If your organisation handles personal information in any way, shape or form, you will by now be familiar with the Australian Privacy Principles (APPs). Introduced in March 2014, the APPs were designed to act as a single framework of rights and obligations in relation to the collection and handling of personal information.
Specifically, the APPs were drafted to be flexible and technology neutral, so that they maintain their relevance and applicability in our constantly evolving digital landscape. Given the incredible ways in which technology continues to transform our lives, flexibility is certainly an important aim. However, the flipside is that the APPs can be notoriously difficult to interpret, and many organisations struggle to translate their obligations in practical terms. Perhaps the best evidence of this is the raft of material published by the Office of the Australian Privacy Commissioner (OAIC) to help entities understand their privacy obligations – the APP Guidelines are over 200 pages long!
The most recent guidance published by the OAIC is the Guide to Securing Personal Information. This updates and replaces the previous ‘Guide to Information Security,’ which was originally released in April 2013, before the introduction of the APPs. The new guide sets out to specifically address the security obligations under the APPs, and to help entities make sense of what it actually means to comply. In particular, it focuses on APP 11, which requires entities to take ‘reasonable steps’ to protect personal information.
What does it mean to take ‘reasonable steps’ to protect personal information? What do ‘reasonable steps’ actually look like? The answer is complicated. The guide as originally published tells us that what constitutes ‘reasonable steps’ will depend on the circumstances – unfortunately, this doesn’t give much comfort to organisations, which must invariably invest time and money into implementing information security strategies.
We’d love to tell you that the made-over guide puts all of these problems to rest. It doesn’t. However, it does give organisations a much more workable model for determining their compliance under APP 11, complete with practical examples from recent privacy breaches to illustrate!
In short, the new guide emphasises the importance of managing each stage of the information lifecycle through these five steps:
1. Consider whether to collect personal information – can your organisation carry out its functions and activities without collecting personal information? Over-collecting personal information means that if, or when, a data breach happens, the impact is more severe. The only safe personal data is data that doesn’t exist – so as a first step, you should consider how your collection of personal information can be minimised.
2. Privacy by design – how is privacy protection embedded into your organisation’s day-to-day practices and procedures? Document your data security policies, and ensure that your staff are adequately trained. Not only will this enable you to respond quickly and appropriately in the event of a data breach, but it will also help to create a culture of privacy awareness within your organisation. Senior Management MUST get involved, and lead by example to make privacy a priority within your organisation.
3. Assessing the risks – have you conducted a Privacy Impact Assessment recently? Technology is constantly changing, and so are the threats to your information security. It is important that you review your information security controls regularly, so that you can develop risk management strategies that are appropriate to the threat environment.
4. Taking appropriate steps and putting into place strategies to protect personal information – do your information security controls match your risk profile? Once you have conducted your risk assessment, make sure you implement robust security measures to address the vulnerabilities and threats to your system. This is particularly important if you outsource your systems, for example through a cloud service provider. Take the time to understand the kinds of security controls your service providers have in place, and implement additional measures to fill any gaps.
5. Destroy or de-identify personal information – do you have strategies in place to ensure that unnecessary personal information is destroyed? This was one of the big lessons to come out of 2014. In fact, a failure to destroy or permanently de-identify personal information was a major factor in the Privacy Commissioner’s finding that Telstra had breached the Privacy Act in 2013, when the personal details of almost 16,000 customers were leaked online. Destroying or de-identifying unnecessary personal information is an important risk mitigation strategy, so make sure you have well-documented procedures to carry out this obligation.
As the Privacy Commissioner stated at the ippANZ Conference last year, privacy is all about business as usual, and if your systems and processes do not adequately address known privacy risks, then that is an accident waiting to happen. With this updated guidance from the OAIC, now is the perfect time to review your data handling practices to ensure your organisation complies with the APPs.