On the 19 January 2015 the Office of the Australian Information
Commissioner (OAIC) released a 'guide to securing personal
information'. The guide provides 'reasonable steps'
that organisations should take to ensure they are acting in
accordance with requirements under the Privacy Act 1988. The
Privacy Act regulates the way an individual's information is
dealt with. The Privacy Act includes 13 'Australian Privacy
Principles' (APPs) that specifically deal with the handling of
personal information. This guide is a supplement to these
principles and will be used by the OAIC in the assessment of a
Who is liable under the Privacy Act?
Australian Government agencies, not-for-profits and business
that have an annual turnover exceeding 3 million dollars are
subject to the Privacy Act. Organisations that are not subject to
the Privacy Act include universities; state government agencies;
political parties; media organisations and small business
What is in the guide?
The guide begins with a recap of what is 'personal
information' and why it is important. Section 6 of the Privacy
Act defines 'personal information' as 'information or
an opinion about an identified individual, or an individual who is
reasonably identifiable'. 'Sensitive information' is a
subset of 'personal information'; this type of information
requires a higher level of privacy and is generally health
Parts A and B contain the practical components of the guide. Part
A deals with circumstances that affect the assessment of what is
'reasonable' in determining the 'reasonable steps'.
These circumstances include the nature of the collecting entity;
the amount of information held; the adverse consequences for people
holding information; the practicality of implementing security
measures; and whether or not the privacy measure itself is
invasive. Looking at the scope of the circumstances considered, it
is clear that a holistic approach is taken by the OAIC to define
what is reasonable for an organisation. Although this allows for
individual situations to be factored in, it also creates ambiguity
for those trying to formulate and manage privacy procedures. To
help with clarification, an explanation of each of these
circumstances is accompanied by a case example in the guide.
Part B is concerned with the actual steps and strategies an
organisation can employ. This part is essentially a non-exhaustive
summary of suggested methods aimed at stimulating entities to think
critically about their current practices and how they can improve
them. The guide suggests that privacy practices begin within the
organisation's culture and governance. It also includes
internal practices and systems; ICT security; access security;
third party providers such as
cloud services; data breaches; physical security; destruction
or de-identification of personal information; and finally industry
and national standards.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.