AICD submission on the National Data Security Action Plan

Consistent with previous submissions in the policy areas of cyber security and privacy, the AICD reiterated that the Government’s cyber and data reforms must be carried out in a coordinated manner that seeks to reduce existing regulatory complexity and helps to lift cyber security resilience.

Our key points on the Discussion Paper were:

1. The AICD does not support the Action Plan proposing any new regulatory obligations or standalone legislation until the Privacy Act Review is completed.
2. There are existing accountability mechanisms, including director duties, that are effective in driving behavioural change in the management and oversight of cyber security and data security risks
3. The AICD supports steps to harmonise existing regulatory requirements and obligations as they relate to data management and cyber security.
4. Assessing opportunities for international alignment should wait until the completion of the Privacy Act Review, particularly the final position on adequacy with the General Data Protection Regulation.
5. There should be caution in proposing expanded data localisation requirements without further examination of the evidence base for such a change. We note the potential for such a move to not only impose undue costs and complexity on organisations but also weaken Australia’s overall cyber security posture.
6. Greater government guidance and support for small and medium enterprises (SMEs) and NFPs represents a more effective approach to protecting data and building cyber resilience than imposing new obligations.