On 19 January 2015, the Australian data protection authority, the Office of the Australian Information Commissioner (OAIC), released an updated information security guide: ‘Guide to securing personal information.' The Guide aims to help organisations meet their data security obligations under the Australian Privacy Principles (APPS) that provide the framework for Australia’s Privacy Amendment (Enhancing Privacy Protection) Act 2012.
The Guide provides guidance and practical examples of the “reasonable steps” entities are required by law to protect personal information and dispose of it when no longer needed. While the Guide is not legally binding; the OAIC will refer to it when conducting its compliance assessment functions.
Amongst the proposed recommendations for organisations to incorporate a privacy framework are to:
- Conduct a Privacy Impact Assessment (PIA),
- Conduct an information security risk assessment to inform any PIAs, and
- Establish a privacy “governance body” that defines and implements information security measures.
Part A of the Guide recognises that there are a range of circumstances and factors which may affect the assessment of what constitutes “reasonable steps.” Such circumstances include the amount and sensitivity of personal information involved;for example, where there is a high volume of sensitive data being collected, the Guide recommends the deployment of higher levels of protection.
Steps and strategies that may be reasonable for an organisation to take are outlined in Part B of the Guide. The Guide proposes that organisations should consider the following steps to protect personal information: governance, culture and training; internal practices, procedures and systems; ICT security; access security; third party providers; data breaches; physical security; destruction or de-identification of personal information; and standards.
Perhaps nothing particularly new or innovative… but together with those guidelines published by other data protection authorities worldwide, this Guide can be a useful aid to those organisations looking to assess their security risks and take steps in planning, implementing, and reviewing measures to improve their data security.