In today’s digital age, nonprofit organisations (NGOs) face an ever-increasing need to safeguard sensitive data, in order to protect their clients, donors, and stakeholders as well as their reputation within the community. This article, tailored specifically for nonprofits, delves into the intricate landscape of cyber security, privacy, and confidential information. It explores the nuanced distinctions between cyber security and privacy, shedding light on their unique significance and the legal frameworks underpinning them.
The difference between Cyber Security and Privacy
Cyber Security
Cyber security is a multifaceted approach to protecting an organisation’s computer systems, networks, and data (digital assets) from unauthorised access, disclosure, modification, or destruction. Cyber security components may include firewalls, which serve as a frontline defence; intrusion detection systems (IDS) for continuous monitoring; encryption to protect data; access control mechanisms to restrict unauthorised access; incident response plans to manage breaches effectively; antivirus and anti-malware software for threat mitigation; proactive patch management; secure authentication methods such as multi-factor authentication (MFA); network segmentation; user education and training; regular security audits; penetration testing; data backup and disaster recovery plans; endpoint security solutions; vulnerability management procedures; and much, much more. Together, these components form a comprehensive cyber security strategy that fortifies an organisation against a wide array of cyber threats, ensuring the integrity, confidentiality, and availability of critical digital resources.
Privacy
Privacy, on the other hand, deals with the protection of personal information and individuals’ rights to control the collection, usage, and sharing of their data. Key aspects of privacy include:
- Data Protection Policies: Developing policies that outline how personal and sensitive information will be handled, used, and stored.
- Data Minimisation: Collecting only the information necessary for a specific purpose and avoiding excessive data collection.
- Access Controls: Implementing mechanisms to restrict access to personal data, ensuring that only authorised individuals can access it.
Importantly, ‘Privacy’ holds significant legal importance in Australia, defined and safeguarded under the Commonwealth Privacy Act of 1988, also known as the “Privacy Act.” This legislation establishes a comprehensive framework for the protection of personal information and individuals’ rights to control how their data is collected, used, and shared. Under the Privacy Act, organisations operating in Australia are bound by strict requirements regarding the handling of personal information. This includes obtaining informed consent for data collection, ensuring the secure storage and transmission of data, allowing individuals access to their own information, and providing mechanisms for correcting or deleting inaccurate data. For more information visit the Office of the Australian Information Commissioner (OAIC).
Written well before the Internet age, the original Privacy Act was slated for review, and on 16 February 2023 the Commonwealth Government Attorney-General’s Department published the Privacy Act Review Report. This was followed by the Australian Government publishing its response to the Privacy Act Review Report (28 September 2023). A general summary of the potentially far-reaching changes to the Privacy Act includes:
- Broadening of the Privacy Act: Broadening of the application of the Privacy Act, with respect to both the entities which may need to comply with the Privacy Act and the types of information captured by the Privacy Act.
- Increased obligations: Increased obligations on entities seeking to collect, use, store and disclose personal information, including in relation to the steps an entity will need to take before collecting personal information and additional measures if an entity wants to use or disclose information for certain purposes.
- Expanded rights for individuals: Expanded individual rights with respect to their privacy, and increased enforcement powers under the Privacy Act.
As the Privacy Act undergoes revisions, nonprofits must remain abreast of these changes and have a clear organisation-wide plan for how they will respond.
Private and Confidential Information… so what’s the difference?
Privacy and confidentiality are two separate concepts that refer to the protection of different types of information. ‘Privacy’ is used in relation to information that is protected under the “Privacy Act”, whereas ‘Confidentiality’ generally refers to information defined in contracts and agreements, and is often of a commercial nature.
Confidential Information
Confidential information typically refers to data or knowledge that is intentionally kept secret and not disclosed to the public or third parties without proper authorisation. Confidential information is often defined by specific legal agreements or deeds and can encompass a wide range of sensitive material, including trade secrets, proprietary information, client records, financial data, and more. The legal protection of confidential information may involve obligations of confidentiality, non-disclosure agreements, and legal remedies in the event of unauthorised disclosure or breach of confidentiality.
