Put the OAIC’s Guide to Securing Personal Information into Action for Privacy Awareness Week 2015 #2015PAW

Post Date: 05/06/2015

As many Australia-based organisations already know, the Australian Government introduced the Privacy Amendment (Enhancing Privacy Protection) Act of 2012 to regulate the handling of personal information by Australian Government agencies as well as specific private sector organisations. At the core of the Act are 13 new privacy principles known as the Australian Privacy Principles (APPs). Each of those principles can be reviewed in depth on the Office of the Australian Information Commissioner (OAIC) website.

Recently, in order to help organisations comply with these new regulations, the OAIC released its “Guide to Securing Personal Information”. At the core of the guide are three “reasonable steps” that organisations throughout the country can take to secure their sensitive data:

  • Conduct a Privacy Impact Assessment (PIA),
  • Conduct an information security risk assessment to inform any PIAs, and
  • Establish a privacy “governance body” that defines and implements information security measures.

While they are helpful, guidelines alone will only get you so far. At AvePoint, we offer the tools to put these steps into action across the organisation and comply with all of the APPs. With Australian Privacy Awareness Week taking place from May 3-9, now is a great time to understand how the right technology can help you make a change at your organisation.

Conduct a Privacy Impact Assessment (PIA)

While PIAs have long been a practice of organisations looking to comply with privacy regulations, the process of carrying them out has traditionally been a manual and labor-intensive one. Fortunately, that is no longer the case. Exclusively distributed by the International Association of Privacy Professionals (IAPP), the AvePoint Privacy Impact Assessment (APIA) system is an enterprise software solution that brings the power of automation to your PIAs and streamlines the process of evaluating, assessing, and reporting on the ways your enterprise IT systems process sensitive information. With APIA you can:

  • Comply with Privacy Regulations: Analyse how personal information is handled by enterprise IT systems to comply with global privacy legislation-mandated PIAs.
  • Automate Privacy Impact Assessments: Utilise APIA’s form based survey system, built-in workflows as well as configurable questions and answers to simplify the way privacy, security, IT, and business owners interact and communicate during PIAs.
  • Report on PIAs for Stakeholder Review: Automatically generate organisation-specific PIA reports to distribute to Chief Privacy Officers for review.
  • Extend to Security and Vulnerability Assessments: Extend and customise APIA for security and vulnerability assessments as well as requirements from other quality assurance and/or records management review.

Even better, APIA is available right now as a free download! More than 2,200 privacy practitioners across 62 industries and in 79 countries have downloaded the system. Want to see how APIA can benefit your organisation? Visit the IAPP site to download it for free today.

For a visual understanding of how APIA works, watch the video below:

Conduct an Information Security Risk Assessment

Similar to PIAs, the process of assessing risk across the organisation is also traditionally a complex one. It involves constant collaboration and input from security, compliance, and privacy officers in cooperation with IT professionals and business executives to carry out tasks and implement controls to mitigate risk on an ongoing basis.

With this in mind, we recently unveiled the AvePoint Risk Intelligence System (ARIS), which allows organisations to address the complete lifecycle of risk across the enterprise. Leveraging the templates and question banks created for APIA, ARIS extends risk identification to provide meaningful action to assessments, including quantifying, lowering, and monitoring instances.

With ARIS, organisations will be able to address risk through the following functions:

  • Assess: Based upon the organisation’s industry and geography, take inventory of sensitive information to learn specific compliance best practices to put in place. Derive answers from the privacy assessments created with APIA and identify where risk may live within an organisation.
  • Validate: Prove how closely aligned the organisation is with industry regulations and privacy impact assessments. Automatically pull reports to better understand where risk lives and quantify its impact to the business.
  • Control: Learn best practices for controlling risk and create checklists to guide IT to the right solutions. Protect sensitive information with controls for security, geography, retention, and classification – reducing risk across the enterprise.
  • Report: Provide executive reports on Key Performance Indicators (KPIs) or Key Control Indicators (KCIs) to highlight areas in the business that need to be addressed to reduce risk, or report on progress made throughout the lifecycle.

To learn more about ARIS, please visit our website.

Define and Implement Information Security Measures

Your organisation’s governance body should bring together key stakeholders from compliance, IT, and the business to determine the rules for handling data in accordance with both external and internal regulations. In order for the decisions of this governance body to be effective, however, you need a way to understand what kind of sensitive information already lives in your environment (including unknown “dark data”) as well as the ability to not only take corresponding actions, but also prove that you’ve done so.

This is where AvePoint Compliance Guardian comes in. As a full Data Loss Prevention (DLP) and Governance, Risk and Compliance (GRC) platform, AvePoint Compliance Guardian mitigates privacy, information security, and compliance risks across your information gateways with a comprehensive risk management process:

  • Scan enterprise content wherever it is, whatever it is, against pre-defined regulatory policies based on AvePoint Compliance Guardian’s out-of-the-box and/or customisable checks. Report on data to identify and prioritise vulnerabilities, and flag false positives with human review.
  • Implement data protection and compliance policies with scheduled or real-time scanning, tagging, and action. AvePoint Compliance Guardian provides automated context-aware actions to block, move, delete, quarantine, encrypt, redact, or restrict access to sensitive data based upon its classification.
  • Prove policy compliance with ongoing monitoring, detailed reporting, and granular incident tracking. Quickly and easily describe your controls, processes and progress to business users, regulators, and auditors with exportable reports that demonstrate how you have documented, addressed, and plan to continue to enforce policy compliance.

For a visual understanding of how the platform works, please watch the video below:

With the right combination of people, processes, and technology, your organisation can comply with Australia’s latest privacy regulations – winning trust from your constituents and customers as well as avoiding potentially damaging fines. At AvePoint, we’re here to help you connect those elements so you can put a system in place that ensures information is accessible to the people who should have it and unavailable to the people who should not. With offices in Melbourne and Sydney as well as coverage across the rest of Australia, our team is ready to share methodology and expertise to ensure your organisation has an effective compliance program in place.

Have a data privacy question? Leave a comment on this post and we’ll be more than happy to help!


During his tenure as a Senior Compliance Technical Specialist at AvePoint, Esad was responsible for research, technical and analytical support on current as well as upcoming industry trends, technology, standards, best practices, concepts and solutions for information security, risk analysis and compliance.
