The Office of the Australian Information Commissioner
(OAIC) has released a revised consultation draft
of its Guide to information security: 'Reasonable
steps' to protect personal information
(Guide) and is seeking comments by 27 August
2014. The Guide was first released in April 2013, and
the OAIC has indicated that its proposed revisions take into
account recent privacy law reform and its own information security
Why has the Guide been amended?
In March this year the Privacy Act 1988 (Cth) was
extensively amended. The amendments included the introduction of 13
new Australian Privacy Principles (APPs). APP 11
specifically deals with information security. APP 11.1 requires an
entity subject to the Privacy Act to "take such steps as are
reasonable in the circumstances" to protect the personal
information it holds from misuse, interference and loss, and from
unauthorised access, modification or disclosure. The Guide sets out
what the OAIC would consider to be "such steps as are
reasonable in the circumstances".
What are reasonable steps?
In the original April 2013 release of the Guide, the OAIC
indicated that what counts as reasonable steps will always depend on the
circumstances, including the following:
the nature of the entity holding the personal information;
the nature and quantity of the personal information held;
the risk to individuals if the personal information is not
the data handling practices of the entity holding the personal information; and
the ease of implementing security measures.
What is changing in the revised Guide?
In the proposed revisions to the Guide, the OAIC focuses on the
following additional issues that entities are expected to consider
and address when taking the required reasonable steps:
Entities should have governance structures in place to deal
with information security and privacy measures. It is important
that entities have clear lines of authority and
committees or individuals who are responsible for managing the
security and accessibility of personal information held by an entity.
The OAIC expects that entities will consider ICT security
measures as part of any decision to use, purchase or upgrade ICT
systems, rather than attempting to retrofit security later.
Consideration of ICT measures, such as network security and
encryption, is expected.
It is important that entities continue to review and monitor
their information security controls. Change is inevitable and
regular testing is required to ensure that ICT security is kept
Entities are expected to have documented internal practices,
procedures and systems relevant to the handling of personal
information in a secure manner.
An entity should take steps to destroy or de-identify
information where necessary and have in place a documented
procedure for determining whether personal information should be
destroyed or de-identified.
Entities should also have in place procedures governing the
transmission of personal information via email, telephone and fax.
Entities should ensure that they integrate privacy into their
risk management strategies from the start.
Of particular interest, the OAIC has stated that information is
only 'destroyed' when it can no longer be retrieved.
Disposing of personal information by throwing it out, or simply
moving a file containing personal information to the trash bin on a computer,
is unlikely to meet this requirement. In addition, the OAIC
suggests it would be advisable to actively monitor the destruction
of personal information by third parties and not simply rely on
Is the Guide binding?
The Guide will not be binding; however, it gives a good
indication of the reasonable steps an organisation or Commonwealth
Government agency that is subject to the Privacy Act should take.
The OAIC is raising the bar when it comes to the security of
personal information, especially in light of some recent well
publicised privacy breaches in Australia and overseas.
When will the Guide be finalised?
The OAIC is seeking comments on the consultation draft Guide up
to 27 August 2014. The Guide will likely then be
finalised towards the end of this year.