Protective data security in the Victorian public sector

Executive summary

Cyber crime is a rapidly evolving global threat to information and data security, and is estimated to cost the Australian economy around $1 billion each year.[1] According to the federal government’s Cyber Security Strategy, threat actors target Australian government networks on an almost daily basis,[2] compromising system security, service delivery and information access.

As the cyber threat environment evolves and becomes more sophisticated, it is critical to monitor and develop information security systems and capabilities to protect the privacy of individuals and their personal information, particularly in regard to sensitive data held by government agencies.[3] Such agencies rely on this data to provide frontline operations and services, and it is therefore central to their effective operation that data integrity is maintained.

The Victorian Protective Data Security Framework (VPDSF) was released on 28 June 2016, taking effect from 1 July 2016.[4] The VPDSF sets out its objectives as being to assist Victorian public service departments and agencies to ‘identify information and determine ownership, assess the value of information, identify and manage protective data security risks, apply security measures, create a positive security culture and mature their protective data security capability’.[5]

The VPDSF defines protective data security as ‘the practice of implementing security measures to protect Victorian government information’.[6] It aims to maintain the privacy of individuals without creating unnecessary barriers to the use and distribution of personal information within and between government agencies. While all Australian jurisdictions have some form of information security policy in place that governs public sector use of data, Victoria is the first state or territory to introduce an assurance model to complement its mandatory security standards.

The assurance model sets out certain compliance and assurance activities that public service organisations are required to undertake in order to assess their ongoing protective data security development in line with the VPDSF.

Each government organisation is required to develop, implement and maintain a Security Risk Profile Assessment and a Protective Data Security Plan.[7] Organisations must then submit these plans to the Office of the Victorian Information Commissioner (OVIC) within two years after the issue of the Victorian Protective Data Security Standards (VPDSS), and review the documents every subsequent two years, or whenever there is a significant change to their operating or security environment.[8]

In addition, organisations must report annually to the OVIC on their implementation of, and compliance with, the VPDSF, and also perform a maturity assessment in line with standard 12 of the VPDSS.

Introduction

The Victorian Government’s information security protections have come under scrutiny in previous years from a number of state and federal government bodies, and have been criticised as considerably weak relative to the existing threat environment. This was reinforced by the federal Cyber Security Operations Centre reporting in its Cyber Intrusion Activity Report, Australian State and Territory Governments: January–June 2013 that ‘The networks of the Victorian and West Australian state governments accounted for the highest proportion of cyber security incidents responded to … between January and June 2013’.[9] In response to this scrutiny, the Privacy and Data Protection Act 2014 (Vic) (PDP Act) was adopted and Victoria’s protective data security framework was subsequently developed.

This paper provides an overview of the VPDSF and the role it plays in protecting personal information held by government agencies.

Section 1 outlines the development of a protective data security framework in Victoria. Section 2 examines the structure of the VPDSF, its elements and responses to its introduction. Section 3 outlines the international and domestic context of issues surrounding protective data security, and how these have influenced, and contributed to, the development of Victoria’s own framework, and also offers a jurisdictional comparison of data security and privacy regimes within Australia at state and federal levels.

Background

In 2009, the Victorian Auditor-General undertook an investigation of the Victorian public sector’s information security framework. This examined the ways in which personal information was collected and stored by government agencies, the effectiveness of risk management and governance practices within individual agencies, and the sufficiency of central policy direction to ensure whole‑of‑government information security. The report, Maintaining the Integrity and Confidentiality of Personal Information, found that ‘central direction and effective coordination of the broad scope of information security risks remains weak’, and that in the absence of coordinated guidance and oversight, ‘the importance of protecting personal information has not been properly understood by the sector’.[10]

A number of recommendations were contained in the report, including that the Victorian Government:

  • expedite the release of a comprehensive, integrated suite of standards and guidance that address all aspects of information security including protective security, and which are based on risk and relevant to local conditions;
  • mandate that all public sector agencies adopt the whole-of-government information security policies and standards;
  • establish clear oversight to monitor implementation of information security policies and standards and compliance with the reporting requirements; and
  • establish a process to identify and communicate emerging information security risks to the sector.[11]

Subsequent to this report, the Victorian Government developed its Information Security Management Policy (ISMP),[12] which set out that specified departments and agencies must implement a revised set of policies, standards and guidelines relating to data privacy and information security. The revised framework centred on two documents created by the Australian Government: the Protective Security Policy Framework (PSPF),[13] and the Information Security Manual (ISM).[14] As part of the ISMP, specified agencies were each required to implement an Information Security Management Framework demonstrating that agency’s progress in complying with the Victorian adaptation of the PSPF and ISM as set out in SEC STD 01: Information Security Management Framework Standard.[15]

The Victorian Auditor-General undertook another related audit in 2013 titled WoVG Information Security Management Framework,[16] which examined the implementation of the Victorian Government’s ISMP and related standards within the specified public sector agencies, as well as the ongoing effectiveness of the regime. The report found that while the content of the ISMP was adequate, the mandatory implementation of the framework applied only to ‘inner’ and not ‘outer’ departments and agencies, meaning that over 500 ‘outer’ agencies were not required to adhere to any common security policy or standard.[17] In addition, it found that ‘Agencies have not effectively implemented Victorian Government information security policy and standards. Agencies are potentially exposed to cyber attacks, primarily because of inadequate ICT [information and communications technology] security controls and immature operational processes.’[18] Further, the report concluded that there had been ‘inadequate central oversight of the ability of public sector systems to resist cyber attack and the follow up of the status of emerging or known cyber threats’.[19] For example, Victorian public bodies experiencing significant cyber security threats were reporting these incidents directly to the federal Australian Signals Directorate, but not to any state‑level agencies.[20]

At the same time as the release of the report, the government announced the development of a new strategy targeting cyber security within its public sector framework.[21] The Privacy and Data Protection Bill 2014 was introduced into the Legislative Assembly on 11 June 2014 by the Attorney-General, the Hon Robert Clark MP.[22] The Bill passed both houses on 19 August 2014, and received Royal Assent on 2 September 2014. The Office for the Commissioner for Privacy and Data Protection (OCPDP) was subsequently established to administer the PDP Act and to develop a whole-of-government data security framework.

The VPDSF was released on 28 June 2016, taking effect from 1 July 2016.[23] The VPDSF sets out its objectives as being to assist Victorian public service departments and agencies to ‘identify information and determine ownership, assess the value of information, identify and manage protective data security risks, apply security measures, create a positive security culture and mature their protective data security capability’.[24]

On 1 September 2017 the OCPDP was amalgamated with the Office of the Freedom of Information Commissioner to create a combined OVIC, as per the Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic) (FOI Amendment Act).[25] OVIC has responsibility for the functions previously assigned to the OCPDP (for further information on these changes, see Section 3).

