Understanding Cyber Security, Privacy and Confidential Information: A Nonprofit (NGO) context

In today’s digital age, nonprofit organisations (NGOs) face an ever-increasing need to safeguard sensitive data, in order to protect their clients, donors, and stakeholders as well as their reputation within the community. This article, tailored specifically for nonprofits, delves into the intricate landscape of cyber security, privacy, and confidential information. It explores the nuanced distinctions between cyber security and privacy, shedding light on their unique significance and the legal frameworks underpinning them.

The difference between Cyber Security and Privacy

Cyber Security

Cyber security is a multifaceted approach to protecting an organisation’s computer systems, networks, and data (digital assets) from unauthorised access, disclosure, modification, or destruction. Cyber security components may include firewalls, which serve as a frontline defense, intrusion detection systems (IDS) for continuous monitoring, encryption to protect data, access control mechanisms to restrict unauthorised access, incident response plans to manage breaches effectively, antivirus and anti-malware software for threat mitigation, proactive patch management, secure authentication methods like multi-factor authentication (MFA), network segmentation, user education and training, regular security audits, penetration testing, data backup and disaster recovery plans, endpoint security solutions, vulnerability management procedures, and much, much more. Together, these components form a comprehensive cyber security strategy that fortifies an organisation against a wide array of cyber threats, ensuring the integrity, confidentiality, and availability of critical digital resources.

Privacy

Privacy, on the other hand, deals with the protection of personal information and individuals’ rights to control the collection, usage, and sharing of their data. Key aspects of privacy include:

  • Data Protection Policies: Developing policies that outline how personal and sensitive information will be handled, used and stored.
  • Data Minimisation: Collecting only the information necessary for a specific purpose and avoiding excessive data collection.
  • Access Controls: Implementing mechanisms to restrict access to personal data, ensuring that only authorised individuals can access it.

Importantly, ‘Privacy’ holds significant legal importance in Australia, defined and safeguarded under the Commonwealth Privacy Act of 1988, also known as the “Privacy Act.” This legislation establishes a comprehensive framework for the protection of personal information and individuals’ rights to control how their data is collected, used, and shared. Under the Privacy Act, organisations operating in Australia are bound by strict requirements regarding the handling of personal information. This includes obtaining informed consent for data collection, ensuring the secure storage and transmission of data, allowing individuals access to their own information, and providing mechanisms for correcting or deleting inaccurate data. For more information visit the Office of the Australian Information Commissioner (OAIC).

Written well before the Internet age, the original Privacy Act was slated for review, and on 16 February 2023 the Commonwealth Government Attorney-General’s Department published the Privacy Act Review Report. This was followed by the Australian Government publishing its response to the Privacy Act Review Report (28 September 2023). A general summary of the potentially far-reaching changes to the Privacy Act includes:

  • Broadening of the Privacy Act: Broadening of the application of the Privacy Act, with respect to both the entities which may need to comply with the Privacy Act and the types of information captured by the Privacy Act.
  • Increased obligations: Increased obligations on entities seeking to collect, use, store and disclose personal information, including in relation to the steps an entity will need to take before collecting personal information and additional measures if an entity wants to use or disclose information for certain purposes.
  • Expanded rights for individuals: Expanded individual rights with respect to their privacy and increased enforcement powers under the Privacy Act.

As the Privacy Act undergoes revisions, nonprofits must remain abreast of these changes, and have a clear organisational-wide plan for how they will respond.

Private and Confidential Information… so what’s the difference?

Privacy and confidentiality are two separate concepts that refer to the protection of different types of information. ‘Privacy’ is used in relation to information that is protected under the “Privacy Act”, whereas ‘Confidentiality’ generally refers to different information contained in contracts and agreements, and is often of a commercial nature.

Confidential Information

Confidential information typically refers to data or knowledge that is intentionally kept secret and not disclosed to the public or third parties without proper authorisation. Confidential information is often defined by specific legal agreements or deeds and can encompass a wide range of sensitive material, including trade secrets, proprietary information, client records, financial data, and more. The legal protection of confidential information may involve obligations of confidentiality, non-disclosure agreements, and legal remedies in the event of unauthorised disclosure or breach of confidentiality.

