APRA's new draft guide: "Managing Data Risk" – how does your business manage its risk?
The Australian Prudential Regulation Authority (APRA) has
recently released a draft "Prudential Practice Guide PPG 235
Managing Data Risk" (Guide), which is open for comment until
29 March 2013. The Guide seeks to assist the organisations APRA
regulates, namely authorised deposit-taking institutions (ADIs),
insurers and superannuation funds, in "managing data risk" by
outlining what APRA regards as sound information management
practices.
The Guide is complementary to APRA's 2009 "Prudential
Practice Guide 234 Management of security risk in information and
information technology" guide and goes further to address
issues which APRA has identified as areas of potential weakness in
Whilst deliberately non-prescriptive, the Guide sets out APRA's
expectations and provides an insight into the regulator's current
thinking. For instance, the Guide states that APRA considers
outsourcing and offshoring activities exacerbate data management
risks, and that APRA therefore expects regulated institutions to
ensure they are able to: comply with legislative
and prudential requirements, continue operating after loss of
services, retain the ability to maintain critical or sensitive
information and allow regulators unimpeded access to fulfil their
Whilst these are important factors to consider, and it can be
said that offshoring and outsourcing information can, to a degree,
exacerbate risk, they are only two of the risk factors in a
considered approach to the management of information risk. Jeffrey
Bleich, the US Ambassador to Australia, writing in The Age
on 11 December 2012, cautioned against the fear of global
information management, labelling it "cloud
protectionism", whose followers he analogised to those who
keep their money hidden under mattresses in fear of the banks.
The reality is that, irrespective of where information is located,
the primary risks facing businesses remain significant. For
instance, the risks posed by the theft of a company laptop or the
misuse of information by an employee remain, and hackers do not
care where the data is held when they attack websites. These are,
however, risks with which businesses may be more familiar than the
comparatively recent risks and relative unknowns involved in
outsourcing and offshoring. Ultimately, there is a range of factors
that businesses need to take into account when managing their
information; outsourcing and offshoring are only one part of the
risk matrix to be considered.
Information management strategies continue to evolve reactively in
response to new business practices and technological advances. Whilst
APRA has taken steps, with the draft Guide, to address what it
currently perceives as information management weaknesses in the
industry, businesses should also be aware that the Australian
Government has introduced new restrictions, through recent
amendments to the Privacy Act 1988 (Cth) (Privacy Act
The Privacy Act Amendments include the introduction of the
Australian Privacy Principles (APPs) and a wide range of provisions
dealing with credit reporting. Relevantly, the APPs will restrict
the ways businesses use or disclose personal or sensitive
information and will have ramifications for the international
disclosures of information. Businesses should start preparing now
in order to be compliant with the Privacy Act Amendments, which
will come into force in March 2014. More information about the APPs
can be found
APRA's latest draft Guide turns the spotlight onto information
management, an ever-present issue for many responsible businesses
and one that needs appropriate attention. It would be unfortunate,
however, if the Guide were interpreted as unduly stressing that
offshoring and outsourcing are the greatest risks to data security.
Businesses should be aware that in-house arrangements are just as
exposed to risk. Proper engagement with your outsourcing and
offshoring providers should identify and address the risks, and may
bring expertise in managing your information that exceeds what is
available in-house. For assistance with your information
management, contact the Middletons
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.