In addition to these developments, the Victorian Government has created and supported a number of initiatives over recent years to see Victoria transition into a ‘cyber security state’.[26] In 2016, for example, the Victorian Government established a cyber security cluster in Melbourne at the Goods Shed, Docklands. This centre hosts the Data61 Cyber Security and Innovation Hub, the digital research arm of the Commonwealth Scientific and Industrial Research Organisation (CSIRO), alongside a new Oceania Cyber Security Centre. The Victorian Government has also signed agreements to establish within the hub a number of cyber security experts and organisations, including the University of Oxford’s Global Cyber Security Capacity Centre.[27] The government’s aim for this research hub is to keep Victoria ‘at the forefront of Australia’s cyber security expertise and capabilities’,[28] with these groups collaborating to undertake new research, reduce cyber security risks with assistance from private sector organisations, and perform audits at a national level of system capabilities and risks.[29] The rapid growth of cyber security experts establishing at the Goods Shed has resulted in its recognition as the largest cyber security cluster in Australia.[30]

Further, the Victorian Government has recently announced its Cyber Victoria program, which seeks to ensure that Victoria is home to the ‘most skilled cyber workforce in the Asia Pacific region’, and to provide resources to improve the cyber capacity of existing and emerging companies.[31] The Victorian Government’s emphasis on its own public sector’s data security is set within this context.


Victorian Protective Data Security Framework

The overarching purpose of the VPDSF is to ‘establish, monitor and assure security of information within the Victorian Government’.[32] The framework also aims to encourage a cultural shift in the way protective data security is considered on a day-to‑day basis, establishing it as a necessary element of any operating environment.[33]

The VPDSF consists primarily of the Victorian Protective Data Security Standards (VPDSS), the assurance model, and a number of supplementary security guides and supporting resources. Figure 1 provides an overview of the structure of the VPDSF, with the assurance model overlaying the framework.

Figure 1. VPDSF structural overview (image not reproduced)

Source: Victorian Protective Data Security Framework, p. 17

A number of guiding principles set out the concepts supporting the general themes contained within the VPDSF. These relate to the establishment of:

  • strong governance arrangements to ensure protective data security requirements are reflected in organisational planning;
  • risk management;
  • an understanding of information value;
  • a positive security culture with clear personal accountability and a mature understanding of managing risk, responsibility and reputation;
  • a continuous improvement lifecycle model to facilitate opportunities to improve organisational practices; and
  • the ability of sound protective data security practices to assist an organisation to achieve its objectives.[34]

The guiding principles correlate to the VPDSS, which are implemented under plans set out within the assurance model. The former OCPDP (now OVIC), in addition, issued a number of supplementary security guides and supporting resources to assist organisations in fulfilling their obligations. These various elements are interrelated to establish an all-encompassing protective data security regime.

Where personal information held by a Victorian public sector agency has national interest, the requirements under the federal PSPF supersede those of the VPDSF.

Victorian Protective Data Security Standards (VPDSS)

The VPDSS comprise 18 standards, each of which is supported by four protocols; together these provide ‘a set of criteria for the consistent application of risk‑managed security practices across Victorian government information’.[35] The VPDSF sets out that these standards should be planned, implemented, monitored on an ongoing basis and improved as necessary by Victorian public sector agencies. They are grouped into security governance (12 standards) and the four security domains: information security (three standards), personnel security (one standard), ICT security (one standard) and physical security (one standard). Organisations are required to adhere to the VPDSS in line with the compliance requirements set out in section 88 of the PDP Act.

Organisations are also required to comply with the 10 Information Privacy Principles (IPPs) set out in Schedule 1 of the PDP Act, which govern the collection and use of personal information by public service bodies. The IPPs and the VPDSS are closely related. Under IPP 4.1, government agencies are required to ‘… take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure’.[36] The VPDSF sets out that organisations should use the VPDSS as the primary reference point in terms of ensuring compliance with this IPP.[37]

The VPDSS are consistent with the standards set out in the federal PSPF, but also contain a number of variances, which reflect the distinct operating requirements of Victoria’s public service. Many of the standards similarly refer to the implementation of International Organization for Standardization (ISO) standards, and measures contained within the Australian Signals Directorate’s ISM, in recommending adequate controls (these documents are discussed in the international and federal sections of Section 3 below).

Table 1 sets out the standards and the required output for implementation.

Table 1. Victorian Protective Data Security Standards

| Standard | Area | Output |
|---|---|---|
| 1. Security Management Framework | Security governance | An organisation must establish, implement and maintain a security management framework proportionate to their size, resources and risk posture. |
| 2. Security Risk Management | Security governance | An organisation must utilise a risk management framework to manage security risks. |
| 3. Security Policies and Procedures | Security governance | An organisation must establish, implement and maintain security policies and procedures proportionate to their size, resources and risk posture. |
| 4. Information Access | Security governance | An organisation must establish, implement and maintain an access management regime for access to public sector data. |
| 5. Security Obligations | Security governance | An organisation must define, document, communicate and regularly review the security obligations of all persons with access to public sector data. |
| 6. Security Training and Awareness | Security governance | An organisation must ensure all persons with access to public sector data undertake security training and awareness. |
| 7. Security Incident Management | Security governance | An organisation must establish, implement and maintain a security incident management regime proportionate to their size, resources and risk posture. |
| 8. Business Continuity Management | Security governance | An organisation must establish, implement and maintain a business continuity management program that addresses the security of public sector data. |
| 9. Contracted Service Providers | Security governance | An organisation must ensure that contracted service providers with access to public sector data do not do an act or engage in a practice that contravenes the VPDSS. |
| 10. Government Services | Security governance | An organisation that receives a government service from another organisation must ensure that the service complies with the VPDSS in respect to public sector data that is collected, held, used, managed, disclosed or transferred. |
| 11. Security Plans | Security governance | An organisation must establish, implement and maintain a protective data security plan to manage their security risks. |
| 12. Compliance | Security governance | An organisation must perform an annual assessment of their implementation of the VPDSS and report their level of compliance to the Victorian Information Commissioner. |
| 13. Information Value | Information security | An organisation must conduct an information assessment considering the potential compromise to the confidentiality, integrity and availability of public sector data. |
| 14. Information Management | Information security | An organisation must establish, implement and maintain information security controls in their information management framework. |
| 15. Information Sharing | Information security | An organisation must ensure that security controls are applied when sharing public sector data. |
| 16. Personnel Lifecycle | Personnel security | An organisation must establish, implement and maintain personnel security controls in their personnel management regime. |
| 17. Information Communications Technology (ICT) Lifecycle | ICT security | An organisation must establish, implement and maintain Information Communications Technology (ICT) security controls in their ICT management regime. |
| 18. Physical Lifecycle | Physical security | An organisation must establish, implement and maintain physical security controls in their physical management regime. |

Source: Information sourced from Victorian Protective Data Security Framework, pp. 32–49


Assurance model

The assurance model sets out certain compliance and assurance activities that public service organisations are required to undertake in order to assess their ongoing protective data security development in line with the VPDSF. The OVIC plays a core role within the assurance model in working with organisations to ensure continuing capability development and best practice security resilience and effectiveness. In this way, organisations are able to provide assurance to the OVIC, which then reports to the Victorian Government on the broader security of information held within its public sector.

