Introduction
- Financial assets are not the only items of value held on trust by personal insolvency practitioners. In the course of their work, practitioners will obtain and retain sensitive data and information, including from debtors and creditors, as well as about their financial affairs.
- The purpose of this guideline is to outline the Inspector-General in Bankruptcy’s expectations about data and information management, and to provide practitioners with a set of principles to use in their decision making about the security and storage of information and administration records.
- This guideline is relevant for trustees, controlling trustees and debt agreement administrators. The requirements and expectations about the period of retention of administration records can be found in Trustees’ guidelines relating to handling funds (IGPD5) and Debt agreement administrator guide to proper accounts (IGPD15).[1]
Information is an asset that must be protected
- The public’s focus on privacy and the security of their data and information held by organisations has increased, and it is now widely understood that proper systems and processes help to mitigate security risks and ensure sensitive information is kept safe.
- Technology is providing new ways to manage information and data, which creates a new set of risks and legal obligations that need to be managed. It is important that practitioners clearly understand and manage these risks, and comply with their obligations, including those under the Privacy Act 1988 and the Australian Privacy Principles.
- The security threat posed to Australian businesses of all sizes is very real. Malicious attempts to gain access to data and information are increasing in frequency, and it is vital that practitioners are taking appropriate steps to protect the information they hold – regardless of the systems they choose to use.
- The Inspector-General strongly encourages awareness of and adherence to the principles of Cyber Resilience, as promoted by the Australian Cyber Security Centre (ACSC). Cyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations, including the ability to detect, manage and recover from such incidents. Practitioners are also encouraged to subscribe to ACSC alerts, which can be done through the ACSC website (Subscribe to the ACSC alert service | Cyber.gov.au).
Regulatory approach
- The Bankruptcy Act 1966 does not specify how practitioners must maintain records. It is open to a practitioner whether their system is paper-based, digital with in-house computer servers, digital with cloud-based systems or a combination.
- Statutory file and administration retention obligations and guidelines are described in both
- Regardless of the method a practitioner uses for storage and transmission of information, the security of that information is critical to protect the privacy of debtors and creditors, to comply with statutory information retention requirements and to prevent misuse of information.
- The Inspector-General places a strong focus on data and information management and security in compliance activities. It is expected practitioners will have robust systems in place that can clearly demonstrate the following:
- Information is accessed on a strictly ‘need to know’ basis
  - For example, access is limited to specialist insolvency staff only, with an available audit trail, and there is regular staff training about handling private information and the importance of good record keeping.
- There is a clear understanding of where data is held
  - For example, the practitioner can clearly identify the systems and locations where data and information are held. For digital and cloud-based systems, there is a clear understanding of where data resides, and these arrangements comply with relevant domestic and foreign jurisdictional requirements.
- Only secure and up-to-date systems are used
  - For example, the practitioner can demonstrate that appropriate protections are in place, any software used is the current version, and that appropriate structures are in place to review and update controls.
- An awareness of the Notifiable Data Breach Scheme
  - Please note, this only applies to firms subject to the Privacy Act 1988.
- A documented security risk assessment is in place and refreshed regularly
- The responses to these statements will change from practitioner to practitioner, depending on the systems used.
Additional considerations for digital and cloud-based systems
- Digital and cloud-based systems can help reduce inefficiencies and ensure more effective legislative compliance, but they can also pose additional security risks. Where a practitioner uses digital storage options, they must be able to clearly demonstrate the following:
- Agreements with cloud service providers are in place and clearly outline where data is stored, how legislative obligations are met, and that backups are in place
- Information is shared using only commercially appropriate levels of protection and encryption, including multi-factor authentication
- Cyber detection systems and processes are implemented to detect any breaches of data. Processes are in place to notify those affected by breaches, as required under legislation. Proper audit trails are in place to track data changes
- Computer software is up to date, and commercial anti-virus measures are in place
- Staff are trained on the common types of cyber scams and attacks (for example, phishing and malware) and know where to report suspicious activity
- Business continuity and data recovery plans are in place
Reporting a cyber breach to the Inspector-General
- In addition to the reporting requirements mandated under the Notifiable Data Breach Scheme (as applicable), practitioners are also expected to notify the Inspector-General if a data breach has occurred in their practice. The notification can be lodged by email to PractitionerSurveillance@afsa.gov.au, and should include details of the breach and the relevant actions taken after the event.
Resources
- Small Business Cyber Security Guide: Australian Cyber Security Centre
- Cyber resilience
- Australian Privacy Principles: Office of the Australian Information Commissioner
- Debt agreement administrators’ guide to proper accounts
- Trustees' guidelines relating to handling funds and keeping records
[1] IGPD5 and IGPD15 also outline requirements and expectations to keep proper accounts, books and records, and to allow access to relevant third parties.