How Do the Essential 8 Interact with the Australian Privacy Act? - de.iterate

Written by sallydeiteratecom | Oct 18, 2024 12:33:22 PM

The Essential 8 and the Australian Privacy Act sit at different levels of Australia’s cybersecurity and data protection landscape: the Essential 8 is a set of technical mitigation strategies, while the Privacy Act 1988 (Cth) is legislation that imposes enforceable obligations on the entities it covers. They interact in a way that helps organisations protect personal data, comply with legal obligations, and mitigate cyber risks.

Here’s a closer look at how they interact.

1. Strengthening Cybersecurity Compliance

The Essential 8, developed by the Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), is a set of eight mitigation strategies to help organisations improve their cybersecurity posture: application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups. Each strategy is assessed against a target maturity level (0 to 3) under the Essential Eight Maturity Model, so “implementing the Essential 8” means choosing a maturity level and meeting its requirements, not merely deploying eight controls in name. Implemented this way, the controls reduce the risk of cyber incidents that lead to data breaches, which in turn aligns with the Privacy Act’s requirements for protecting personal information against unauthorised access or disclosure.

2. Reducing the Risk of Privacy Breaches

The Australian Privacy Act 1988 requires APP entities to take “reasonable steps” to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Act does not prescribe which steps are reasonable; that depends on the entity’s size and resources, the sensitivity and volume of the information, and the harm a breach would cause. The Essential 8 is a practical, widely recognised baseline for what those “reasonable steps” might include, although meeting it is evidence of reasonable security rather than a safe harbour. By applying its strategies, such as restricting administrative privileges and patching applications, organisations bolster their defences against the kinds of incidents that would otherwise put them in breach of the Privacy Act.

3. Supporting the Notifiable Data Breaches Scheme (NDB scheme)

Under the Notifiable Data Breaches scheme (NDB scheme), set out in Part IIIC of the Privacy Act, entities must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when they experience an “eligible data breach”: unauthorised access to, unauthorised disclosure of, or loss of personal information that is likely to result in serious harm, and where remedial action has not prevented that harm. An entity that merely suspects an eligible data breach must assess it within 30 days.

Implementing the Essential 8 reduces the likelihood of an eligible data breach occurring by establishing strong preventive controls. For instance, regular backups, multi-factor authentication, and application control (formerly called application whitelisting) help prevent, detect, or contain incidents that could otherwise lead to a notifiable breach. Containment matters under the scheme as well as prevention: if remedial action taken quickly enough means serious harm is no longer likely, the incident may not be an eligible data breach at all.

4. Guiding “Reasonable Steps” for Data Security

The Essential 8 provides specific, actionable guidance on data security practices that can be recognised as “reasonable steps” under the Privacy Act. For example:

  • Application Control (formerly called application whitelisting) and User Application Hardening directly contribute to restricting malicious code execution and safeguarding data from attacks.
  • Patching Applications and Operating Systems is essential for fixing known vulnerabilities, a key component of protecting personal information from cyber threats.
  • Multi-Factor Authentication (MFA) helps to prevent unauthorised access to systems containing sensitive personal data, directly supporting the privacy principles on access and security.

By integrating these cybersecurity measures, organisations can evidence the “reasonable steps” required under Australian Privacy Principle (APP) 11.1 of the Privacy Act, which covers the security of personal information. Note that APP 11.2 separately requires personal information that is no longer needed to be destroyed or de-identified; the Essential 8 does not address that obligation, so retention and disposal controls must be managed alongside it.

5. Building a Culture of Security and Privacy

The Essential 8 fosters a security-first mindset by encouraging consistent practices around system and data protection. This complements the privacy-by-design approach the OAIC promotes and the obligation under APP 1 to implement practices, procedures and systems that ensure compliance with the APPs, so that privacy considerations are built into business processes and systems rather than bolted on afterwards. The Essential 8 helps to establish a culture of security that is inherently tied to privacy, promoting continuous improvement in both areas.

Conclusion: A Holistic Approach to Privacy and Security

In summary, while the Essential 8 provides a structured approach to cybersecurity controls and risk management, the Australian Privacy Act sets out the legal obligations for protecting personal information. By aligning with the Essential 8 strategies, organisations are better equipped to meet their security obligations under the Privacy Act, prevent data breaches, and respond effectively to security incidents. The Essential 8 addresses only the security limb of those obligations, however; the APP requirements on collection, use, disclosure, retention and individual access to personal information sit outside its scope and need their own controls. Together, the two form a comprehensive framework for ensuring both data privacy and cybersecurity in today’s threat landscape.