Australia: Protecting personal information: what is reasonable?

Introduction

The Office of the Australian Information Commissioner (OAIC) has released a revised consultation draft of its Guide to information security: 'Reasonable steps' to protect personal information (Guide) and is seeking comments by 27 August 2014.¹ The Guide was first released in April 2013, and the OAIC has indicated that its proposed revisions take into account recent privacy law reform and its own information security learnings.

Why has the Guide been amended?

In March this year the Privacy Act 1988 (Cth) was extensively amended. The amendments included the introduction of 13 new Australian Privacy Principles (APPs). APP 11 specifically deals with information security. APP 11.1 requires an entity subject to the Privacy Act to "take such steps as are reasonable in the circumstances" to protect the personal information it stores from misuse, interference and loss, and from unauthorised access, modification or disclosure. The Guide explores what the OAIC would consider to be "such steps as are reasonable in the circumstances".

What are reasonable steps?

In the original April 2013 release of the Guide, the OAIC indicated that reasonable steps will always depend on the circumstances, including the following:

• the nature of the entity holding the personal information;
• the nature and quantity of the personal information held;
• the risk to individuals if the personal information is not secured;
• data handling practices of the entity holding the personal information; and
• the ease of implementation of security measures.

What is changing in the revised Guide?

In the proposed revisions to the Guide, the OAIC focuses on the following additional issues that entities are expected to consider and address when taking the required reasonable steps:

• Entities should have governance structures in place to deal with information security and privacy measures. It is important that entities have clear lines of authority and committees/individuals who are responsible for managing the security and accessibility of personal information held by an entity.
• The OAIC expects that entities will consider ICT security measures as a part of any decision to use, purchase or upgrade ICT systems, rather than attempting to address it all later. Consideration of ICT measures, such as network security and encryption, is expected.
• It is important that entities continue to review and monitor their information security controls. Change is inevitable and regular testing is required to ensure that ICT security is kept current.
• Entities are expected to have documented internal practices, procedures and systems relevant to the handling of personal information in a secure manner.
• An entity should take steps to destroy or de-identify information where necessary and have in place a documented procedure for determining whether personal information should be destroyed or de-identified.
• Entities should also have in place procedures governing the transmission of personal information via email, telephone and fax systems.
• Entities should ensure that they integrate privacy into their risk management strategies from the start.

Of particular interest, the OAIC has stated that information is only 'destroyed' when it can no longer be retrieved. Disposing of personal information by throwing it out or simply moving personal information to the trash bin on your computer is unlikely to meet this requirement. In addition to this, the OAIC suggests it would be advisable to actively monitor the destruction of personal information by third parties and not simply rely on contractual obligations.

Is the Guide binding?

The Guide will not be binding, however it does give a good indication of the reasonable steps an organisation or Commonwealth Government agency that is subject to the Privacy Act should take. The OAIC is raising the bar when it comes to the security of personal information, especially in light of some recent well publicised privacy breaches in Australia and overseas.

When will the Guide be finalised?

The OAIC is seeking comments on the consultation draft Guide up to 27 August 2014.² The Guide will likely then be finalised towards the end of this year.

Footnotes

¹The consultation draft Guide is available at http://www.oaic.gov.au/privacy/privacy-engaging-with-you/current-privacy-consultations/revised-guide-to-information-security-reasonable-steps-to-protect-personal-information/revised-guide-info-security.
²Submissions may be made by email to consultation@oaic.gov.au or by post to OAIC, GPO Box 5218, Sydney NSW 2001.