Last month, the OAIC released a Revised Guide to Information Security for public consultation. The Guide was originally published in April 2013, to de-mystify the obligation under the Privacy Act 1988 (the Act) to take ‘reasonable steps’ to keep personal information secure. It provides much needed practical guidance, by explaining what steps and strategies the OAIC expects entities to take in order to comply with the Australian Privacy Principles (APPs).
Under APP 11, APP entities must take reasonable steps to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. APP entities must also take reasonable steps to destroy or de-identify personal information once they no longer need it. The OAIC acknowledges that what constitutes ‘reasonable steps’ will depend on the nature of the entity, and on the particular circumstances. With this in mind, the Guide is intended to act as a reference point for the OAIC in determining whether an entity has complied with its information security obligations under the APPs.
So, what do the revisions to the Guide tell us? The revised document clearly articulates the lessons learned from the OAIC’s recent investigations into high profile data breaches by Telstra, Multicard, and Cupid Media. In particular, the revisions emphasise the need to actively manage the information lifecycle, by embedding privacy protection at all stages of the information handling process, and by having practices and procedures in place to identify personal information that needs to be destroyed or de-identified. Importantly, a failure to destroy or de-identify personal information was instrumental in the Privacy Commissioner’s findings that both Telstra and Cupid Media had breached the Act. In both cases, there is no doubt that the impact of the data breaches would have been far less extensive had out-of-date or ‘junk’ data been appropriately destroyed or de-identified. The revised Guide provides more specific and comprehensive guidance for managing the information lifecycle, including the destruction and de-identification of data. It recommends that entities establish a personal information inventory to keep track of the personal information they handle, as well as the associated risks.
The revisions also elaborate on the original list of ICT security measures set out in the Guide. The OAIC’s investigation into the Multicard data breach showed the importance of implementing robust access security and user authentication measures, and this is something the revisions particularly stress. Entities must ensure that any personal information hosted on their web servers is protected by user authentication processes, and should also implement access monitoring measures to enable them to detect any unauthorised access.
The revisions serve as an important reminder that the OAIC expects APP entities to build privacy considerations into their overall risk management strategies, reinforcing the Privacy Commissioner’s statement that ‘there is no “set and forget” solution to information security and privacy in the digital environment.’ It is clear from the Guide that the OAIC will be looking for comprehensive, well-documented policies and procedures for managing the personal information lifecycle, along with clear governance strategies to ensure compliance with the APPs.
The OAIC has invited submissions as to how the Guide can be improved to assist you in understanding your information security obligations. It will be very interesting to see how these revisions are received, and the comments and suggestions that arise out of the submissions.