The Office of the Australian Information Commissioner (OAIC) has published a final version of its Guide to Information Security: ‘Reasonable steps’ to protect personal information.

The Australian Privacy Commissioner, Timothy Pilgrim, said that 100% of the high profile investigations he completed in 2011–12 involved data security issues.

Information security obligations for businesses are contained in the National Privacy Principles, the credit reporting provisions in the Privacy Act and the Tax File Number Guidelines.

The guide provides guidance on information security, specifically the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold.

It provides examples of steps and strategies which may be reasonable for an entity to take.

This could include taking steps and implementing strategies to manage the following:
• governance
• ICT security
• data breaches
• physical security
• personnel security and training
• workplace policies
• the information life cycle
• standards
• regular monitoring and review.

The guide recommends businesses build privacy and information security measures into their processes, systems, products and initiatives at the design stage.

In the amendments that commence on 12 March 2014, the security of personal information is dealt with in APP 11. The obligations in APP 11 are similar to those in NPP/IPP 4. However, APP 11 will require an entity to take reasonable steps to protect personal information from ‘interference’ (eg hacking), as well as from misuse, loss, unauthorised access, modification or disclosure.

Bright Law can assist you to review your privacy policy to address information security issues.