Private Information

In Australia, the concept of Privacy is described in the “Privacy Act,” and provisions are made for:

Personal Information

As per the Privacy Act, Personal Information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. In practice, Personal Information may include an individual’s name, home address, contact details, aliases, signature, date of birth, bank details, employment details, location, tax file number, credit information, demographics (age/DOB, ATSI, CALD, marital status, education level etc.), photos, driver’s licence images, IDs, bank/utility statements, login names, passwords etc., or other information that may be used to (reasonably) identify an individual. Broadly speaking, this information is also often referred to as ‘Personally Identifiable Information (PII)’.

Sensitive Information

A subset of Personal Information that includes information such as racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, certain memberships and associations, financial situation (income amount, frequency, savings etc.), medical and health information (NDIS and Medicare numbers, disabilities, diagnoses, medications, clinical notes etc.), criminal record/convictions, or sexual preferences or practices. Additionally, Sensitive Information may also include case notes, client issues and similar records.

The Significance of Private Information to Cyber criminals

A recent survey conducted by the NSW Government Department of Communities and Justice (DCJ) revealed that a staggering 85.9% of nonprofits (NGOs) are entrusted with client data, including personal and health information. This statistic likely mirrors the situation across all states and territories, underscoring the sheer volume of personal information entrusted to the sector.

When assessing risk, a critical concern arises from the fact that the Personally Identifiable Information (PII) and Sensitive Information managed by nonprofits are precisely the kinds of information highly coveted by cyber criminals. Beyond the realm of mere identity theft, the sensitive nature of this information allows for the possibility of ransom, presenting a significantly more lucrative incentive for cyber criminals. It is for this primary reason that nonprofits must understand the difference between Cyber Security and Privacy and remain vigilant to the many emerging threats. In our article Enhance your Nonprofit’s Information Security: How to Safeguard against Cyber Criminal Attacks – we describe some strategies you can take to reduce your cyber risk.

What are my reporting obligations in the event of an information security breach?

Depending on your jurisdiction and the types of information you manage, your organisation may have an obligation to notify the Office of the Australian Information Commissioner (OAIC) under relevant Commonwealth privacy laws. Justice Connect’s Not-for-profit Law service provides resources to help you understand your obligations. In NSW, DCJ’s notifiable policy for service providers has a detailed section on your responsibilities when you detect an actual or suspected information security incident. This explains all the steps for notifying DCJ, including completing an online notification form. It also details who at DCJ to contact and when.

Other links and resources

You can also find the following policies and legislation online:

In addition to the resources provided online by DCJ, you may find the following useful:

In summary, in order to protect their clients, donors, and stakeholders, nonprofits are confronted with an escalating need to safeguard the sensitive data entrusted to them. As the Privacy Act undergoes revisions, nonprofits must remain abreast of these changes, and must also take measures to understand and implement necessary cyber security controls and practices. By grasping these fundamental concepts, nonprofits can navigate the digital landscape securely and responsibly, guaranteeing data security, regulatory compliance, and the continued trust of their stakeholders and communities.


Martin Scicluna

Partner & Principal Consultant

With over two decades of experience in transforming nonprofits (NGOs), government agencies, and educational providers by using smart data systems, Martin is a seasoned veteran. Possessing qualifications in engineering, his goal is to empower organisations to liberate their time and resources, boost capability, and achieve greater control and visibility over their teams and operations. Passionate about reducing waste and inefficiency, Martin and his team are committed to transforming clients' concepts into robust systems that deliver enduring, positive impacts and flexibility for the future. As a Partner in SmarterSoft, Martin takes a very hands-on approach to leadership. While overseeing the consulting and sales teams, he often dives into the work himself, driven by his enthusiasm for problem-solving. Beyond his professional life, Martin is an all-round sports enthusiast. Whether it's yoga, swimming, car racing, running, gyming, or hiking, he's always encouraging (and often demanding) the team to get out and enjoy some exercise!
