Australian Privacy Principle 11 requires agencies and organisations that are subject to the Privacy Act 1988 (Cth) (known as “APP entities”) to take active measures to ensure the security of the personal information they hold, and to actively consider whether they are permitted to retain that personal information. In particular, Australian Privacy Principle 11.1 states that an APP entity that holds personal information must take “reasonable steps” to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Other Australian Privacy Principles also require an APP entity to maintain adequate security practices for personal information.
In April 2013 the Office of the Australian Information Commissioner (“OAIC”) published a “Guide to Information Security” which considered what the term “reasonable steps” to protect personal information requires. That guide discussed some of the circumstances the OAIC would take into account when assessing the reasonableness of the steps an entity has taken to keep information secure, and presented a non-exhaustive set of steps and strategies that it may be reasonable for an entity to take to secure personal information. Nonetheless, the obligations of APP entities under Australian Privacy Principle 11 in relation to information security have been far from clear, particularly when organisations are deciding what investment in information security is needed to bring their handling of personal information into compliance with the Privacy Act.
On 7 August 2014 the OAIC released a consultation draft entitled Revised Guide to Information Security – “Reasonable Steps” to Protect Personal Information. The OAIC is inviting feedback on the draft before 27 August 2014. The draft guide gives examples of the key steps and strategies an APP entity should take to protect personal information and satisfy its security obligations under the Privacy Act. It acknowledges that it may not be necessary for every APP entity to take all of the steps and strategies outlined, but states that the OAIC will refer to the guide when assessing an entity’s compliance with its security obligations under the Privacy Act. These steps and strategies include the following:
- Actively manage the information lifecycle, which will include planning and explaining how personal information will be handled, tracking the initial collection of the personal information, and coordinating how it will be handled, stored, and destroyed / de-identified.
- Conduct information security risk assessments for new acts or practices or changes in existing acts or practices that involve the handling of personal information.
- Regularly monitor and review the operation and effectiveness of information handling practices (and, we suggest, maintain a record of such monitoring and review in case it is necessary to demonstrate what has been done). For instance, what process does the entity use to verify the identity of an individual prior to giving access to their personal information? What measures does an entity have in place to protect personal information during a system upgrade? Is processing, storage or other handling of personal information outsourced to a third party and, if so, what measures has the entity taken to protect personal information in these circumstances?
- What is the entity’s policy on the destruction/de-identification of personal information?
- Does the entity have a governing body, committee or designated individual who is responsible for managing the entity’s personal information to ensure its integrity, security and accessibility, including defining information security measures and plans to implement and maintain those measures?
- Does the entity generally employ effective ICT security? This could include whitelisting and blacklisting of entities, content or applications; software security; encryption; network security; testing; backing up; communications security; and access security.
- In the event of a data breach, does the entity have a response plan, including procedures and clear lines of authority, that will assist it to contain the breach and manage its response?
- Human error can cause data breaches and undermine otherwise robust security practices. It is important that all staff members including contractors and service providers understand the importance of good information handling and security practices.
While some changes may be made following the consultation process, the draft guide provides helpful guidance. In our experience working with APP entities seeking to implement practices to comply with the amendments to the Privacy Act which came into force in March 2014, many do not realise that the security of personal information is a key issue. The draft guide can prompt a useful consideration of the organisation’s exposure as a whole to breaches of information security, in particular where personal information may be lost or compromised. The OAIC has now reiterated the importance of information security in relation to personal information, and APP entities should consider the contents of the guide carefully when assessing what is required to ensure compliance.