Security of information for personal insolvency practitioners

Security of information for personal insolvency practitioners (IGPG2)

Print this page

  1. INTRODUCTION

    1. Financial assets are not the only items of value held on trust by personal insolvency practitioners. In the course of their work, practitioners will obtain and retain sensitive data and information, including from debtors and creditors, as well as about their financial affairs.
    2. The purpose of this guideline is to outline the Inspector-General in Bankruptcy’s expectations about data and information management, and to provide practitioners with a set of principles to use in their decision making about the security and storage of information and administration records.
    3. This guideline is relevant for trustees, controlling trustees and debt agreement administrators. The requirements and expectations about the period of retention of administration records can be found in Trustees’ guidelines relating to handling funds (IGPD5) and Debt agreement administrator guide to proper accounts (IGPD15).[1]
  2. INFORMATION IS AN ASSET THAT MUST BE PROTECTED

    1. The public’s focus on privacy and the security of their data and information held by organisations has increased, and it is now widely understood that proper systems and processes help to mitigate security risks and ensure sensitive information is kept safe.
    2. Technology is providing new ways to manage information and data, which creates a new set of risks and legal obligations that need to be managed. It is important that practitioners clearly understand and manage these risks, and comply with their obligations, including those under the Privacy Act 1988 and the Australian Privacy Principles.
    3. The security threat posed to Australian businesses of all sizes is very real. Malicious attempts to gain access to data and information are increasing in frequency, and it is vital that practitioners are taking appropriate steps to protect the information they hold – regardless of the systems they choose to use.
    4. The Inspector- General strongly encourages awareness of and adherence to the principles of Cyber Resilience, as promoted by the Australian Cyber Security Centre (ACSC). This concerns the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents. Practitioners are also encouraged to subscribe to ACSC alerts, which can be done through their website (Subscribe to the ACSC alert service | Cyber.gov.au).
  3. REGULATORY APPROACH

    1. The Bankruptcy Act 1966 does not specify how practitioners must maintain records. It is open to a practitioner whether their system is paper-based, digital with in-house computer servers, digital with cloud-based systems or a combination.
    2. Regardless of the method a practitioner uses for storage and transmission of information, the security of that information is critical to protect the privacy of debtors and creditors, to comply with statutory information retention requirements and to prevent misuse of information.
    3. The Inspector-General places a strong focus on data and information management and security in compliance activities. It is expected practitioners will have robust systems in place that can clearly demonstrate the following:
      • Information is accessed on a strictly ‘need to know’ basis
        • For example, access is limited to specialist insolvency staff only, with an available audit trail, and there is regular staff training about handling private information and the importance of good record keeping.
      • There is a clear understanding of where data is held
        • For example, the practitioner can clearly identify the systems and locations where data and information are held. For digital and cloud-based systems, there is a clear understanding of where data resides, and these arrangements comply with relevant domestic and foreign jurisdictional requirements.
      • Only secure and up-to-date systems are used
        • For example, the practitioner can demonstrate that appropriate protections are in place, any software used is the current version, and that appropriate structures are in place to review and update controls.
      • An awareness of the Notifiable Data Breach Scheme
        • Please note, this only applies to firms subject to the Privacy Act 1988.
      • A documented security risk assessment is in place and refreshed regularly.
    4. The responses to these statements will change from practitioner to practitioner, depending on the systems used.
  4. ADDITIONAL CONSIDERATIONS FOR DIGITAL AND CLOUD-BASED SYSTEMS

    1. Digital and cloud-based systems can help reduce inefficiencies and ensure more effective legislative compliance, but they can also pose additional security risks.  Where a practitioner uses digital storage options, they must be able to clearly demonstrate the following:
      • Agreements with cloud service providers are in place and clearly outline where data is stored, how legislative obligations are met, and that backups are in place.
      • Information is shared using only commercially appropriate levels of protection and encryption, including multi-factor authentication.
      • Cyber detection systems and processes are implemented to detect any breaches of data.  Processes are in place to notify those affected by breaches, as required under legislation.  Proper audit trails are in place to track data changes.
      • Computer software is up to date, and commercial anti-virus measures are in place.
      • Staff are trained on the common types of cyber scams and attacks (for example, phishing and malware) and know where to report suspicious activity.
      • Business continuity and data recovery plans are in place.
  5. Reporting a cyber breach to the Inspector- General

    1. In addition to the reporting requirements mandated under the Notifiable Data Breach Scheme (as applicable), Practitioners are also expected to notify the Inspector-General if a data breach has occurred in their practice.  The notification can be lodged by email to practitionersupervision [at] afsa.gov.au; and should include details of the breach, and relevant actions taken after the event. 

  6. RESOURCE

[1] IGPD5 and IGPD15 also outline requirements and expectations to keep proper accounts, books and records and allow access to relevant third parties