Big data ‘honey pots’ and cyber hacking risk: the OAIC issues draft guidance

30 June 2016

The Office of the Australian Information Commissioner (OAIC) last month issued a consultation draft of its ‘Guide to big data and the Australian Privacy Principles’.

In the draft Guide the OAIC observes that the increasing use of big data has ‘come about from a fundamental shift in analytical processes, together with large data sets, increased computational power and storage capacity’. It also notes the potential for big data to ‘bring about enormous social and economic benefits’.

The OAIC is involved as a relevant regulator because data used for big data analytics will often include personal information and, therefore, be regulated by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). The draft Guide, therefore, aims to set out, in a non-legally binding manner, how the OAIC might undertake its functions under the Privacy Act with respect to the application of the APPs to big data.

The draft Guide touches on numerous aspects of appropriately managing big data at each stage of the information life-cycle (including as to collection and notice). A comprehensive review of all the steps recommended in the draft Guide is beyond the scope of this update. Of most relevance from a cyber risk perspective is what the draft Guide has to say about APP 11 which deals with security of personal information. Specifically, APP 11 provides that entities must take reasonable steps to protect personal information they hold from misuse, interference and loss and from unauthorised access, modification or disclosure.

The OAIC notes that entities engaging in big data activities will often hold larger amounts of data and for a longer duration. In assessing what security risks exist, therefore, entities need to be cognisant of such ‘honey pots’ of large volume, valuable data which may increase the risk of that entity’s information systems being hacked.

The OAIC therefore suggests that entities handling such honey pots of data should conduct an information security risk assessment, or threat risk assessment, to assist the entity in identifying reasonable steps it should take to protect personal information it holds. The Guide suggests that such reasonable steps might include:

  • Limiting internal access to personal information on a ‘need to know’ basis only;
  • Maintaining a chronological record (such as an audit log) of all ICT system activities to be able to detect and investigate any privacy incidents;
  • Implementing network security measures, such as intrusion prevention and detection systems and penetration testing to identify internal and external vulnerabilities;
  • Utilising encryption for information that is stored; and
  • Having a response plan in place to deal with data breaches, to assist the entity in containing the breach and managing its response.

The OAIC is seeking public comment on the draft Guide, with the closing date for comments being Monday 26 July 2016.

This article was written by Andrew Miers, Partner.