Security planning

Each government organisation is required to develop, implement and maintain a Security Risk Profile Assessment (assessing the organisation’s data security risks) and a Protective Data Security Plan (including action items to address identified data security risks).[38]

Organisations are required to submit these documents to the OVIC within two years after the issue of the VPDSS. Every organisation to which the protective data security provisions under Part 4 of the PDP Act apply will then be required to review these documents every subsequent two years, or whenever there is a significant change to its operating or security environment.[39] Organisations may also seek customised protective data security standards where certain operating conditions or requirements necessitate a departure from the standard VPDSS.[40]

Development of a Security Risk Profile Assessment and Protective Data Security Plan is also set out as a requirement in standards 2 and 11 of the VPDSS. These documents will assist the OVIC in conducting its security monitoring and assurance activities.

Organisational compliance

Organisations must report annually to the OVIC on their implementation of, and compliance with, the VPDSF, and also perform a maturity assessment in line with standard 12 of the VPDSS.

Risk-based assurance

The OVIC will implement its obligations under the assurance model by assessing each organisation’s implementation of the VPDSF, and the broader development of Victoria’s overall protective data security. Organisations must assist the OVIC by providing requested information or documents where necessary, as well as access to data systems to ensure a full assessment.

Assurance reporting

The OVIC has a number of reporting obligations, including reporting annually to the Special Minister of State on the ongoing maturity of the Victorian public sector under the protective data security model.

Supplementary security guides and supporting resources

The former OCPDP produced a number of additional materials to assist public sector organisations to comply with their obligations under the PDP Act and VPDSF, which are now publicly available under the ‘data security resources’ section of the OVIC webpage.[41] This includes the VPDSF Information Security Management Collection,[42] which provides guidance on the implementation of the VPDSS and how to identify and manage information assets and value.

Responses to the VPDSF

The VPDSF has received a generally favourable response. In particular, it has been described as ‘showing determined cyber security leadership from central government while offering a progressive information assurance framework that can be used as a benchmark for all other states’.[43] In relation to the previous Victorian Auditor-General’s reports, which revealed weak security practices within a number of Victorian Government agencies, the inclusion of an assurance model now ensures that government bodies will have to demonstrate their compliance with, and implementation of, information security policies for the first time.[44] The various elements of the assurance model, including requirements for annual reporting, encourage a cultural shift to consider data security as an integral part of each agency’s business model. Looking forward, the Victorian Auditor-General’s Office announced in its Annual Plan 2017–18 that it will commence a review into the effectiveness of the VPDSF and the VPDSS, and their ability to improve public sector cyber resilience, in 2018–19.[45]

The VPDSF has further been described as being ‘light on prescriptive or practical demands on how agencies should actually build security into their systems and operations’.[46] Instead, it lists a number of external policies and standards to be employed. For example, many of the VPDSS implement elements of the internationally accepted ISO suite of standards, the use of which will allow for a ‘much more flexible approach to implementation’ as information security professionals will already be familiar with these standards.[47] Noting the breadth of organisations to which the framework applies, the VPDSF also provides caveats that internal procedures should be proportionate to each agency’s specific situation, affording space for flexible implementation as required.[48]

On a broader level, the various privacy and information security regimes across Australia remain complex to navigate, creating difficulties for the private sector in terms of having to comply with diverse obligations when engaging in business or contractual arrangements across multiple jurisdictions.[49] Neither South Australia nor Western Australia, for example, have enacted specific privacy legislation (see the jurisdictional comparison in Section 4). Stronger collaboration and coordination across federal and state governments could assist the growth of data security capability within Australia as new cyber threats emerge.[50]

Victoria’s legislation and agency roles

Legislation

Privacy and Data Protection Act 2014 (Vic)

The PDP Act came into effect on 17 September 2014, and repealed and replaced the Information Privacy Act 2000 (Vic) (Information Privacy Act) and the Commissioner for Law Enforcement Data Security Act 2005 (Vic). In doing so, the PDP Act merged the two separate roles of Privacy Commissioner and Commissioner for Law Enforcement Data Security into one Commissioner for Privacy and Data Protection, to administer the new data protection regime.[51] These roles were again amended by the FOI Amendment Act (see ‘other legislation’ below).

While many of the provisions relating to privacy in the PDP Act are similar to those previously contained in the Information Privacy Act, the PDP Act also contains a number of new measures and mechanisms to provide for a more comprehensive whole-of-government framework specifically targeted at protecting data held by Victorian public sector agencies.

Purpose

The PDP Act creates a framework for the responsible collection and handling of personal information within the Victorian public sector; provides remedies for interferences with such information; and provides for the establishment of a protective data security regime for the Victorian public sector.

According to the former OCPDP, the PDP Act is ‘the first piece of legislation in Australia to combine privacy and data protection regimes into a single regulatory framework’.[52]

Application

In regard to the information privacy aspects of the PDP Act, Victorian public sector bodies must adhere to the 10 IPPs set out in Schedule 1, which govern the collection and use of personal information by government agencies, and which are based on the Organisation for Economic Co-operation and Development’s (OECD) Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (OECD Guidelines).[53] Organisations must not commit an act, or engage in a practice, that contravenes an IPP in respect of personal information collected, held, managed, used, disclosed or transferred by it, unless otherwise permitted to do so.[54] Alongside permitted departure from some IPPs for law enforcement purposes, bodies are also able to depart from IPPs in conjunction with certain mechanisms where it is determined to be in the public interest.[55]

The protective data security provisions under Part 4 of the PDP Act apply to Victorian public service organisations and agencies, but do not apply to local councils, universities, public hospitals or health services, or ambulance services.[56] The provisions are also binding on service providers performing a contract with a Victorian public service body.

Part 4 also sets out that the Victorian Information Commissioner (previously the Commissioner for Privacy and Data Protection) is required to develop a protective data security framework for monitoring and assuring the security of public sector data. In addition, it establishes that the Victorian Information Commissioner may issue protective data security standards for the security, confidentiality and integrity of public sector data and access to public sector data.[57]

Other legislation

Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017

The FOI Amendment Act received Royal Assent on 16 May 2017. This Act provided for the amalgamation of the OCPDP with the Office of the Freedom of Information Commissioner to create the OVIC. Attorney‑General Martin Pakula MP stated during the second reading speech on the Bill that this merger would bring Victoria’s privacy and information regimes into line with the systems established in New South Wales, Queensland and the Commonwealth.[58] Despite these changes, the privacy and data protection obligations of public sector agencies as set out within the PDP Act remain the same.

