Australian Privacy Principle 11 requires agencies and organisations that are subject to the Privacy Act 1988 (Cth) (known as “APP entities”) to take active measures to ensure the security of the personal information they hold, and to actively consider whether they are permitted to retain that personal information. In particular, Australian Privacy Principle 11.1 states that an APP entity that holds personal information must take “reasonable steps” to protect the information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. Other Australian Privacy Principles also require an APP entity to maintain adequate security practices for personal information.
In April 2013 the Office of the Australian Information Commissioner (“OAIC”) published a “Guide to Information Security” which considered what the term “reasonable steps” to protect personal information requires. This guide discussed some of the circumstances that the OAIC would take into account when assessing the reasonableness of the steps an entity had taken to keep information secure, and also presented a non-exhaustive set of steps and strategies that it may be reasonable for an entity to take in order to secure personal information. Nonetheless, the requirements imposed on APP entities by Australian Privacy Principle 11 in relation to information security have been far from clear, particularly when organisations are considering what investment should be made to provide a level of information security for personal information that is adequate to ensure compliance with the Privacy Act.
On 7 August 2014 the OAIC released a consultation draft entitled Revised Guide to Information Security – “Reasonable Steps” to Protect Personal Information. The OAIC is inviting feedback on the draft before 27 August 2014. The draft guide gives examples of key steps and strategies an APP entity should take in order to protect personal information and satisfy its security obligations under the Privacy Act. The guide acknowledges that it may not be necessary for every APP entity to take all of the steps and strategies outlined, but says that the OAIC will refer to the guide when assessing an entity’s compliance with its security obligations under the Privacy Act. These steps and strategies include the following:
While some changes may be made following the consultation process, the draft guide is helpful guidance. In our experience in working with APP entities seeking to implement practices to ensure compliance with the amendments to the Privacy Act which came into force in March 2014, many do not realise that the security of personal information is a key issue. Addressing it can prompt a useful consideration of the organisation’s exposure as a whole to breaches of information security, in particular where personal information may be lost or compromised. The OAIC has now reiterated the importance of information security in relation to personal information, and APP entities should consider carefully the contents of this guide when assessing what is required to ensure compliance.
The content of this publication is for reference purposes only. It is current at the date of publication. This content does not constitute legal advice and should not be relied upon as such. Legal advice about your specific circumstances should always be obtained before taking any action based on this publication.