On 19 January 2015 the Office of the Australian Information Commissioner (OAIC) released a ‘guide to securing personal information’. The guide sets out the ‘reasonable steps’ that organisations should take to ensure they are acting in accordance with the requirements of the Privacy Act 1988. The Privacy Act regulates the way an individual’s information is dealt with. It includes 13 ‘Australian Privacy Principles’ (APPs) that specifically deal with the handling of personal information. This guide is a supplement to those principles and will be used by the OAIC when assessing a breach.
Who is liable under the Privacy Act?
Australian Government agencies, not-for-profits and businesses with an annual turnover exceeding 3 million dollars are subject to the Privacy Act. Organisations that are not subject to the Privacy Act include universities; state government agencies; political parties; media organisations and small business operators.
What is in the guide?
The guide begins with a recap of what ‘personal information’ is and why it matters. Section 6 of the Privacy Act defines ‘personal information’ as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable’. ‘Sensitive information’ is a subset of ‘personal information’; this type of information requires a higher level of privacy protection and is generally health related.
Parts A and B contain the practical components of the guide. Part A deals with the circumstances that affect the assessment of what is ‘reasonable’ when determining the ‘reasonable steps’. These circumstances include the nature of the collecting entity; the amount of information held; the adverse consequences for the people whose information is held; the practicality of implementing security measures; and whether the privacy measure itself is invasive. Looking at the scope of the circumstances considered, it is clear that the OAIC takes a holistic approach to defining what is reasonable for an organisation. Although this allows individual situations to be factored in, it also creates ambiguity for those trying to formulate and manage privacy procedures. To help with clarification, the guide accompanies the explanation of each circumstance with a case example.
Part B is concerned with the actual steps and strategies an organisation can employ. This part is essentially a non-exhaustive summary of suggested methods, aimed at prompting entities to think critically about their current practices and how they can improve them. The guide suggests that privacy practices begin with the organisation’s culture and governance. It then covers internal practices and systems; ICT security; access security; third-party providers such as cloud services; data breaches; physical security; destruction or de-identification of personal information; and finally industry and national standards.