Key Point

  • The guides are not legally binding, but do set out best practice strategies.

The Privacy Commissioner has issued new guidance on a number of issues to assist organisations and agencies to comply with their obligations under the Privacy Act 1988 (Cth).

On 25 August 2008, the Privacy Commissioner released a "Guide to Handling Personal Information Security Breaches" to assist agencies and organisations to prevent and, if necessary, respond to a data breach.

On 26 August 2008, the Privacy Commissioner issued new guidance to assist organisations that seek to engage in electronic marketing through the sending of electronic messages. On the same day, the Privacy Commissioner also launched a new guide to assist organisations and agencies in investigating the privacy complaints they receive.

While the guides are not legally binding, they provide organisations and agencies with particular information about their responsibilities under the Privacy Act and set out "best practice" strategies that agencies and organisations can adopt when dealing with issues relating to the handling of personal information.

We briefly consider the three new guides issued by the Privacy Commissioner below.

Guide to handling personal information security breaches - August 2008

The Privacy Act requires organisations and agencies to take reasonable steps to protect the personal information they hold from misuse, loss and from unauthorised access, modification or disclosure. The Privacy Act, however, does not require agencies or organisations to notify individuals when and if a breach of the Privacy Act has occurred.

In the event that a breach does occur, the Guide provides clear steps that an organisation or agency can take to minimise the impact of the breach on the individuals affected. While compliance with the Guide is not mandatory, it is recommended, as the Privacy Commissioner considers that notifying affected persons of a breach in appropriate circumstances is consistent with good privacy practice.

The Guide notes that it is important to recognise that apart from external malicious actions, such as theft or hacking, personal information security breaches may also involve internal errors and failures to follow established information handling procedures. Although no harm may be intended in these circumstances, these types of breaches may affect individuals' privacy as much as malicious actions.

The Guide sets out four key steps that organisations and agencies should consider when responding to a breach:

Step 1: Contain the breach and do a preliminary assessment

Step 2: Evaluate the risks associated with the breach

Step 3: Consider notification

Step 4: Prevent future breaches.

The Guide notes that notification of a breach of the Privacy Act can be an important mitigation strategy that has the potential to benefit both the organisation or agency and the affected individual. However, the Guide cautions that notification will not always be the appropriate response to a breach, as notification of low-risk breaches can cause undue anxiety and may desensitise individuals to such notices. The Guide recommends that each incident be considered on a case-by-case basis to determine whether breach notification is required.

The Privacy Commissioner noted in her media release launching the Guide that its operation could inform the Government's response to the Australian Law Reform Commission's recommendation in its recent report, "For Your Information: Australian Privacy Law and Practice", that mandatory breach notification be introduced into law.

Public Sector Information Sheet 2 - A step-by-step guide to internal investigations of privacy complaints by Australian and ACT government agencies

Private Sector Information Sheet 27 - A step-by-step guide to internal investigations of privacy complaints by organisations

The two new guides provide organisations and agencies with a step-by-step checklist which they can work through in dealing with complaints received regarding alleged breaches of the Privacy Act. The Privacy Commissioner hopes that the checklists will help organisations and agencies "develop efficient and effective processes to address complaints" made under the Privacy Act.

In launching these guides, the Privacy Commissioner noted in her media release that her Office had found that many of the privacy complaints that it had received "could have been resolved successfully by the organisation or agency that was the subject of the complaint".

The Privacy Act provides that a complainant should take their complaint to the relevant organisation or agency before making a complaint to the Privacy Commissioner.

The checklists, presented as ready-to-use forms, guide organisation and agency decision-makers through identifying complaints about privacy, identifying the National Privacy Principle or Information Privacy Principle that has been alleged to have been breached, appointing an investigating officer, communicating with the complainant, making a decision on the complaint and, if necessary, addressing systemic issues raised by the complaint.


Private Sector Information Sheet 26 - Interaction between the Privacy Act and the Spam Act

This Information Sheet explains, amongst other things, areas of overlap between the Privacy Act and the Spam Act 2003 (Cth).

In launching the Information Sheet, the Privacy Commissioner noted that "the Privacy and Spam Acts provide Australians with protections against receiving unsolicited emails, and that it is in business' best interests to familiarise themselves with their obligations [under those Acts] to ensure they are not in breach of the law".

The Information Sheet notes that the Spam Act requires that commercial electronic messages, except where exempt, must be sent with the consent of the recipient, identify the sender and include a functional unsubscribe mechanism. Exempt messages can be from government bodies, registered political parties, religious organisations, registered charities and educational institutions in certain circumstances.

The Information Sheet further notes that the Privacy Act may also regulate the sending of commercial electronic messages where it involves the use of personal information by private sector organisations that fall within its jurisdiction.

Where both the Spam Act and Privacy Act apply, both sets of obligations would need to be met. For example, the use of personal information for the purposes of sending commercial electronic messages is likely to raise issues of compliance with both the Privacy Act and the Spam Act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.