Private Information
In Australia, the concept of Privacy is described in the “Privacy Act,” and provisions are made for:
Personal Information
As per the Privacy Act, Personal Information is information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. In practice, Personal Information may include an individual’s name, home address, contact details, aliases, signature, date of birth, bank details, employment details, location, tax file number, credit information, demographics (age/DOB, ATSI, CALD, marital status, education level, etc.), photos, driver’s licence images, IDs, bank/utility statements, login names, passwords, etc., or other information that may (reasonably) be used to identify an individual. Broadly speaking, this information is also often referred to as ‘Personally Identifiable Information (PII)’.
Sensitive Information
Sensitive Information is a subset of Personal Information and includes information such as racial or ethnic origin, political opinions, religious beliefs or affiliations, philosophical beliefs, certain memberships and associations, financial situation (income amount, frequency, savings, etc.), medical and health information (NDIS and Medicare numbers, disabilities, diagnoses, medications, clinical notes, etc.), criminal record/convictions, or sexual preferences or practices. Additionally, Sensitive Information may also include case notes, client issues, and the like.
The Significance of Private Information to Cyber criminals
A recent survey conducted by the NSW Government Department of Communities and Justice (DCJ) revealed that a staggering 85.9% of nonprofits (NGOs) are entrusted with client data, including personal and health information. This statistic likely mirrors the situation across all states and territories, underscoring the sheer volume of personal information entrusted to the sector.
When assessing risk, a critical concern arises from the fact that the Personally Identifiable Information (PII) and Sensitive Information managed by nonprofits are precisely the kinds of information most coveted by cyber criminals. Beyond mere identity theft, the sensitive nature of this information allows for the possibility of ransom, presenting a significantly more lucrative incentive for cyber criminals. It is for this primary reason that nonprofits must understand the difference between Cyber Security and Privacy and remain vigilant to the many emerging threats. In our article Enhance your Nonprofit’s Information Security: How to Safeguard against Cyber Criminal Attacks, we describe some strategies you can take to reduce your cyber risk.
What are my reporting obligations in the event of an information security breach?
Depending on your jurisdiction and the types of information you manage, your organisation may have an obligation to notify the Office of the Australian Information Commissioner (OAIC) under relevant Commonwealth privacy laws. Justice Connect, Not-for-profit Law, provides resources to help you understand your obligations. In NSW, DCJ’s notifiable policy for service providers has a detailed section on your responsibilities when you detect an actual or suspected information security incident. This explains all the steps for notifying DCJ, including completing an online notification form. It also details who at DCJ to contact and when.
Other links and resources
You can also find the following policies and legislation online:
- NSW Privacy and Personal Information Protection Act 1998
- NSW Health Records and Information Privacy Act 2020
- DCJ’s notifiable policy for service providers on maintaining information security and advising on any information security breaches
In addition to the resources provided online by DCJ, you may find the following useful:
- Cyber Security NSW – Cyber security awareness resources
- Australian Cyber Security Centre – Cyber security campaign resources
- Justice Connect, Not-for-profit Law – National privacy guide and resources to assist your organisation to comply with privacy laws
- Information and Privacy Commission (IPC) – Data breach guidance for NSW Agencies
- Office of the Australian Information Commissioner – Data breach preparation and response
- Association of Children’s Welfare Agencies (ACWA) – Cyber security archives
- CHIA/ACHIA also have some privacy and cyber security resources in their members section online.
In summary, in order to protect their clients, donors, and stakeholders, nonprofits are confronted with an escalating need to safeguard the sensitive data entrusted to them. As the Privacy Act undergoes revisions, nonprofits must remain abreast of these changes, and must also take measures to understand and implement the necessary cyber security controls and practices. By grasping these fundamental concepts, nonprofits can navigate the digital landscape securely and responsibly, supporting data security, regulatory compliance, and the continued trust of their stakeholders and communities.