*This article was originally written for Defence Connect.*
In February 2023, the Privacy Act Review Report 2022 was released by the Attorney-General's Department. This review is timely, given several large-scale data breaches impacted millions of Australians’ personal information in 2022.
The Attorney-General's Department states: “The proposed reforms included in the report are aimed at strengthening the protection of personal information and the control individuals have over their information. Stronger privacy protections would support digital innovation and enhance Australia’s reputation as a trusted trading partner.”
The Australian Privacy Act Review has put forward recommendations to ensure more stringent processes are in place for the collection and retention of personal information and to enforce stricter requirements on responsible disclosure of breaches, along with larger potential repercussions when they occur.
How can Gallagher Security help?
Gallagher’s experience meeting privacy law requirements in other countries means we are already well-equipped to help our customers comply with proposed changes from this Privacy Act Review that may become law.
At Gallagher, we understand the importance of data protection, data privacy, and responsible disclosure. We are committed to providing our customers with the solutions necessary to meet these requirements. By leveraging our security technology and implementing best practices, our customers can be assured that their data is protected with solutions that help adhere to regulations outlined in the Australian Privacy Act and new proposals in the recent Privacy Act Review.
Continue reading below for some frequent questions we receive regarding The Australian Privacy Act Review and how your Gallagher system can help.
Is the personal data contained within my Gallagher access control system safe?
Command Centre is the powerful software at the heart of Gallagher’s access control system. Although storing it is optional, Command Centre can hold a significant amount of cardholder information in the database’s personal data fields, including but not limited to phone numbers, email addresses, driver licence details, and photographs.
The information can be entered directly into Gallagher Command Centre or automatically imported from upstream data sources (such as HR or Contractor Management systems), ensuring the integrity of data and minimising dual data entry. This information proves useful to assist with tasks such as cardholder searches, reporting, and event or broadcast notification functionality.
Command Centre supports encryption of the entire database at rest using Microsoft SQL Server’s Transparent Data Encryption (TDE). To ensure only appropriate personnel can access sensitive information, operator privileges can be configured to restrict who may view and/or edit particular records, down to specific fields within a given cardholder record.
All client connections are securely authenticated, and information in transit is protected by encryption. Clients cryptographically verify the authenticity of the server machine, and client machines can be securely enrolled so that attempted man-in-the-middle attacks or forged devices are both prevented and alerted on.
Gallagher has already introduced several features to Command Centre to help our customers comply with privacy regulations in other countries. The system supports automated and ad-hoc data cleansing of Personally Identifiable Information (PII) to meet the Privacy Act Review’s "right to erasure" recommendation, ensuring no sensitive data remains in a system for longer than it needs to.
Personal Data Fields storing sensitive information can be configured to be hidden by default. Privileged operators who need to view a particular value must “Click to Reveal,” which then creates a logged event of the operator viewing a particular field from that cardholder’s record, the device it was viewed from, and when it was viewed.
This level of protection ensures that data is not only protected from malicious actors but also hidden from unprivileged operators, and shown to privileged personnel only when absolutely necessary. Collectively, these measures help an organisation demonstrate a duty of care to its workforce and limit the likelihood of sensitive information being leaked.
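The "Click to Reveal" behaviour described above (sensitive fields masked by default, a privilege check on reveal, and an audit event recording the operator, cardholder, field, device and time) can be modelled in a few dozen lines. The following is an added illustration, not Gallagher's own code or API: the privilege naming (`reveal:<field>`), the field names, and the cardholder and operator records are all constructed for the example. It also logs denied attempts, so that unprivileged probing of records is visible in the same audit trail.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Personal data fields treated as sensitive: hidden by default in every record view.
# (Constructed list for the example; a real deployment configures this per field.)
SENSITIVE_FIELDS = frozenset({"phone_number", "email", "driver_licence", "photo"})
MASK = "\u25cf" * 8  # rendered in place of a hidden value


@dataclass
class Operator:
    name: str
    # Hypothetical privilege scheme: "reveal:<field>" permits revealing that field.
    privileges: frozenset


@dataclass
class Cardholder:
    cardholder_id: int
    name: str
    personal_data: dict


@dataclass
class AuditLog:
    events: list = field(default_factory=list)

    def record(self, **event):
        self.events.append(event)


def view_record(cardholder):
    """Return the record as any operator first sees it: sensitive fields masked."""
    return {
        key: (MASK if key in SENSITIVE_FIELDS else value)
        for key, value in cardholder.personal_data.items()
    }


def click_to_reveal(operator, cardholder, field_name, device, audit, now=None):
    """Reveal one hidden field to a privileged operator and log who, what, where and when.

    The audit event is written before the privilege decision is enforced, so both
    successful reveals and denied attempts appear in the log.
    """
    now = now or datetime.now(timezone.utc)
    allowed = f"reveal:{field_name}" in operator.privileges
    audit.record(
        action="reveal" if allowed else "reveal_denied",
        operator=operator.name,
        cardholder_id=cardholder.cardholder_id,
        field_name=field_name,
        device=device,
        at=now.isoformat(),
    )
    if not allowed:
        raise PermissionError(f"{operator.name} is not permitted to reveal {field_name}")
    return cardholder.personal_data[field_name]


if __name__ == "__main__":
    # Constructed sample data.
    audit = AuditLog()
    alice = Cardholder(1001, "Alice Example", {
        "department": "Operations",
        "phone_number": "+61 400 000 000",
        "email": "alice@example.com",
    })
    helpdesk = Operator("helpdesk", frozenset())
    hr_admin = Operator("hr_admin", frozenset({"reveal:phone_number"}))

    print(view_record(alice))  # phone_number and email shown as MASK
    print(click_to_reveal(hr_admin, alice, "phone_number", "WS-07", audit))
    try:
        click_to_reveal(helpdesk, alice, "phone_number", "WS-02", audit)
    except PermissionError as exc:
        print("denied:", exc)
    for event in audit.events:
        print(event)
```

The design point worth copying is that the reveal path and the audit write are the same function: there is no way to obtain the plaintext value without producing the event, and the masked view never touches the sensitive values at all.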
If my system implements features using the Gallagher Cloud, is this data secure?
Gallagher Command Centre’s cloud services hold System and Organisation Controls (SOC2 Type 2) certification. This standard provides reassurance that client data is securely processed and stored, demonstrating stringent internal controls for information security and privacy.
All data transferred via the cloud infrastructure is authenticated and encrypted, and data is held only temporarily, for as long as required. Moreover, Digital ID issuance and over-the-air updates employ end-to-end encryption (E2EE) using the ECIES standard, ensuring that not even Gallagher can read sensitive PII traversing its cloud infrastructure.
I am using Gallagher Visitor Management; how is this data managed?
Visitor Management provides electronic audits of all visitors in the system, with the same level of data protection available to ordinary system cardholders.
The system supports automatically purging visits and cardholders older than a certain age, allowing administrators to comply with internal data retention policies while ensuring no data is kept longer than required.
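As an added example of the retention purge just described (not Gallagher's own implementation; the record shapes, field names and sample data are constructed for illustration), the routine below removes visits whose departure is older than a retention cut-off and then removes visitor records that are older than the cut-off and no longer referenced by any retained visit. Two edge cases a purge job must get right are shown: a visit with no recorded departure (the visitor is still on site) is never purged however old it is, and a visitor with any retained visit is kept even if the visitor record itself is old.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Visitor:
    visitor_id: int
    name: str
    created_at: datetime


@dataclass
class Visit:
    visit_id: int
    visitor_id: int
    arrived_at: datetime
    departed_at: Optional[datetime]  # None while the visitor is still on site


@dataclass
class PurgeResult:
    kept_visits: list
    kept_visitors: list
    purged_visit_ids: list
    purged_visitor_ids: list


def purge_expired(visits, visitors, retention_days, now=None):
    """Apply a retention policy of `retention_days` to visits and visitor records."""
    now = now or datetime.now(timezone.utc)
    cutoff = now - timedelta(days=retention_days)

    kept_visits, purged_visit_ids = [], []
    for visit in visits:
        # A visit expires only once it has ended and the departure is older than
        # the cut-off. An open visit (no departure) is retained regardless of age.
        if visit.departed_at is not None and visit.departed_at < cutoff:
            purged_visit_ids.append(visit.visit_id)
        else:
            kept_visits.append(visit)

    still_referenced = {visit.visitor_id for visit in kept_visits}
    kept_visitors, purged_visitor_ids = [], []
    for visitor in visitors:
        # The visitor record (and its personal data) goes only when it is older
        # than the cut-off and no retained visit still refers to it.
        if visitor.visitor_id not in still_referenced and visitor.created_at < cutoff:
            purged_visitor_ids.append(visitor.visitor_id)
        else:
            kept_visitors.append(visitor)

    return PurgeResult(kept_visits, kept_visitors, purged_visit_ids, purged_visitor_ids)


if __name__ == "__main__":
    # Constructed sample data relative to a fixed "now".
    now = datetime(2023, 6, 1, tzinfo=timezone.utc)
    days_ago = lambda n: now - timedelta(days=n)
    visitors = [
        Visitor(1, "Old visitor", days_ago(400)),
        Visitor(2, "Returning visitor", days_ago(400)),
        Visitor(3, "Still on site", days_ago(400)),
        Visitor(4, "New visitor", days_ago(5)),
    ]
    visits = [
        Visit(10, 1, days_ago(399), days_ago(399)),
        Visit(11, 2, days_ago(10), days_ago(10)),
        Visit(12, 3, days_ago(380), None),
        Visit(13, 4, days_ago(3), days_ago(3)),
    ]
    result = purge_expired(visits, visitors, retention_days=90, now=now)
    print("purged visits:", result.purged_visit_ids)      # [10]
    print("purged visitors:", result.purged_visitor_ids)  # [1]
```

Run as a scheduled job, a routine like this should also write an audit event per purged record (which ids were removed, under which policy, and when), so that the erasure itself is demonstrable later.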
Visitor Management Kiosks can be used to require acceptance of privacy policies and other conditions of entry before arriving visitors are marked on-site, with an appropriate audit trail created for all arrivals and departures.
What if my access control application is subject to a targeted attack?
The Gallagher access control system resides on a standard IT infrastructure and therefore can be subject to attack in the same way as other corporate systems or applications.
Gallagher implements a Secure by Design approach to product development, with cybersecurity being at the forefront of all development, rather than an afterthought. Internal and external penetration testing and general security audits are regularly conducted, with a Responsible Disclosure Policy publicly available.
Gallagher provides comprehensive hardening guides to ensure robust IT policies and practices are implemented in terms of network routers and firewalls, control of privileges, access and security updates in the Windows environment, and strong password policies.
In addition, within each six-monthly feature release and Maintenance Release, Gallagher includes security enhancements that address potential cyber vulnerabilities. Having a Software Maintenance Agreement in place and performing regular system updates will ensure that your site remains well protected.
Better protection, transparency, and control of personal information in Australia are all outcomes the proposed changes to the Privacy Act aim to achieve. Moreover, the review proposes to significantly increase organisational fines. Therefore, it is crucial for organisations to understand the potential impact of this review.
Gallagher’s Command Centre system helps ensure organisations will be better positioned to protect and securely handle personal information, meet compliance with the proposed regulation changes, and ultimately maintain the trust and confidence of their customers and stakeholders.
If you have any questions about how you can maximise your Gallagher system to prepare your business for the proposed changes, please contact Gallagher’s Australian High Security team.