OVIC assumed the functions of the above two offices from 1 September 2017.

Health Records Act 2001 (Vic)

Health information is excluded from the provisions of the PDP Act. Instead, the Health Records Act 2001 (Vic) (the HRA) sets out how data pertaining to health is collected and handled by public agencies in Victoria.[59] The Health Services Commissioner administers the HRA, and it includes a number of Health Privacy Principles which are similar in nature to the IPPs.

Charter of Human Rights and Responsibilities Act 2006 (Vic)

Section 13 of the Charter of Human Rights and Responsibilities Act 2006 (Vic) (the Charter) confers a right to privacy, which provides that an individual’s personal information cannot be unlawfully or arbitrarily interfered with.[60]

The Victorian Government, public authorities and local councils must consider the rights contained in the Charter, including the right to privacy, when drafting new laws, and set out the compatibility of the draft legislation with those rights in a statement of compatibility presented to the Victorian Parliament.

The Parliament’s Scrutiny of Acts and Regulations Committee is required to scrutinise all Bills and Statutory Rules for their compatibility with human rights as set out in the Charter, and report to the Parliament on their findings. This committee’s functions are set out in section 17 of the Parliamentary Committees Act 2003 (Vic), and include a requirement to report to the Parliament on whether any bill ‘unduly requires or authorises acts or practices that may have an adverse effect on personal privacy within the meaning of the Privacy and Data Protection Act 2014’.[61]

Agency roles

Office of the Victorian Information Commissioner

The OCPDP was established in September 2014, and Part 6 of the PDP Act as passed set out the administration of that Act as one of its functions. Within that office, the functions of the Commissioner for Privacy and Data Protection included issuing protective data security standards and law enforcement data security standards; developing the Victorian protective data security framework and promoting the uptake of the standards by the public sector; and conducting monitoring and assurance activities, including audits, to ascertain compliance with data security standards.

From 1 September 2017, the OVIC commenced operations.[62] The OVIC is headed by the Information Commissioner, and supported by the Privacy and Data Protection Deputy Commissioner and Public Access Deputy Commissioner. The role previously performed by the Commissioner for Privacy and Data Protection, in relation to the regulation of activity concerning information privacy, protective data security and law enforcement data security, was conferred upon the Information Commissioner.[63]

Department of Premier and Cabinet

The Department of Premier and Cabinet (DPC) is the central coordination agency for issues relating to cyber security and information technology, and is responsible for coordinating critical hazard responses, including in relation to cyber attacks. DPC also supports the administrative functions of the OVIC.

As part of the Victorian Government’s Information Technology Strategy for the Victorian Government, 2016 to 2020, DPC committed to creating a state strategy for cyber security.[64] This strategy was developed by the Cyber Security Strategy Group, composed of experts from both the federal and Victorian governments as well as major enterprises. The Victorian Cyber Security Strategy was launched by the Special Minister of State on 25 August 2017.[65] Within this framework, the Victorian Government has committed to a number of actions relating to public engagement, planning, partnering, service maturity and capability, with the purpose of developing and implementing cyber security capabilities across government.[66] These actions include:

  • appointment of a Chief Information Security Officer for the Victorian Government within DPC who will be responsible for implementing the Victorian Cyber Security Strategy;
  • standardised reporting and communication requirements across all departments and agencies;
  • development and operation of a communication and engagement program for cyber security awareness within the Victorian Government;
  • establishment of formal channels and mechanisms to engage with Australian Government cyber security services and strategic planning; and
  • development of emergency governance structures, such as with Emergency Management Victoria.[67]

The initiatives contained in this strategy are intended to support the principles and approach of the VPDSF.[68]


International and domestic approaches to data security

This section will broadly examine the structure and development of information security and data privacy frameworks—including the main policy guidance and standards issued at international and federal levels, and a jurisdictional comparison of the comparable data privacy regimes of the states and territories—and how these have influenced Victoria’s own framework.

International

International standards and guidelines

Organisation for Economic Co-operation and Development

The OECD developed its OECD Guidelines in 1980, which constituted the first collaborative international privacy framework.[69] These guidelines were developed by an Expert Group consisting of representatives of the OECD member countries, chaired by then‑Chairman of the Australian Law Reform Commission, the Hon. Justice Michael Kirby. They set out a number of basic principles which could be incorporated into existing or draft legislation, with the aim of enabling the free flow of information across borders while protecting fundamental rights and liberties, such as privacy. The OECD recommended the cooperation and collaboration of member states in their implementation of the guidelines and the creation of specific procedures of consultation for their application.

Specifically, the OECD Guidelines set out eight basic principles (to be considered as minimum standards) as agreed by the Expert Group, which relate to data collection, use, disclosure, quality, security, transparency and accountability.[70] These were updated in 2013 to respond to a rapidly changing digital environment, including in relation to the volume of personal data being collected, used and stored, the extent of threats to privacy, and the number and variety of actors capable of either putting privacy at risk or protecting privacy.[71] While the basic principles remained the same, new concepts were introduced which included national privacy strategies (with co-ordination at the highest level of government) and data security breach notification (covering both notice to an authority and notice to an individual affected by a security breach).[72]

The Australian Privacy Principles (APPs) set out in the Privacy Act 1988 (Cth) (Privacy Act),[73] and the IPPs contained in the PDP Act, are largely based on the OECD Guidelines.

International Organization for Standardization

The ISO is an international non-governmental organisation that brings together the national standards organisations of 163 countries. The ISO develops collaborative international standards aimed at ensuring the quality, safety and efficiency of services and systems across a variety of industries and technologies, assisting the facilitation of international trade.

The ISO 27000 series of standards ‘provide best practice recommendations on risks and controls within the context of an overall information security management system’.[74] These are widely accepted as the global standards for information security policy, and they inform the development of security frameworks within both the public and private sectors, including the VPDSF.

International law

Article 17 of the International Covenant on Civil and Political Rights (ICCPR) provides for certain protections relating to privacy (including information privacy), and prohibits any unlawful or arbitrary interference with this right.[75] The United Nations Human Rights Committee, the treaty monitoring body for the ICCPR, has set out that ‘The obligations imposed by this article require the State to adopt legislative and other measures to give effect to the prohibition against such interferences and attacks as well as to the protection of this right.’[76] Australia, as a party to this covenant, therefore has an obligation under international law to ensure that individuals’ right to privacy is protected, and only limited in certain circumstances.

In addition, the Human Rights Committee has stated that ‘every individual should have the right to ascertain in an intelligible form, whether, and if so, what personal data is stored in automatic data files, and for what purposes. Every individual should also be able to ascertain which public authorities or private individuals or bodies control or may control their files.’[77] This confers an obligation on State Parties to the ICCPR to ensure that relevant domestic privacy laws enable individuals to ascertain from public bodies the private information held about them by those bodies.

