In August 2014, the Office of the Australian Information Commissioner (OAIC) released a consultation draft of its Revised Guide to information security: 'Reasonable steps' to protect personal information (the Guide).

The Guide is designed to assist entities in meeting their Privacy Act 1998 (Cth) obligations by:

  • identifying circumstances and factors that may affect the assessment of "reasonable steps", and
  • providing indicative steps and strategies that may be reasonable for an entity to take.

While the Guide is not binding, the OAIC states that it will refer to it when assessing an entity's compliance with its Privacy Act information security obligations.

Managing information security

The Guide notes that an entity will be better placed to comply with its privacy obligations if it embeds privacy protections in the design of its information handling practices at the start of the process.

Some recommendations to achieve this include:

  • conducting a Privacy Impact Assessment (PIA) for new projects, which:
    • describes the personal information flows in the project
    • analyses and assesses the possible privacy impacts, and
    • sets out how those impacts can be minimised or eliminated
  • conducting an information security risk assessment to inform any PIAs
  • using the PIA and information security risk assessment to develop risk management and information security policies, plans and procedures
  • establishing a privacy "governance body" that defines and implements information security measures, and
  • resourcing to guide and support information security measures.

However, the Guide emphasises the need for an entity to protect personal information throughout the stages of its life-cycle. Accordingly, the initial design does not end the entity's security responsibilities. The Guide states that an entity must also regularly monitor and review its information security controls to reflect changes to the entity's processes and resources, and the changing technology and security risk landscape.

Circumstances that affect assessment of reasonable steps

The Guide sets out a number of circumstances (and gives guidance with examples) as being relevant to the assessment of whether an entity has taken reasonable steps to ensure the security of personal information. They include:

  • the nature of the entity holding the personal information
  • the amount and sensitivity of the personal information held
  • the possible adverse consequences for an individual
  • the information handling practices of the entity holding the information
  • the practicability of implementing security measures, including the time and cost involved, and
  • whether a security measure is itself privacy invasive.

Steps and strategies that may be reasonable to take

The Guide also provides guidance on the steps and strategies that may be reasonable for an entity to take to protect personal information and satisfy its security obligations under the Privacy Act.

In particular, the Guide discusses some key steps and strategies to manage the information life-cycle, including key steps and strategies for:

  • new acts and practices, and changes to existing projects
  • regular reviews of personal information handling practices, and
  • destruction or de-identification of personal information.

It also discusses governance arrangements within the entity to ensure information security is consistently maintained, as well as internal practices, procedures and systems, and standards.

Similarly, the Guide provides steps and strategies to manage ICT security measures, including:

  • hardware and software security
  • whitelisting and blacklisting issues
  • encryption
  • network security
  • testing
  • backing up
  • communications security
  • access security measures, including:
    • authentication, authorised access and non-public content
    • passwords and passphrases
    • collaboration
    • logs, audit trails and monitoring access
  • data breaches
  • physical security
  • personnel security and training, and
  • destruction or de-identification of personal information.

A current example

As discussed in our recent article, Bash threat, the Privacy Commissioner has issued a direct warning to businesses and government agencies that they must take steps to protect citizens' personal information from the most recently discovered computer bug (dubbed "Shellshock") or risk breaching the Privacy Act.

The alert, which was issued within days of Shellshock being identified, reminded all organisations of their obligation under the Privacy Act to regularly monitor the operation and effectiveness of ICT security measures so that they remain responsive to changing threats, vulnerabilities and other issues that may affect the security of personal information. That ongoing obligation is precisely what the Guide is squarely aimed at.

Where to now?

Comments on the Guide closed on 27 August 2014. We will continue to keep you informed of developments in the area.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.