TL;DR
The Australian Government has released a discussion paper on data security for public comment, as part of the ongoing development of Australia’s National Data Security Action Plan (Action Plan). The paper indicates a need for a whole-of-economy approach to data security and a general uplift in data security practices. Its framing of data security as a ‘collective responsibility’ could have significant implications for organisations’ obligation to ensure the security of data they control.
The discussion paper in a nutshell
Definitions
The paper sets the scene by defining “data” and “data security”:
- Data is defined as any information in a form capable of being communicated, analysed or processed (whether by an individual or by computer or other automated means). This includes personal information but is not limited to it.
- Data security is a broad term that refers to protecting the information collected, processed, and stored on digital systems and networks.
Data security is a collective responsibility
The paper explains why we need to protect our data (data is a valuable resource and cyber attacks are on the rise) and states that data security is the collective responsibility of Australian governments, businesses (including small and medium-sized businesses) and individuals. This is a theme throughout the paper, and many of the questions are geared towards supporting businesses to uplift their data security posture. The paper recognises that the federal government needs to be an exemplar for the secure collection, use and sharing of its data. However, it also notes that government entities are already subject to particular legislative, regulatory and administrative policy standards that do not apply to private sector organisations, and that small businesses and local governments are particularly vulnerable to cyber security threats.
Harmonising data security obligations
Data security legislation and regulation differ between the Australian government, state and territory governments, and governments overseas. Some industries are also subject to additional regulation regarding security of data. The paper recognises that inconsistencies and complexities are barriers to exchanges of large data sets that could be leveraged to improve public sector performance. The paper says that it is essential that a baseline is established and raised across Australia to ensure that all Australian data is held to the same level of security regardless of jurisdiction. Raising the standard will also maximise trust and enable efficient collaboration.
Three pillars will underpin the Government’s plan to develop a consistent approach to data security across the Federal, state and territory governments and industry: data security, accountability and control.
The discussion paper in context
The Government’s proposed Action Plan sits alongside Australia’s Cyber Security Strategy 2020, and forms part of the Digital Economy Strategy. It should be read alongside the recent Security Legislation Amendment (Critical Infrastructure) Act 2022 (see our previous alert here) and the Security Legislation Amendment (Critical Infrastructure) Act 2021 (see here).
The Action Plan is also connected to other complementary Australian Government digital strategies, including the Data Availability and Transparency Act (see here) and the Consumer Data Right (see here).
Call for views
The discussion paper seeks public comment on 15 questions (see pages 27-28 of the paper).
The questions can be broadly categorised as follows:
- barriers to data security and ways to improve it;
- the impact of international data protection and security frameworks, and whether Australia needs an explicit approach to data localisation;
- how data security policy can be harmonised across jurisdictions;
- how businesses can improve data security, including via government support and guidance; and
- enhancing accountability mechanisms for government agencies and industry and improving public trust.
What next?
Submissions on the discussion paper are open until 10 June 2022. Submissions can be made here.
The Department of Home Affairs will be conducting consultations in each state and territory in April and May.
If you would like to discuss your submission or have any questions around the current data security landscape, please contact a legal practitioner in the team at KWM.