In January 2015, the Office of the Australian Information Commissioner released a new ‘Guide to Securing Personal Information.’ Although the Guide is not legally binding, the Commissioner will refer to it when assessing compliance with personal information security obligations, so entities should take note of the recommendations outlined there.
Who should use the Guide?
The Guide is designed to be used by entities bound by the provisions of the Privacy Act 1988 (Cth). This includes:
- Australian government (and Norfolk Island administration) agencies;
- all businesses with an annual turnover of more than $3 million;
- credit providers;
- credit reporting bodies;
- tax file number recipients; and
- certain small businesses (with an annual turnover of $3 million or less) such as private health sector providers, businesses that buy or sell personal information, Commonwealth contracted service providers, employee associations or businesses that have opted in to the Privacy Act.
However, other entities may also find the Guide to be useful for planning and implementing effective systems for personal information security.
What does the Guide cover?
The Guide outlines a series of steps that entities should take in order to comply with the Privacy Act and protect any personal information they may have within their possession.
‘Personal information’ is defined in section 6 of the Privacy Act to mean “information or an opinion about an identified individual, or an individual who is reasonably identifiable whether the information or opinion is true or not and whether the information or opinion is recorded in a material form or not.” Examples of personal information include contact details, bank account details, employment details or medical records.
The Guide outlines a five stage ‘information lifecycle’ which entities should follow so as to enhance personal information security within their organisation. The stages are (in order):
- consider whether it is really necessary to collect personal information;
- work out how that personal information will be handled;
- assess the potential risks surrounding the collection;
- take appropriate steps and implement protections; and
- destroy or de-identify the personal information once it is no longer needed.
Exactly what steps should be taken will depend upon the characteristics and capacity of the entity and the nature of the personal information held by the entity, but steps that could be taken within the entity include:
- making sure that any governance and/or training arrangements are appropriate and promote an awareness of privacy and security;
- making sure that any internal practices, procedures and/or systems are also appropriate and comply with the Australian Privacy Principles (APPs);
- ensuring that ICT security (e.g. software and network security, encryption, testing, backups and email security), access security and physical security are effective;
- destroying or de-identifying personal information; and
- considering the use of international and/or Australian standards.
Additionally, if an entity uses any third party providers (such as a cloud service provider) and that provider holds personal information on the entity's behalf, the entity should ensure that appropriate protections for that information are in place with the provider, not merely within its own systems.
Entities should be aware, however, that the Guide does not replace any existing government and/or industry guidelines concerning personal information security.
How should the Guide be used?
Entities should read the APP Guidelines alongside the Guide, because the APPs govern how personal information must be handled by organisations and government agencies.
Apart from the APPs, additional legislation will apply to entities that are credit reporting bodies, credit providers, tax file number recipients, health care providers or government agencies. This legislation should therefore also be read in conjunction with the Guide.
For more information and specific recommendations about security practices, entities should refer to the Guide itself, which is available on the OAIC website.