The OAIC’s comments on APRA’s draft Draft Prudential Practice Guide (PPG 235) Managing Data Risk is a useful guide to analysing an organisation’s data security procedures from a privacy perspective:

• does the procedure concern the collection, disclosure, use and storage of “personal information” (as defined in the Privacy Act?)
• does “confidentiality” include “privacy”?
• are the obligations regarding the handling of personal information set out in the Privacy Act (including the Privacy Principles) considered?

NPP 1 (which will be replaced by APP 2 which deals with the collection of solicited personal information) requires that:

• personal information may only be collected where necessary for a function or activity of the organisation
• collection must not be by unfair or unlawful means, and
• reasonable steps must be taken to provide the individual to which the information relates with notice of specified matters, including the identity of the organisation collecting the information, the purpose of the collection, and the contact details of the organisation.

NPP 2 (which will be replaced by APP 6) provides that personal information may only be used or disclosed for the purpose for which it was collected (the ‘primary purpose’), unless a specified exception applies. This requires an organisation to have a clearly defined purpose for the initial collection of personal information, which is also consistent with the requirements of NPP 1.

NPP 4 (which will be replaced by APP 11) relates to data security and requires organisations to take ‘reasonable steps’ to protect the personal information that they hold from misuse or loss and from unauthorised access, use, modification or disclosure.

The OAIC is currently developing guidance on the reasonable steps with respect to information security that organisations are required to take under the Privacy Act.

The OAIC has also published a voluntary Data Breach Notification Guide which outlines steps that organisations should consider in preparing for and responding to information security breaches, including notifying affected individuals. The Government is considering mandatory data breach notification provisions.

NPP 9, which relates to trans-border data flows, currently provides that organisations cannot avoid their Privacy Act obligations by sending personal information offshore.

NPP 9 generally prohibits an organisation from disclosing personal information to someone in a foreign country who is not subject to a comparable information privacy scheme, unless the individual has consented.

NPP 9 will be replaced by APP 8 which deals with cross-border disclosures of personal information: this principle will not prohibit cross-border disclosures of personal information but organisations will be accountable for any disclosure of personal information outside Australia, unless one of a number of exceptions applies. Before any actual cross border disclosure of personal information occurs, an organisation must have put into place appropriate arrangements in relation to the information.

The Tax File Number Guidelines 2011 (TFN Guidelines) issued under the Privacy Act regulate the collection, storage, use, disclosure, security and disposal of individuals’ TFN information.

Guideline 6 of the TFN Guidelines states that TFN recipients must take ‘reasonable steps’ to safeguard TFN information. This includes protecting TFN information from misuse and loss, and from unauthorised access, use, modification or disclosure, and ensuring that access to records containing TFN information is restricted to individuals who need to handle that information for legal purposes.

Part IIIA of the Privacy Act governs the handling of credit information files, credit reports and other credit worthiness information about individuals by credit reporting agencies and credit providers. CRAs and credit providers must also ensure that credit information files and credit reports are subject to security safeguards as are ‘reasonable in the circumstances’.

The OAIC suggests that the Draft APRA Practice Guide also refer to de-identification as a tool for managing data risks.