and indeed perhaps can’t keep up.

We are all open to being hacked or inadvertently caught by a scam and there are a number of common sense things we can do about this on a technical and personal level.  These strategies aren’t foolproof, and they may even seem trite in some ways, but they will greatly reduce the risk of having your data accessed.  These are things the staff of the organisation need to be aware of:

• Don’t open an email or an attachment if you’re unsure about the source.
• Check the email address matches with who the party says they are.
• Have strong password security and don’t reuse passwords.
• Switch on multi-factor authentication wherever possible.
• Make sure you have up to date software security and install the updates (patches) as soon as they’re available.
• Make sure everyone is conscious of the Australian Privacy Principles and your organisation’s privacy policy.

The Australian Privacy Principles in the Privacy Act set out the requirements for individuals and businesses to comply with the principles designed to protect personal information of others that we may hold.  While these currently only apply to entities (individuals and organisations) with an annual turnover of over $3M, if you receive funding from a government body, one of the terms of the funding agreement may well be that you need to comply with the Australian Privacy Principles and have a privacy policy.  Furthermore, the Privacy Act is currently being reformed and one of the things the government is looking at is doing away with the exception for any entity under $3M, either so that there is no threshold and everyone is subject to the Act, or to reduce the threshold down to a very low bar such as $60,000.   It is wise to follow the principles even if you’re not legally bound to.

In the workplace both the employer and all the staff have a responsibility as does the Board of Directors.  It is wise to appoint a Privacy Officer in the workplace who is responsible for cyber security and for ensuring compliance with the privacy policy and Privacy Act.

Compliance with the Australian Privacy Principles (APP) will reduce the risk of a data breach. Your Privacy Officer should be familiar with the APPs and determine what principles apply to your organisation but the principles most likely to apply to arts organisations include:

Privacy policy (APP 1 & 5)

• Require a privacy policy to be in place which is clear and up to date about how the organisation manages personal information and has taken steps to comply with the APPs and the privacy policy.
  • Ensure the organisation manages personal information in an open and transparent way
  • An organisation, should (must if they’re subject to the APPs) take such steps as are reasonable in the circumstances to notify individuals how and why their personal information is being collected, and how you will deal with their personal information

Storing and using information properly (APP 11)

• The organisation must take reasonable steps to protect information from ‘misuse, interference and loss’, as well as from ‘unauthorised access, modification or disclosure’

Consents (APP 3)

• Organisations cannot collect personal information unless the information is reasonably necessary for its functions or activities – so collecting basic details to record the sale of an artwork is necessary, but if you start to ask for information that’s not ‘reasonably necessary’ it isn’t eg ethnic background.
  • Individuals must consent to the collection of sensitive information

Sensitive personal information (APP 6)

• Sensitive information covers things like an individual’s health information, race or ethnic origin, political opinions, membership of a political or professional association or union, religious beliefs or affiliations, philosophical beliefs, sexual orientation and practices and criminal record.  Generally, sensitive information has a higher level of privacy protection than other personal information. 

If there has been a breach of data security which has the potential to cause serious harm to an individual(s) the Privacy Act requires this to be notified to the Office of the Australian Information Commission as part of its notifiable data breach scheme.

There are 4 steps to take when there’s been a data breach within your organisation:

•  Contain the breach.  For example, if it’s an email sent to the wrong address, immediately notify and ask to delete.  If they respond saying they’ve deleted it, you’ve found a good human solution. If the person you write to doesn’t respond to you, the risk is higher that you’ve got problems. This step is about risk management and you should inform your Privacy Officer or manager. 
• Evaluate the associated risks. This would be done by the Privacy Officer or a supervisor. You need to evaluate the breach to determine if the individual affected needs to be notified eg if their credit card details are released, they would want to change their password, freeze the account, etc.  Consider if the information could be used in identity theft.
• Consider notifying the affected individual.  This should be a low threshold.
• Prevent a repeat.  Conduct staff training and remind staff of policies and procedures and assess if you need to implement new procedures.

Following these steps and complying with the APPs will minimise risk to your organisation, and to yourself personally. Remember everyone in your organisation has a role to play in keeping your data safe and secure.

For more information about cyber security and data management see our podcast Lock the Doors and Check the Windows.