Australian Privacy Law Reforms – Deep Content Inspection Down Under with Tax File Numbers

By Jeeven Jayanathan. 

Following on from last week’s post by Kevin Bailey, Head of Market Strategy, regarding the EU Regulation reforms and how it will affect cyber security, including how businesses need to adapt, the Australian Government has since passed amendments to the Privacy Act 2012, changing the Australian landscape, which will affect the way in which privacy within the country is regulated from 12th March 2014. There will be 13 new principles introduced and a number of these principles are significantly different from the current existing standards.

These new principles called the Australian Privacy Principles (APPs), will replace the existing Information Privacy Principles (IPPs) and National Privacy Principles (NPPs). The new Privacy Amendment Act principles will regulate the handling of personal information by Australian government agencies and businesses, which include the collection, use, storage, security, disposal and disclosure of personal information such as individuals’  tax file numbers (TFN).

A TFN is an exclusive number that establishes an individual’s identity when they start a new job, open a bank account or apply for government benefits. It’s therefore crucial for entities to take reasonable steps to protect these TFNs from misuse, loss or even accidental disclosure. Complying with these new and complex privacy standards creates an added burden for entities and risk-averse parties should start preparing now.

With enhanced powers provided to the Office of the Australian Information Commissioner, in the event of significant and serious breaches, a business which is unable to swiftly demonstrate a program for compliance to the Privacy Amendment Act may experience painful investigations and hefty penalties.

Why is it important to protect the privacy of TFNs?

Even though there are strict rules of who can ask and collect TFNs, it is important to protect the privacy of TFNs because they are unique identifiers which are issued to individuals for life. Some of the privacy concerns associated with TFNs include:

  • They could potentially be used by all government agencies and businesses as part of a national identification system
  • They could be used to link records of personal information held by many different entities, which could:
    - enable these organisations to look up detailed information about a person
    - increase the risk of serious breaches of personal privacy if data is lost, misused or accidentally disclosed
    - increase the risk of identity theft

How can organisations protect the security of TFNs?

Under the TFN guidelines and protection of TFN information, recipients must take reasonable steps to safeguard TFN information stored from misuse, interference and loss, unauthorised access or disclosure.

In today’s digitally-connected world, it‘s vital for individuals to establish logical barriers and measures to protect computer systems and networks from illegal access and misuse of these TFNs such as creating access controls.

However, these controls don’t protect individuals from inadvertent human errors and the introduction of malware via personal devices, which can also cause serious harm to individuals’ personal privacy. Many organisations are focussed on managing external security threats but admit data breaches most likely to come from internal threats.

According to the Clearswift 'The Enemy Within’ research report; 44% of those surveyed believe data security breaches are most likely to come from their own employees. Therefore is important to know what your risks are and then address them. If one of those risks is the possibility of a huge fine from the Privacy Commissioner arising from loss of TFNs, then it’s essential to take note of the issue and response to overcome it.

How can Clearswift help remove the unintentional leak of TFNs?

By automatically detecting sensitive information such as TFNs from your internet and email traffic with Adaptive Redaction organisations can protect sensitive information from misuse, loss and even unintentional leaks to avoid breaching the privacy act. These defences can be put in place without becoming a barrier to business processes.

Clearswift has created pre-defined lexical expressions for TFNs, which means organisations can implement these policies on demand and quickly and effectively. In addition, the lexical qualifiers allow you to input your own dataset to avoid false positives – in other words, the company can tailor the setting of the technology to suit their particular information sensitivities.

We’ve spoken a lot about the unique technology involved in Adaptive Redaction, and how to integrate it into the organisation’s policies, but essentially, it has a continuous collaboration approach, so the data that breaches the policy is prevented from leaving the organisation; whereas the remaining content is allowed to pass to the recipient, without compromising the TFNs. This reduces outbound data loss and the resources required to reactively retrieve the TFNs and corporate response actions. Unlike traditional data loss prevention (DLP) programs, where it stops and blocks communication when it breaches the rules, contributing to increased false positives and delays in commercial communications.

Simply ask your IT administrator to switch on the policy to search for TFNs and redact these specified content rules. Once you’ve told the gateways what you want to redact, it will scan your entire internet and email traffic including attachments looking for these TFNs. In the event of any TFNs being found, the system will replace them with a series of asterisks but allow the underlying business communication to continue.

Find out more information on this redaction feature - review this video on Data Loss Prevention That Works For You.