Poor IT security can expose personal information to hacking and disclosure and result in fines and damage to an organisation’s reputation. The Privacy Commissioner announced yesterday that a failure to keep software up-to-date had allowed a security breach to occur which was also a breach of the Privacy Act. Under new laws to come into force in March 2014, this kind of IT security breach could result in investigations and hefty penalties.

Yesterday, the Privacy Commissioner (OAIC) released a media statement stating that he had found that AAPT Limited had breached the Privacy Act 1988 (Cth).

In July 2012, personal information held by AAPT, and hosted by external IT contractor Melbourne IT, was hacked by members of the Anonymous collective. The hackers accessed the personal information and published it online. After launching an investigation, the Privacy Commissioner determined that Melbourne IT had not updated the software used to manage the personal information held by AAPT, and that the outdated software exposed the personal information to an unreasonable level of risk. The Commissioner also found that AAPT was holding personal information that it no longer needed, in breach of the Privacy Act’s requirement to delete information that is no longer required.

Extensive amendments to the Privacy Act will come into force on 12 March 2014. In general, private and public organisations with an annual turnover of greater than AU$3 million will need to comply with the 13 new Australian Privacy Principles (APPs), which set out detailed obligations about how personal information should be collected, handled and disclosed under the Privacy Act. The APPs also contain requirements relating to IT security. APP 11 requires organisations to take reasonable steps to protect personal information they hold from misuse, interference, loss and unauthorised access, regardless of who collected that information or who is storing it on the organisation’s behalf. APP 11 also requires organisations to take reasonable steps to destroy or de-identify personal information that is no longer needed, subject to other record keeping requirements.

Currently, the Commissioner has no powers to impose fines. However, from March 2014 the Privacy Act will give the Commissioner enhanced powers which include the power to conduct an assessment of whether personal information is being held by an organisation in accordance with the APPs and, if not, the power to enforce financial penalties of up to $1.7 million. While APP 11 requires organisations to take reasonable steps to protect personal information they hold, the exact requirements vary according to the circumstances in each case.

In order to provide some guidance on this issue, in April 2013 the Privacy Commissioner released the Guide to Information Security: Reasonable Steps to Protect Personal Information. The Guide sets out what the Commissioner considers to be “reasonable steps” in the protection of personal information as required under APP 11 and the Privacy Act in general. The Guide serves as a good starting point for considering your own organisation’s security requirements.

The Australian Government is also considering introducing mandatory data breach notification laws. These laws would require organisations to notify individuals and the Privacy Commissioner if personal information is disclosed as a result of a serious data breach. Currently, the Privacy Act contains no such requirements.