Definition
Privacy protection involves safeguarding information that identifies who we are, what we do, and what we believe. It encompasses regulations, processes, and technologies used to secure personally identifiable information about individuals and businesses, which is collected, processed, and stored on digital and ICT systems and networks.
Purpose
Appropriate privacy protections support digital innovation, enhance trust in Commonwealth entities, and meet regulatory obligations.
The Privacy Protection capability is realised through:
- understanding the reason for collecting private information
- defining the management and use of private information
- planning for the impact of breaches in privacy by an entity
- strategic technology investments, by supporting a scalable approach to privacy that balances innovation with the need to satisfy regulatory requirements
- implementation of structured protocols and procedures, which put privacy first
- considering the capability as part of a complementary suite of Cyber Security Capabilities, including Application Security, Information Asset Security, Network Security, and Permissions.
Objective
The objectives of this content are to:
- align digital and ICT solutions with privacy laws to ensure the secure and responsible handling of personal information
- ensure that entities are familiar with privacy best practice, allowing them to make informed decisions on investment in this capability
- ensure the adoption of best practices in privacy protocols and procedures to mitigate risks associated with the handling of personal information.
Whole-of-government applicability
On 22 November 2023, the Australian Government released the 2023-2030 Australian Cyber Security Strategy, a roadmap that will help realise the Australian Government’s vision of becoming a world leader in cyber security by 2030. The capability of privacy supports its agenda through:
- ensuring that privacy considerations are incorporated into the design, development, and deployment of applications across the Australian Public Service
- preventing vulnerabilities, reducing the risk of security breaches, and protecting sensitive data and systems.
The Data and Digital Government Strategy (DDGS) sets a vision for 2030 to deliver simple, secure and connected public services for all people and business, through world class data and digital capabilities.
Maturity in the capability of privacy protection will be of critical importance to the DDGS missions:
- Trusted and secure: The Australian Government commits to improving and maintaining trust in its use of data and digital technologies including through adopting robust and appropriate privacy and security settings to keep people's information safe.
- Simple and seamless services: The Australian Government commits to ensuring technology is scalable, secure, resilient and interoperable, with new systems and infrastructure that supports data access and discoverability.
Policy Elements
- Comply with legislation: Entities must comply with the Privacy Act (1998), which governs all Australian government entities. This includes adherence to the Australian Privacy Principles.
- Align to guidelines and standards: Entities are required to comply with the Protective Security Policy Framework, and any other relevant mandatory frameworks, policies, and standards.
- Be private-by-design: Privacy must be integrated as a core element of digital products and services from the design phase through to deployment and beyond. This approach ensures privacy considerations are embedded throughout the lifecycle of the investment.
- Take a proactive approach to privacy risks and incident responses: Proactively developing overarching as well as programme-specific approaches to privacy, and proactively assessing and managing risk, enables both confidence in the system and a considered and timely response to incidents.
- Adhere to reuse principles: Entities must give priority to the adoption of reusable digital and ICT solutions, patterns, or knowledge, and, where necessary, design new solutions with a focus on future reuse.