While the ICCPR does not operate as a direct source of law in Australia (meaning that it has not been wholly incorporated into domestic law), Australia has voluntarily committed to adhere to the rights set out in the covenant, and is required to report periodically to the Human Rights Committee on its progress in implementing those rights.[78] Certain provisions of the various treaties and conventions to which Australia is a party are, however, reflected in domestic legislation, including in relation to domestic privacy law.

International collaboration

Australia collaborates internationally on issues relating to data privacy and cyber security through membership of international organisations and working groups, defence and security exercises, and information sharing. Australia is, for example, a member of the Asia-Pacific Economic Cooperation (APEC) Data Privacy Sub Group that developed the APEC Privacy Framework in 2004,[79] and the federal Office of the Australian Information Commissioner (OAIC) participates in the APEC Cross-border Privacy Enforcement Arrangement,[80] which promotes regional cooperation on information privacy legislation and its enforcement. The APEC Privacy Framework also contains nine core privacy principles representing a minimum standard for its members (and was developed in accordance with the OECD Guidelines discussed above). Australia has also cooperated with Canada, New Zealand, the United Kingdom and the United States as part of the International Computer Network Defence Coordination Working Group, which promotes information sharing on international cyber security issues.[81]

Federal

Legislation

Privacy Act 1988 (Cth)

The Privacy Act came into operation on 1 January 1989, and gave effect to Australia’s commitment to implement into domestic law the OECD Guidelines, as well as its obligations in relation to the right to privacy as contained in article 17 of the ICCPR.

The Privacy Act regulates how information is stored, used and protected by federal public sector agencies, and some large Australian companies. It contains 13 APPs which are based on the principles established in the OECD Guidelines.[82] Federal government bodies are required to adhere to these APPs when interacting with personal information.

Policies and guidance

Protective Security Policy Framework (PSPF)

The Attorney-General’s Department (AGD) manages the PSPF, which is the overarching Australian Government policy regarding data privacy and security.[83] The individual information security procedures of each federal agency are required to adhere to this framework, which contains 36 mandatory requirements to assist those bodies to manage security risks, provide assurance to the government and public, and assist the growth of a protective data security culture.[84]

The PSPF also includes a mandatory audit, review and reporting process, with each department or agency preparing a self-assessment report that is submitted to the relevant portfolio minister. The PSPF is currently under review, in response to recommendations from the Independent Review of Whole-of-Government Internal Regulation.

Information Security Manual (ISM)

The ISM is the standard governing the security of Australian Government ICT systems and supplements the PSPF.[85] The ISM supports the strategic priorities set out in the federal government’s Cyber Security Strategy (CSS) by ‘providing detailed information about the cyber security threat, as well as assisting agencies in determining appropriate controls to protect their information and systems’.[86] The Australian Signals Directorate issues the ISM.

The ISM also provides further detail regarding required implementation of the Strategies to Mitigate Cyber Security Incidents,[87] also known as the ‘Top 4’ Strategies (updated in 2017 to replace the former Strategies to Mitigate Targeted Cyber Intrusions).[88] The Australian Signals Directorate has estimated that implementation of the Top 4 Strategies will mitigate ‘at least 85% of the adversary techniques used in targeted cyber intrusions’ that it has observed.[89]

Cyber Security Strategy (CSS)

The Department of Prime Minister and Cabinet published its most recent CSS in 2016.[90] The CSS introduces five main priorities for Australia’s cyber security development leading up to 2020, including emphasis on a national cyber partnership and strong cyber defences.[91] Further, it establishes an operational model for joint cyber security centres in key capital cities to promote information sharing between federal and state governments and the private sector.[92] The first such centre opened in Brisbane in February 2017,[93] with centres planned to open in Sydney, Melbourne and Perth by the end of 2017.[94] The first annual update to this report was released in April 2017.[95]

Agency roles

A number of federal departments and agencies have roles relating to the implementation of data privacy and information security policies, guidelines and strategies. The leading agencies are briefly outlined below.

Office of the Australian Information Commissioner (OAIC)

The OAIC is a federal independent statutory agency administered by the AGD, which was established in 2010 by the Australian Information Commissioner Act 2010 (Cth) (AIC Act). The OAIC houses the Australian Information Commissioner, who is required under the AIC Act to report to the Attorney‑General on ‘the collection, use, disclosure, management, administration or storage of, or accessibility to, information held by the Government’, and the systems used to provide for these activities.[96] One of the OAIC’s primary functions is in relation to privacy law and policy, conferred upon it by the Privacy Act and other laws. The OAIC administers the APPs discussed above, and provides advice and guidance to agencies and organisations on the application and requirements of the Privacy Act.

The OAIC announced in May 2017, together with the Department of Prime Minister and Cabinet, the joint development of a new Privacy Code to ‘enhance the capability of Commonwealth agencies to deliver data innovation that integrates personal data protection’.[97] The new Privacy Code is expected to be implemented in 2018.

Australian Cyber Security Centre (ACSC)

The Australian Cyber Security Centre (ACSC) (previously the Cyber Security Operations Centre) is the Australian Government’s lead agency for operational responses to cyber attacks, as well as the central hub for collaboration between the public and private sector on issues relating to cyber security. In addition, it reports on the nature and extent of emerging and existing threats. The ACSC coordinates cyber security capabilities from across the Australian Government, including the Australian Signals Directorate, AGD, Australian Security Intelligence Organisation, Australian Federal Police and the Australian Criminal Intelligence Commission. On 18 July 2017, it was announced that the ACSC would establish 24/7 capability to respond to ‘serious cyber incidents’.[98]

Department of Prime Minister and Cabinet

The Department of Prime Minister and Cabinet is the lead federal government department for developing cyber security policy, and implements the CSS. It also hosts a Public Data Branch, which has a number of functions relating to data capability, privacy and accessibility.[99]

Attorney-General’s Department (AGD)

The AGD coordinates a number of initiatives relating to protective security policy and cyber security through its Cyber Crime and Security Branch. This includes the National Computer Emergency Response Team, which is the first point of contact within government for non‑government bodies experiencing cyber threats, and which coordinates with the ACSC to share data on cyber incidents. The AGD also manages the Trusted Information Sharing Network for Critical Infrastructure Resilience, which provides a secure environment for the sharing of information across sectors to address critical security issues. In addition, the AGD will coordinate the new joint cyber security centres.


Jurisdictional comparison—states and territories

Each jurisdiction is compared below on four points: the relevant legislation governing use of personal data by public sector agencies; the privacy principles contained in that legislation; the existence of a relevant Commissioner; and whether a right to privacy is legislated.

