Information security obligations for Australian businesses under the Privacy Act: A reminder from the OAIC

Privacy Update

  • Reyhaneh Saadati

At the launch of this year's Privacy Awareness Week on 29 April 2013, the OAIC released its new 'Guide to Information Security: Reasonable steps to protect personal information' ("Guide"). The Guide aims to assist Australian businesses and those carrying on business in Australia to interpret the continuing requirement under the Privacy Act (both under the current and the amended law) to "take reasonable steps" to protect the personal information they hold.

Current obligations
Under the current Privacy Act there is an obligation to take "reasonable steps" to protect information from misuse, loss, unauthorised access, modification or disclosure.  This obligation is continued in the new APP 11 (effective from 12 March 2014) with the addition of a new obligation to protect the information from 'interference'.  Given the obligations under the new APP 11 remain largely unchanged, information security obligations should be "old news" to those carrying on business in Australia. 

However, in the media release accompanying the Guide the OAIC warned that "information security is now the major issue affecting consumer privacy", with 100% of the high-profile investigations completed by the Australian Privacy Commissioner in 2011-2012 involving data security issues. Our experience confirms the current general lack of awareness among Australian businesses of their information security obligations under the Privacy Act.

Recent OAIC activity
The Guide follows a number of other recent guidance documents issued by the OAIC, showing that the OAIC is becoming a very active regulator and is gearing up for the new APPs (and its new powers), which become effective from 12 March 2014. This heightened activity from the OAIC also confirms the significant shift in approach of the regulator (in line with its new powers from 12 March 2014) from a "toothless tiger" (as previous incarnations of the regulator have often been described) to a regulator more akin to the European-style regulators.

It is clear that the subjects of recent OAIC guidance, namely de-identification/destruction of information, privacy compliance in apps and the mobile environment, and this latest guidance on information security, are areas of compliance focus for the OAIC in the immediate future.

"Reasonable steps"
The Guide acknowledges that "reasonable steps" to protect personal information will depend on the particular circumstances including the nature of the entity holding the information, the nature and quantity of the personal information (or sensitive information) held by the entity, the ease of implementation of security measures and the risk to individuals if their personal/sensitive information is not secure.  However, the Guide does detail numerous steps and strategies that are likely, in most cases, to be considered the minimum "reasonable steps" and to which the OAIC will refer when assessing whether businesses are complying with their information security obligations under the Privacy Act.

While some of the steps and strategies suggested in the Guide are common sense and should have (although probably have not) already been implemented in most Australian businesses, there is no doubt that the Guide "raises the bar" as to the lengths that companies must go to in order to be considered to have "taken reasonable steps" to secure the personal information that they collect. Of particular note, and in our expectation largely not yet considered by Australian businesses outside of financial services, the Guide suggests:

  • Governance: A dedicated body or individual within an organisation should be responsible for managing the personal information and ensuring arrangements to implement and maintain security plans and measures and to promote awareness of such within the organisation.
  • ICT security: Protection of both computer hardware and the data that the hardware holds, for example by implementing user authentication, point of access logs, audit trails, encryption and system penetration testing.
  • Data breach: Companies should develop a data breach response plan and train staff as to how to respond to data breaches.
  • Physical security: Storage, movement of files and access to general workspaces must be secured, audited and monitored.
  • Personnel security and training: Implement appropriate security clearances for relevant staff and ensure staff receive training regarding their privacy obligations.
  • Workplace policies: Implement a conflict of interest policy addressing the handling of personal information for persons known to staff members, and policies addressing the use of portable/mobile devices, the staff member's own device (i.e. BYOD) and working offsite.
  • Information lifecycle: Policies for data retention and destruction should be implemented, and Privacy Impact Assessments and information security risk assessments are to be conducted for new or changed acts or practices within the organisation to enable the development of informed steps and strategies for securing personal information. Also, collection practices should be reviewed periodically to ensure that unnecessary personal information is not being collected or retained.
  • Monitoring and review: Operation and effectiveness of information security measures must be monitored and reviewed regularly.

Please do not hesitate to contact a member of our dedicated privacy team if we can assist with the review/audit of your current practices and policies relating to information security or if you require assistance to ensure compliance with the new privacy regime to become effective on 12 March 2014.