List of Regulatory and Security Laws That Apply To Uprise
The regulatory artefacts that commonly apply to all private organisations and government agencies are:
· Australian Privacy Principles (APP) – The new APPs are part of the amendment to the Privacy Act 1988 (Cth), which ended the complexity and confusion in the application of privacy laws by creating a single set of APPs that apply to both federal government agencies and private sector organisations. The APPs regulate the collection, holding, use and disclosure of personal information that is included in records. They apply to government agencies and to private organisations with an annual turnover of more than AUD $3 million.
· Cybercrime Act – This Act offers more comprehensive regulation of computer- and Internet-related offences such as unlawful access and computer trespass, damaging data and impeding access to computers, theft of data, computer fraud, cyber-stalking and harassment, and possession of child pornography. It created a number of investigation powers and criminal offences designed to protect the security, reliability and integrity of computer data and electronic communications. Further, it enhances the applicability of the existing search-and-seizure provisions relating to electronically stored data.
· Spam Act – This Act establishes a scheme for the regulation of commercial email and other types of electronic messages. It restricts unauthorized, unsolicited electronic messages with some exemptions. Rules for consent, identification of the sender and the unsubscribe features are explained in this Act. This Act is regulated by the “Australian Communications and Media Authority.”
· Telecommunications (Interception and Access) Act – The primary objective of this Act is to protect the privacy of individuals who use the Australian telecommunication systems. Another purpose is to specify the circumstances under which it is lawful for interception of, or access to, communications to take place. This Act covers both stored and real time communications.
Also applicable are the Royal Australian College of General Practitioners (RACGP) Computer and Information Security Standards and the National Health and Medical Research Council's "The regulation of health information privacy in Australia". It is additionally recommended to follow ISO 27001/2 and COBIT 5.
Sections 135AA, 135AB and 135AC of the National Health Act 1953 specifically address privacy rules, breach of privacy rules and authorisation of collection of health information respectively.
These sections very clearly explain the obligations under the Privacy Act 1988, but, apart from this Act, there are no other regulatory obligations in relation to cybersecurity.
The Royal Australian College of General Practitioners (RACGP) has released three guidance documents to help health care providers implement appropriate cybersecurity controls to safeguard patient data and secure IT systems.
The first document, "Computer and information security standards for general practices", consists of twelve domains. In each domain there are specific actions and controls aligned with five levels of compliance maturity indicators (initial, repeatable, defined, managed and optimised).
· Depending on how critical the domain is, the minimum compliance requirement is either Level 3 (defined) or Level 4 (managed).
The second document is "Standards for general practice – fourth edition"; in section four (Practice Management), standard 4.2 "Management of health information" provides guidance on information security and on confidentiality and privacy of health information.
The third document, "Compliance indicators for the Australian Privacy Principles", specifically addresses the indicators of compliance with the Australian Privacy Principles. These documents can be accessed at:
· http://www.racgp.org.au/your-practice/standards/computer-and-information-security-standards/
· http://www.racgp.org.au/download/Documents/Standards/CIS-APPcompliance.pdf