Commonwealth
Relevant legislation: Privacy Act 1988 (Cth)
Privacy principles: Australian Privacy Principles (APPs), Privacy Act 1988 (Cth) sch 1. Contains 13 principles.
Relevant Commissioner: Australian Information Commissioner
Right to privacy legislated: No

ACT
Relevant legislation: Information Privacy Act 2014 (ACT) (replaced the previously used Privacy Act 1988 (Cth))
Privacy principles: Territory Privacy Principles (TPPs), Information Privacy Act 2014 (ACT) sch 1. Contains 13 TPPs, which are similar to the APPs but have been reworded and exclude APPs 7 and 9 as not relevant to ACT public sector processes.
Relevant Commissioner: Australian Information Commissioner (under arrangement between the ACT government and the federal government)
Right to privacy legislated: Human Rights Act 2004 (ACT) s 12

NT
Relevant legislation: Information Act 2002 (NT)
Privacy principles: Information Privacy Principles (IPPs), Information Act 2002 (NT) sch 2. Contains 10 principles, which are similar to the Victorian IPPs.
Relevant Commissioner: NT Information Commissioner
Right to privacy legislated: No

NSW
Relevant legislation: Privacy and Personal Information Protection Act 1998 (NSW). NSW was the first state to enact public sector privacy laws.
Privacy principles: Information Protection Principles (IPPs), Privacy and Personal Information Protection Act 1998 (NSW) pt 2 div 1. Contains 12 principles.
Relevant Commissioner: NSW Privacy Commissioner
Right to privacy legislated: No

QLD
Relevant legislation: Information Privacy Act 2009 (QLD)
Privacy principles: Information Privacy Principles (IPPs), Information Privacy Act 2009 (QLD) sch 3. Contains 11 principles.
Relevant Commissioner: QLD Privacy Commissioner
Right to privacy legislated: No

TAS
Relevant legislation: Personal Information and Protection Act 2004 (Tas)
Privacy principles: Personal information protection principles (PIPPs), Personal Information and Protection Act 2004 (Tas) sch 1. Contains 10 principles.
Relevant Commissioner: None. The Tasmanian Ombudsman is responsible for complaints-handling.
Right to privacy legislated: No

SA
Relevant legislation: None. SA has a non-legislative administrative scheme.
Privacy principles: Information Privacy Principles (IPPs), set out in the Information Privacy Principles Instruction (also known as Cabinet Administrative Instruction 1/89, and Premier and Cabinet Circular 12, as amended by Cabinet 20 June 2016).
Relevant Commissioner: None. The IPPs are overseen by a Privacy Committee.
Right to privacy legislated: No

WA
Relevant legislation: None. The Information Privacy Bill 2007 (containing a number of Information Privacy Principles and seeking to establish a Privacy and Information Commissioner) never passed the Legislative Council.
Privacy principles: None. Some principles are broadly enshrined within the Freedom of Information Act 1992 (WA).
Relevant Commissioner: WA Information Commissioner, dealing only with freedom of information issues
Right to privacy legislated: No

VIC
Relevant legislation: Privacy and Data Protection Act 2014 (Vic)
Privacy principles: Information Privacy Principles (IPPs), Privacy and Data Protection Act 2014 (Vic) sch 1. Contains 10 principles.
Relevant Commissioner: Victorian Information Commissioner, and Privacy and Data Protection Deputy Commissioner (previously the Commissioner for Privacy and Data Protection)
Right to privacy legislated: Charter of Human Rights and Responsibilities Act 2006 (VIC) s 13

References

Asia-Pacific Economic Cooperation (2009) APEC Cross-border Privacy Enforcement Arrangement, Singapore, APEC.

Asia-Pacific Economic Cooperation Secretariat (2005) APEC Privacy Framework, Singapore, APEC.

Attorney-General’s Department (2014) Protective Security Policy Framework, Canberra, AGD.

Australian Law Reform Commission (2008) For Your Information: Australian Privacy Law and Practice (ALRC Report 108), Sydney, ALRC.

Australian Signals Directorate (2016) Information Security Manual, Canberra, ASD.

Australian Signals Directorate (2016) Information Security Manual: Executive Companion, Canberra, ASD.

Australian Signals Directorate (2017) Strategies to Mitigate Cyber Security Incidents, Canberra, ASD.

Bailey, S. (2014) ‘A new privacy and data protection law for Victoria’, Clayton Utz website, 4 September.

Brandis, G., Attorney-General, and D. Tehan, Minister Assisting the Prime Minister on Cyber Security (2017) Turnbull Government launches first Joint Cyber Security Centre, media release, 24 February.

Brangwin, N. (2013) ‘Cyber security’, Parliamentary Library Briefing Book: Key Issues for the 44th Parliament, Parliamentary Library, Parliament of Australia, Canberra, pp. 120-121.

Burton, T. (2017) ‘New threats sees Victoria embrace all-of-government cyber resilience’, The Mandarin, 29 August.

Campbell, T. (2016) ‘WA should take note of Victoria's new security framework’, iTnews, 12 July.

Clark, R., Attorney-General (2014) ‘Second reading speech: Privacy and Data Protection Bill 2014’, Debates, Victoria, Legislative Assembly, 12 June, pp. 2107-09.

Commissioner for Privacy and Data Protection (2016) Information sheet: Privacy legislation in Victoria, Melbourne, OCPDP.

Commissioner for Privacy and Data Protection (2015) Privacy legislation in Victoria, Melbourne, OCPDP.

Commissioner for Privacy and Data Protection (2016) Victorian Protective Data Security Framework, Melbourne, OCPDP.

Commissioner for Privacy and Data Protection (2017) VPDSF Information Security Management Collection, Melbourne, OCPDP.

Cowan, P. (2016) ‘Vic govt gets new cyber security rules’, iTnews, 30 June.

Coyne, A. (2016) ‘Victoria opens cyber security mega-hub’, iTnews, 6 October.

Dalidakis, P., Minister for Small Business, Innovation and Trade (2017) Israeli Cyber Security Leader Chooses Victoria for HQ, media release, 4 April.

Dalidakis, P., Minister for Small Business, Innovation and Trade (2017) Melbourne well on its way to being ‘cyber ready’, media release, 23 May.

Dalidakis, P., Minister for Small Business, Innovation and Trade (2016) Victoria Welcomes Federal Boost To Cyber Security, media release, 21 April.

Dalidakis, P., Minister for Small Business, Innovation and Trade (2016) World-Class Cyber Security Hub Opens in Victoria, media release, 16 October.

Department of Premier and Cabinet (2017) Cyber Security Strategy, Melbourne, DPC.

Department of Premier and Cabinet (2016) ICT Network and Cyber Security Statement of Direction for the Victorian Public Service, Melbourne, DPC.

Department of Premier and Cabinet (2016) Information Technology Strategy for the Victorian Government, 2016 to 2020, Melbourne, DPC.

