The Privacy Act 1988 (Cth) (Privacy Act) requires organisations to take “reasonable steps” to ensure that all Personal Information held is secure and protected from misuse, interference, loss and disclosure.
In order to assist organisations to comply with this aspect of the Privacy Act, the Office of the Australian Information Commissioner (OAIC) has released a “Guide to Securing Personal Information” (Guide).
The Guide assists organisations in determining what active measures are required to meet the “reasonable steps” threshold for complying with the Privacy Act. The Guide is divided into two parts:
Part A: Circumstances that affect the assessment of reasonable steps.
This part confirms that the factors to be considered when assessing what reasonable steps are required include:
- the nature of the organisation;
- the amount and sensitivity of Personal Information held;
- the adverse consequences for an individual in the case of a breach;
- the practical implications of implementing the security measures (i.e. the costs involved); and
- whether a security measure is itself invasive.
Part B: Steps and Strategies which may be reasonable for an organisation to take.
This part provides practical examples of what an organisation should be doing to ensure compliance with the Privacy Act under 9 main headings which include:
- governance, culture and training;
- internal practices, procedures and systems;
- data breaches;
- destruction and de-identification of Personal Information; and
- access to Personal Information.
Whilst the Guide is not legally binding, it is a useful tool for organisations. Furthermore, it should not be ignored as the OAIC has made it clear that it will give consideration to the Guide when determining whether an organisation has breached the Privacy Act. Therefore, organisations should be reviewing their practices and procedures for dealing with Personal Information in accordance with the Guide.
If your organisation is in breach of the Privacy Act, it not only faces penalties from the OAIC but may also suffer adversely as a consequence of mishandling personal information, for example, through the loss of clients and goodwill. Given the significant focus on overhauling the privacy regime, organisations should be taking proactive steps to ensure that their day-to-day practices are up to scratch.
Stay tuned for practical tips on how you can comply with the Privacy Act. In the meantime, a complete copy of the Guide can be found here.