The Office of the Australian Information Commissioner (OAIC) has released a Revised Guide to Information Security: Reasonable steps to protect personal information.  The Guide is an updated version of a 2013 Guide to information security which was published before the amendments to the Privacy Act 1988 (Cth) (Act) were introduced in March. The updated Guide aims to help entities comply with their personal information security obligations under the Act.

Although the Guide is not binding, and is still subject to public consultation (with comments open until 27 August), it can be referred to by the OAIC when assessing whether an entity has complied with its obligations. It is therefore relevant to all entities subject to the information security obligations under the Act, being government agencies, organisations with an annual turnover of more than $3 million, and health service providers.

Many of the concepts discussed in the earlier guide are still relevant and are repeated. For example, the importance of 'privacy by design', and of using Privacy Impact Assessments (PIAs) and information risk assessments (IRAs) to achieve it, is not new. Conducting PIAs and IRAs is important because their outcomes inform how an entity designs its risk management processes, so that the privacy of personal information can be 'built in' to a project or process from the start rather than 'bolted on' at a later stage.

More importantly, the new Guide provides entities with guidance on how to comply with their obligations under new Australian Privacy Principle (APP) 11 ‘Security of Personal Information’.  APP 11 imposes more extensive obligations than its predecessor, National Privacy Principle 4 ‘Data Security’, because in addition to requiring entities to take ‘reasonable steps’ to protect personal information they hold from misuse, loss, unauthorised access, modification or disclosure, APP 11 also requires entities to protect the personal information from ‘interference’.

Interference includes, amongst other things, hacking leading to exposure of personal information.

When investigating a possible breach of the information security obligations under the Act the OAIC will consider two factors:

  • the steps that the entity took to protect the information; and
  • whether those steps were reasonable in the circumstances.

'Reasonableness' is assessed by reference to what is practicable in the circumstances. The Guide gives context to the threat of 'interference' with personal information by discussing how to manage cyber-safety risks; it may be reasonable, for example, for entities that store information remotely or in the cloud to take additional steps to protect it.

Adopting security measures suited to the infrastructure and processes of a business is also important where obligations are outsourced. The Guide makes the important clarification that an entity 'holds' personal information for the purposes of APP 11 not only where it has physical possession of a record, but also where it has the right or power to deal with the record. An entity that outsources the storage of personal information to a third party but retains the right to deal with that information therefore still 'holds' it. The threat of 'interference' with that personal information also extends to the outsourcing situation, and the Guide makes it clear that entities that outsource their obligations to a third party must satisfy themselves that the third party has adequate security measures in place, especially if the third party is not itself subject to the Act (e.g. because it turns over less than $3 million a year or is located outside Australia).

More broadly, the Guide emphasises that entities should integrate privacy into their governance and risk management strategies. Human error is regularly claimed as the cause of privacy incidents; however, according to the OAIC, it usually only occurs where entities lack a privacy culture, training, and appropriate practices, procedures and systems.

Privacy by design and the other concepts discussed above are examples of useful protection mechanisms that can be used in the design and implementation of robust internal information-handling practices, procedures and systems. The Guide makes it clear that the aim of information security measures should be to:

  • prevent a breach of APP 11;
  • detect breaches promptly; and
  • be ready to respond to potential privacy breaches in a timely and appropriate manner.

Governance arrangements should be in writing and the OAIC expects that entities will also regularly monitor the operation and effectiveness of the steps and strategies they have taken to protect the personal information. This means that you should not create a policy and then leave it lingering on some obscure part of your intranet.  Instead, you should be regularly reviewing it in light of changes to your business’ infrastructure and processes.  Staff should also be trained and tested on their understanding of privacy and information security policies to minimise the risk of human error causing data breaches which can undermine otherwise robust security processes.

Disappointingly, other than noting the importance of having policies in place, the Guide does not provide much clarity on the further obligation of non-government entities under APP 11 to take reasonable steps to destroy or de-identify the personal information they hold once it is no longer 'needed'. The obligation to decide independently how long a record is 'needed', where no retention period is prescribed by financial, accounting or other industry-specific legislation, remains an ongoing source of ambiguity and concern for organisations, especially those operating in an industry that may be susceptible to judicial proceedings and investigations.

The OAIC will be disbanded after 31 December 2014 so the Guide may prove to be one of its final publications on privacy issues.  From 2015 the Privacy Commissioner will administer the Act.  It will be interesting to see if the final version of the Guide varies significantly from the current draft, especially if substantial public feedback is received.

Have you reviewed your information security policies recently?