Protecting personal information: what is 'Reasonable'?
We live in a world where nearly all information is exchanged digitally and in cyberspace, whether through allegedly 'secure' corporate email accounts or through questionably protected social media platforms. The question of protecting personal and corporate data is not an isolated issue reserved for big businesses, those in the legal field, or individuals commanding large capital. Consumers and businesses are becoming increasingly concerned with the protection of identity, privacy, and information security generally. This week, we focus on the changes that were made to the Privacy Act 1988 last year by the Office of the Australian Information Commissioner ('OAIC').
New solutions to modern problems
Information security concerns moved the OAIC to make significant changes to the Privacy Act 1988. One of these changes was the introduction of the 13 new Australian Privacy Principles, and specifically Australian Privacy Principle 11, which deals with the security of personal information.
Companies are required under the Privacy Act to take 'reasonable steps' to protect personal information from falling into the wrong hands and being used for fraudulent or unethical purposes. A draft Guide to information security: 'Reasonable steps' to protect personal information ('Guide') was released in August 2014 for comment. In January 2015, the OAIC released the finalised Guide. The Guide outlines the reasonable steps entities should take to secure personal information and prevent it from falling into the wrong hands.
Is the Guide Binding?
While the Guide is not binding or obligatory, it is an excellent point of reference for anyone concerned with how to protect information and how to prevent security breaches which can carry serious consequences.
The Lifecycle of Information
The Guide explains that information passes through a lifecycle as it is "born", processed, and eventually destroyed. At each point in the information lifecycle, appropriate measures must be taken to ensure the safety of the information.
The Guide provides the following five steps for entities:
Consider whether it is actually necessary to collect and hold personal information in order to carry out business functions or activities;
Plan how personal information will be handled by embedding privacy protections into the design of information handling practices;
Assess the risks associated with the collection of the personal information, whether arising from a new act or practice, a change to an existing project, or business as usual;
Take appropriate steps and implement strategies to protect personal information the entity holds; and
Destroy or de-identify the personal information when it is no longer needed.
The Guide explains that at different stages of the lifecycle, the information's vulnerability will fluctuate. The key concern is how and when the information is collected and held.
Reasonable Steps and Strategies for Best Protection
To ensure successful protection of the information being held, the security must be actively and effectively managed. This can be achieved by running Privacy Impact Assessments for projects. Such assessments would:
demonstrate how the information flows;
investigate and analyse possible privacy repercussions; and
present solutions to minimise and ultimately eliminate any privacy impacts.
The Guide also recommends the following to protect data and personal information on internal servers:
regular information security risk assessments; and
development of risk management plans and information security policies.
What Should I Do Next?
Please do not hesitate to get in touch with us if you have further questions on personal information security or would like a more in-depth explanation of the Guide as it pertains to information security.
Our helpful and friendly staff are always happy to help you resolve any doubts or issues that may arise in connection with this or any other matter you, your clients, or your company may be facing.
* This blog is for general guidance only. Legal advice should be sought before taking action in relation to any specific issues.