Department of Premier and Cabinet (2012) SEC STD 01: Information Security Management Framework Standard, Melbourne, DPC.

Department of the Prime Minister and Cabinet (2017) Press Conference with the Prime Minister, the Hon. Malcolm Turnbull MP, Attorney-General, Senator the Hon. George Brandis QC, Minister for Immigration and Border Protection, the Hon. Peter Dutton MP and Minister for Justice, the Hon. Michael Keenan MP, Canberra, 18 July.

Department of the Prime Minister and Cabinet (2017) ASD releases Essential Eight Maturity Model, media release, Canberra, DPMC, 7 July.

Department of the Prime Minister and Cabinet (2017) Australia’s Cyber Security Strategy: 2017 Update, Canberra, DPMC.

Department of the Prime Minister and Cabinet (2016) Australia’s Cyber Security Strategy, Canberra, DPMC.

Department of the Prime Minister and Cabinet and Office of the Australian Information Commissioner (2017) Developing an APS-wide Privacy Code, media release, Canberra, DPMC & OAIC.

Draudins, V. (2017) ‘Harmonising Australia’s privacy regime’, The Mandarin, 1 August.

Gordon, J. (2015) ‘Melbourne to become regional cyber-security hub’, The Age, 15 December.

Hendry, J. (2017) ‘Victoria wants a whole-of-govt CISO’, iTnews, 30 June.

International Covenant on Civil and Political Rights, opened for signature 16 December 1966, 999 UNTS 171; [1980] ATS 23 (entered into force 23 March 1976) article 17.

Invest Victoria (2017) Victoria to become Australia’s first cyber ready state, media release, 29 May.

Jennings, G., Special Minister of State (2017) Improving Transparency and Access to Information, media release, 29 August.

Jennings, G., Special Minister of State (2017) Tackling The Cyber Security Threat To Victorian Services, media release, 25 August.

Lawbook (2011) 4 International Instruments, ‘International Covenant on Civil and Political Rights’, The Laws of Australia, Pyrmont, Thomson Reuters, 1 April [legal encyclopaedia].

LexisNexis (2017) 80 Civil and Political Rights, ‘Privacy and Reputation’, Halsbury’s Laws of Australia, 6 July [legal encyclopaedia].

Organisation for Economic Co-operation and Development (1980) Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data, Paris, OECD.

Organisation for Economic Co-operation and Development (2013) The OECD Privacy Framework, Paris, OECD.

Redrup, Y. (2017) ‘States on attack for Israeli investment’, Australian Financial Review, 21 February.

Rich-Phillips, G., Minister for Technology (2013) State to lead on Cyber Security Strategy, media release, 20 November.

Swan, D. (2015) ‘Victoria to open cyber security hub with Oxford University’, The Australian, 15 December.

Trade Victoria (2017) Cyber Victoria – fostering a cyber-ready workforce, media release, 27 May.

UN Human Rights Committee (1988) CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, 8 April, Geneva, HRC.

UN Human Rights Council, Resolution 28/16 (2015), The right to privacy in the digital age, A/HRC/RES/28/16, 1 April.

Victorian Auditor-General’s Office (2017) Annual Plan 2017–18, Melbourne, VAGO.

Victorian Auditor-General’s Office (2009) Maintaining the Integrity and Confidentiality of Personal Information, Melbourne, VAGO.

Victorian Auditor-General’s Office (2013) WoVG Information Security Management Framework, Melbourne, VAGO.

Victorian Government CIO Council (2012) Information Security Management Policy, Melbourne, CIO Council.


[1] Department of the Prime Minister and Cabinet (2016) Australia’s Cyber Security Strategy, Canberra, DPMC, p. 15.

[2] ibid., p. 36.

[3] In this research paper, the terms public service or public sector ‘agencies’, ‘departments’, ‘bodies’ and ‘organisations’ will be used interchangeably to represent government bodies.

[4] Commissioner for Privacy and Data Protection (2016) Victorian Protective Data Security Framework, Melbourne, OCPDP.

[5] ibid., p. 12.

[6] ibid., p. 11.

[7] Privacy and Data Protection Act 2014 (Vic) (PDP Act), s 89(1).

[8] ibid., s 89(4).

[9] As quoted in Victorian Auditor-General’s Office (2013) WoVG Information Security Management Framework, Melbourne, VAGO, p. 2.

[10] Victorian Auditor-General’s Office (2009) Maintaining the Integrity and Confidentiality of Personal Information, Melbourne, VAGO, p. viii.

[11] ibid., p. x.

[12] Victorian Government CIO Council (2012) Information Security Management Policy, Melbourne, CIO Council.

[13] Attorney-General’s Department (2014) Protective Security Policy Framework, Canberra, AGD. For further discussion of this document see Section 3 of this paper.

[14] Australian Signals Directorate (2016) Information Security Manual, Canberra, ASD. For further discussion of this document see Section 3 of this paper.

[15] Department of Premier and Cabinet (2012) SEC STD 01: Information Security Management Framework Standard, Melbourne, DPC, p. 3.

[16] Victorian Auditor-General’s Office (2013) op. cit.

[17] ibid., p. x.

[18] ibid.

[19] ibid., p. vii.

[20] ibid., p. x.

[21] G. Rich-Phillips, Minister for Technology (2013) State to lead on Cyber Security Strategy, media release, 20 November.

[22] Privacy and Data Protection Bill 2014 (Vic).

[23] Commissioner for Privacy and Data Protection (2016) Victorian Protective Data Security Framework, op. cit.

[24] ibid., p. 12.

[25] Freedom of Information Amendment (Office of the Victorian Information Commissioner) Act 2017 (Vic) (FOI Amendment Act).

[26] See J. Gordon (2015) ‘Melbourne to become regional cyber-security hub’, The Age, 15 December.

[27] P. Dalidakis, Minister for Small Business, Innovation and Trade (2017) Israeli Cyber Security Leader Chooses Victoria for HQ, media release, 4 April; and D. Swan (2015) ‘Victoria to open cyber security hub with Oxford University’, The Australian, 15 December.

[28] P. Dalidakis, Minister for Small Business, Innovation and Trade (2016) World-Class Cyber Security Hub Opens in Victoria, media release, 16 October.

[29] A. Coyne (2016) ‘Victoria opens cyber security mega-hub’, iTnews, 6 October.

[30] Invest Victoria (2017) Victoria to become Australia’s first cyber ready state, media release, 29 May.

[31] See P. Dalidakis, Minister for Small Business, Innovation and Trade (2017) Melbourne well on its way to being ‘cyber ready’, media release, 23 May; and Trade Victoria (2017) Cyber Victoria – fostering a cyber-ready workforce, media release, 27 May.

[32] Commissioner for Privacy and Data Protection (2016) Victorian Protective Data Security Framework, op. cit., p. 12.

