
Securing Customer Personal Data

Posted by Katrina Woolcott on 11 March 2025

Recently a client was impacted by a data breach via a service provider, in the form of a compromised email account. The breached information included names, addresses, TFNs (tax file numbers) and dates of birth.

The Australian Signals Directorate has an information leaflet, Securing Customer Personal Data, written for small to medium businesses. It covers the legislative requirements for protecting personal data and key data security practices.

Below is the checklist for securing customer personal data from that leaflet.

We encourage all our clients to read the leaflet and make sure their business is compliant and, above all, SAFE!

Checklist for securing customer personal data

- Create a register of personal data: Know what data you collect from your customers and where you store it. Use a standardised template to collect data and always keep your register up to date.

- Limit personal data collected: Only collect what data is necessary for your business. Be clear and accurate about why you need that data and how you will use it.

- Delete unused personal data: Develop policies about when, why and how you should delete customer data. Keep data only for as long as you need and remove unnecessary duplication.

- Consolidate personal data repositories: Store customer data in centralised locations with stronger security. If you use local and cloud databases, make sure both are secure.

- Control access to personal data: Only give your staff access to the data they need to perform their role. Limit admin access, including to backups, and only give users the privileges they need.

- Encrypt personal data: Turn on encryption for devices that access or store customer data. Encrypt files and any data you transfer online for extra security.

- Back up personal data: Back up customer data, software and configuration settings. Store backups outside of business systems when not in use. If you have separate data repositories, sync all backups to a common time.

- Log and monitor access to personal data: Use event logs to track unauthorised access to data and make sure they capture enough detail. Consider using centralised logging software to manage event logs.

- Implement secure Bring Your Own Device practices: Create a policy on whether staff can use their personal devices for work. Have a plan to manage risks, including approved device types and secure ways to access data.

- Report a data breach involving personal data: Be aware of your reporting duties. Notify all customers affected, and report the incident at cyber.gov.au/report or call 1300 CYBER1 (1300 292 371). You may also need to report eligible data breaches to the OAIC.
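Three of the checklist items above (keep a register of personal data, control access by role, and log access in enough detail) can be checked together against an access log. The script below is an added example for this post, not from the ASD leaflet or Loyal IT; the register, staff roles, required log fields and JSON log lines are all constructed for illustration.

```python
import json

# Register of personal data: repository -> roles allowed to access it (constructed)
REGISTER = {
    "crm_customers": {"sales", "support"},
    "payroll_tfn": {"payroll"},
}

# Staff role assignments (constructed)
ROLES = {"alice": "sales", "bob": "payroll", "carol": "support", "dave": "marketing"}

# Detail every access event must carry to be useful in an investigation
REQUIRED_FIELDS = ("ts", "user", "repo", "action", "src_ip")

# Constructed JSON access-log lines, one event per line
SAMPLE_LOG = """\
{"ts": "2025-03-11T09:02:11Z", "user": "alice", "repo": "crm_customers", "action": "read", "src_ip": "10.0.0.5"}
{"ts": "2025-03-11T09:05:43Z", "user": "dave", "repo": "payroll_tfn", "action": "read", "src_ip": "10.0.0.9"}
{"ts": "2025-03-11T09:07:02Z", "user": "bob", "repo": "payroll_tfn", "action": "export"}
{"ts": "2025-03-11T09:10:30Z", "user": "eve", "repo": "crm_customers", "action": "read", "src_ip": "203.0.113.7"}
"""

def audit_access_log(log_text, register=REGISTER, roles=ROLES):
    """Return one finding per event that lacks required detail, touches a
    repository missing from the register, or is an access by an unauthorised role."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in event]
        if missing:
            findings.append({"type": "insufficient_detail", "event": event, "missing": missing})
            continue
        if event["repo"] not in register:
            # A data store the register does not know about: the register is stale
            findings.append({"type": "unregistered_repository", "event": event})
            continue
        role = roles.get(event["user"])  # None for accounts with no assigned role
        if role not in register[event["repo"]]:
            findings.append({"type": "unauthorised_access", "event": event, "role": role})
    return findings

if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f["type"], f["event"]["user"], f["event"]["repo"])
```

On the sample log this reports dave reading the payroll store outside his role, bob's export event that lacks a source address, and a read by an account with no role at all.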

Read the Australian Signals Directorate leaflet here.

For more information and assistance please reach out to us on 02 4337 0700 or email reception@loyalit.com.au.

Author: Katrina Woolcott
Tags: Security News, Cyber Security
