The OAIC has released a statement confirming its position that that while an organisation may not be found to have ‘disclosed’ personal information following a data breach or cyber-attack (under Australian Privacy Principle 6), the organisation may still be found in breach of APP 11 if it did not take reasonable steps to protect the information from unauthorised access, such as a cyber-attack.

APP 6 outlines when an APP entity may use or disclose personal information. Under APP 6, an APP entity is not taken to have ‘disclosed’ personal information where a third party intentionally exploits the entity’s security measures and gains unauthorised access to the information. However, the organisation may still be found in breach of APP 11 when this occurs.

APP 11 requires an organisation that holds personal information to take reasonable steps to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure. Failure to take reasonable steps to prevent unauthorised access such as a cyber-intrusion may be a breach of APP 11.

The OAIC expects that entities will regularly monitor the operation and effectiveness of the steps and strategies they have taken to protect personal information, including measures to respond to changing technology and security risks.

The Australian Privacy Principles (together with other Privacy Act amendments) commence on 12 March 2014.