[33] ibid., p. 9.

[34] ibid., p. 25.

[35] ibid., p. 31.

[36] PDP Act, sch 1 s 4(1).

[37] Commissioner for Privacy and Data Protection (2016) Victorian Protective Data Security Framework, op. cit., p. 12.

[38] PDP Act, s 89(1).

[39] ibid., s 89(4).

[40] ibid., s 86.

[41] Commissioner for Privacy and Data Protection (2015) Data Security Resources, OVIC website, accessed 12 September 2017.

[42] Commissioner for Privacy and Data Protection (2017) VPDSF Information Security Management Collection, Melbourne, OCPDP.

[43] T. Campbell (2016) ‘WA should take note of Victoria's new security framework’, iTnews, 12 July.

[44] P. Cowan (2016) ‘Vic govt gets new cyber security rules’, iTnews, 30 June.

[45] Victorian Auditor-General’s Office (2017) Annual Plan 2017–18, Melbourne, VAGO.

[46] P. Cowan (2016) op. cit.

[47] T. Campbell (2016) op. cit.

[48] P. Cowan (2016) op. cit.

[49] For a discussion of the harmonisation of these varying policies, see V. Draudins (2017) ‘Harmonising Australia’s privacy regime’, The Mandarin, 1 August.

[50] For example, through the ongoing establishment of Joint Cyber Security Centres. See G. Brandis, Attorney‑General, and D. Tehan, Minister Assisting the Prime Minister on Cyber Security (2017) Turnbull Government launches first Joint Cyber Security Centre, media release, 24 February.

[51] PDP Act as originally passed, pt 6.

[52] Commissioner for Privacy and Data Protection (2016) Information sheet: Privacy legislation in Victoria, Melbourne, OCPDP, pp. 2-3.

[53] See Section 3 for more information on this document.

[54] PDP Act, s 20(1).

[55] These mechanisms are set out in the PDP Act as public interest determinations, temporary public interest determinations, and information usage arrangements. See PDP Act, divs 5-6.

[56] PDP Act, s 84. It is not explained in this Act nor in its explanatory materials why these bodies are exempt from compliance with the VPDSF.

[57] ibid., pt 4.

[58] M. Pakula, Attorney-General (2016) ‘Second reading speech: Freedom of Information Amendment (Office of the Victorian Information Commissioner) Bill 2016’, Debates, Victoria, Legislative Assembly, 23 June, p. 2868.

[59] Health Records Act 2001 (Vic).

[60] Charter of Human Rights and Responsibilities Act 2006 (Vic).

[61] Parliamentary Committees Act 2003 (Vic), s 17(a)(iv).

[62] G. Jennings, Special Minister of State (2017) Improving Transparency and Access to Information, media release, 29 August.

[63] PDP Act, s 8A.

[64] Department of Premier and Cabinet (2016) Information Technology Strategy for the Victorian Government, 2016 to 2020, Melbourne, DPC, p. 29.

[65] Department of Premier and Cabinet (2017) Cyber Security Strategy, Melbourne, DPC; G. Jennings, Special Minister of State (2017) Tackling The Cyber Security Threat To Victorian Services, media release, 25 August.

[66] ibid., p. 2.

[67] ibid., pp. 23-25.

[68] ibid., p. 6.

[69] Organisation for Economic Co-operation and Development (1980) Guidelines governing the Protection of Privacy and Transborder Flows of Personal Data, Paris, OECD.

[70] ibid.

[71] Organisation for Economic Co-operation and Development (2013) The OECD Privacy Framework, Paris, OECD.

[72] ibid., p. 4.

[73] Privacy Act 1988 (Cth) (Privacy Act).

[74] Victorian Auditor-General’s Office (2013) op. cit., p. 1.

[75] International Covenant on Civil and Political Rights, opened for signature 16 December 1966, 999 UNTS 171; [1980] ATS 23 (entered into force 23 March 1976) article 17.

[76] UN Human Rights Committee (1988) CCPR General Comment No. 16: Article 17 (Right to Privacy), The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, 8 April, Geneva, HRC, p. 1.

[77] ibid., p. 3.

[78] Lawbook (2011) 4 International Instruments, ‘International Covenant on Civil and Political Rights’, The Laws of Australia, Pyrmont, Thomson Reuters, 1 April, [1.7.630].

[79] Asia-Pacific Economic Cooperation Secretariat (2005) APEC Privacy Framework, Singapore, APEC.

[80] Asia-Pacific Economic Cooperation (2009) APEC Cross-border Privacy Enforcement Arrangement (CPEA), Singapore, APEC.

[81] N. Brangwin (2013) ‘Cyber security’, Parliamentary Library Briefing Book: Key Issues for the 44th Parliament, Canberra, Parliamentary Library, Parliament of Australia, pp. 120-121.

[82] Privacy Act, sch 1.

[83] Attorney-General’s Department (2014) op. cit.

[84] Attorney-General’s Department (2016) Mandatory requirements, Attorney-General’s Department website, accessed 11 September 2017.

[85] Australian Signals Directorate (2016) Information Security Manual, op. cit.

[86] Australian Signals Directorate (2016) Information Security Manual: Executive Companion, Canberra, ASD, p. 16.

[87] Australian Signals Directorate (2017) Strategies to Mitigate Cyber Security Incidents, Canberra, ASD.

[88] Department of the Prime Minister and Cabinet (2017) ASD releases Essential Eight Maturity Model, media release, Canberra, DPMC, 7 July.

[89] Australian Signals Directorate (2017) op. cit.

[90] Department of the Prime Minister and Cabinet (2016) op. cit.

[91] ibid., p. 5.

[92] ibid., p. 59.

[93] G. Brandis, Attorney‑General, and D. Tehan, Minister Assisting the Prime Minister on Cyber Security (2017) op. cit.

[94] Department of the Prime Minister and Cabinet (2017) Australia’s Cyber Security Strategy: 2017 Update, Canberra, DPMC, p. 15.

[95] ibid.

[96] Australian Information Commissioner Act 2010 (Cth), pt 2 div 3(7).

[97] Department of the Prime Minister and Cabinet and Office of the Australian Information Commissioner (2017) Developing an APS-wide Privacy Code, media release, Canberra, DPMC & OAIC.

[98] Department of the Prime Minister and Cabinet (2017) Press Conference with the Prime Minister, the Hon. Malcolm Turnbull MP, Attorney-General, Senator the Hon. George Brandis QC, Minister for Immigration and Border Protection, the Hon. Peter Dutton MP and Minister for Justice, the Hon. Michael Keenan MP, Canberra, 18 July.

[99] For more information on these functions, see the Department of Prime Minister and Cabinet’s website at https://www.pmc.gov.au/cyber-security and https://www.pmc.gov.au/public-data.