Data security checklist for NSW Councils

As the COVID-19 pandemic unfolds, we are becoming increasingly
reliant on remote internet-connected workforces. With this shift to
remote working, comes heightened data sensitivity risks, including
an increase in the likelihood of cyber attacks and privacy

Specifically, there has been an uptick in COVID-19 themed
‘phishing’ emails and SMS messages. Hackers are taking
advantage of public fear associated with the virus and workers’
decreased security due to working from home arrangements and
increased dependence on networks. Recent examples include phishing
emails with attachments or links that claim to offer access to
government benefits or safety information but in fact deliver
malware that attempts to steal data and passwords or installs
destructive files.

Like private sector organisations, Councils must be vigilant of
this heightened risk environment. Despite the extraordinary
environment in which we find ourselves, data security and privacy
obligations continue to apply.

This means that you should:

Get your remote security measures in place

  • evaluate all SaaS applications that your staff use while remote
    working to ensure adequate levels of protection and security;

  • ensure your systems capacity is adequate given the increased

  • ensure adequate encryption levels are applied to the data at
    rest and in transit;

  • implement virtual private networks and multifactor
    authentication measures;

  • undertake data back-ups regularly to prevent against data

  • maintain logs of equipment being used by staff at home;

  • provide information security refreshers to your staff working
    from home;

  • insist that staff only communicate through your official
    systems, not through publicly-available social media channels;

  • remind staff of their confidentiality obligations, including
    the need to store and dispose of hard-copy records securely.

Carefully manage your suppliers that have access to your

  • get sufficient comfort that the IT controls your suppliers
    implement actually work and are effective in protecting your
    data;

  • manage contractual liability with your suppliers around cyber
    incident and data breach issues – this includes having clear
    protocols in your contractual arrangements which deal with:

    • the communication of suspected breaches by your supplier;
    • the processes for conducting assessments into those breaches;
    • the allocation of responsibility for the containment,
      remediation and notification of the breach; and

  • ensure that you control any notifications to your customers,
    constituents and any regulators – this will help to manage
    any reputational fall-out.

Know what to do in the event you are hacked

  • have your crisis management team ready for immediate
    mobilisation and response – a team of multi-disciplinary
    specialists (including, as appropriate, IT, legal, risk and
    compliance, communications, corporate affairs, HR) which is known
    in advance and has full authority to act without permission;

  • ensure your data breach response plan has been updated to take
    account of the changed environment brought about by COVID-19
    – a plan which can be implemented immediately and which sets

    • your strategy for containing, assessing and managing a data
      breach from start to finish – with clear reporting lines,
      escalation paths and criteria for when to mobilise the crisis
      management team;
    • your strategy for dealing with the communication of the data
      breach internally and externally – including to affected
      individuals, the New South Wales (NSW) Information
      Privacy Commissioner and, where relevant, the Office of the
      Australian Information Commissioner (OAIC);
    • the roles and responsibilities of staff members; and
    • processes for dealing with a data breach involving another
      entity, such as your IT supplier;

  • make sure you get the facts of the data breach –
    don’t just rely on assumptions;

  • carefully manage communications to internal and external
    stakeholders – including setting the correct narrative for
    the data breach and your response from the outset;

  • build a stakeholder map, and consider the legal relationship
    you have with each stakeholder so as to ultimately guide you to a
    prioritised work plan for responding to the incident;

  • seek the protection that can be gained through legal
    professional privilege by engaging with your internal or external
    legal advisers – otherwise sensitive internal communications
    and documents about the breach (including forensics reports) could
    be exposed to regulators or those pursuing civil damages claims
    against you;

  • determine your notification obligations – to affected
    individuals and to regulators – see below for further
    details; and

  • consider your contracts that may be impacted by the cyber
    incident, including rights and obligations that may be

Comply with your legal obligations to report privacy

The NSW Information Privacy Commission Data Breach Policy
advises that NSW Government agencies, including Councils, should
notify the Information Commissioner and affected individuals where
there has been a ‘serious’ data breach.


In the case of a suspected data breach, you should undertake a
reasonable and expeditious assessment to determine whether there
are reasonable grounds to believe that there has been a
‘serious’ data breach that would fall within the NSW
voluntary data breach reporting scheme.

Serious data breach?

The key test for notification is whether there has been a
‘serious’ data breach.

Determining the seriousness of the breach affects what response
actions should be taken and whether the breach should be reported
or not.

There is no objective measure of seriousness so you should have
regard to the following:

  • the type of data breached – does it include financial,
    health or other sensitive categories of data? Are there other
    characteristics of the data that could pose a high risk (e.g.
    commercial information that could pose a reputational risk to
    Council or other organisation)?;

  • how easy would it be for individuals to be identified from this

  • the number of individuals affected; and

  • the risk of harm that could be caused to both individuals and
    the Council by the breach – for example, could the data
    create risks to the individuals to whom it relates if improperly
    used? Was the data breach a single incident (e.g. forwarding an
    email to the wrong person) or a malicious attack that poses an
    ongoing risk?


Councils are not generally caught by the mandatory data breach
notification scheme under the Privacy Act 1988 (Cth).
Nonetheless, there is a voluntary notification scheme that applies
to NSW public sector agencies, including local Councils. The NSW
Government is also considering whether a mandatory reporting regime
should be implemented. The Department of Justice opened a
consultation on whether mandatory reporting is necessary in July

Because the scheme is currently voluntary in NSW, Councils will
need to decide in each case whether they report a data breach under
the voluntary scheme. In many cases, it may be best to err on the
side of caution and notify the Information Commissioner and any
affected individuals in order to effectively manage any
reputational fall out.

Additionally, your private sector suppliers are still likely to
be subject to the mandatory data breach notification regime under
the Privacy Act 1988 (Cth). If a supplier suffers a data
breach that involves the personal information of constituents, that
data breach may be reportable by the supplier under the mandatory
data breach notification regime. In these cases, as the entity with
the closest connection to affected constituents, you will want to
take control of that notification process from your supplier so
that you can best manage the reputational impact and ensure that
appropriate information is provided to the affected

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
