A Brief Guide to the ICT Security Controls Required by the Australian Privacy Principles

The Privacy Amendment Act 2012 (No. 197, 2012) has passed through the Australian Parliament and took effect on 12 March 2014.

The new legislation introduces significant obligations for the protection of Personal Information held by Australian organisations and material financial penalties of $1.7 million for all Australian organisations with revenues greater than $3 million. 

Organisations that collect and/or hold Personal Information are required to comply with the Privacy Act 1988 and its Amendments.  Personal information is defined in s 6 of the Privacy Act as: information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. 

The Privacy Amendment Act 2012 has introduced a number of changes.  These changes at a high level are:

  • The Privacy Amendment Act includes a set of new, harmonised privacy principles that will regulate the handling of Personal Information by both Australian government agencies and businesses. These new principles are called the Australian Privacy Principles (APPs).  They will replace the existing Information Privacy Principles (IPPs) that currently apply to Australian Government agencies and the National Privacy Principles (NPPs) that currently apply to businesses.
  • Under the changes, there are 13 new APPs.  A number of the APPs are significantly different from the existing principles, including APP 7 on the use and disclosure of Personal Information for direct marketing, and APP 8 on cross-border disclosure of Personal Information.

One of the key aspects of the amendments involves changes to the penalties for non-compliance.  The Australian Information Commissioner’s powers have been expanded under the Amending Act reforms.  The Commissioner will have the power to issue guidelines to a non-compliant entity or vary their registered APP code by including additional requirements for compliance. 

Breaches of the Privacy Act will be deemed an interference with privacy and could lead to an entity being subject to investigation by the Commissioner.  The Commissioner also has the power to initiate investigations of its own accord without any complaint having been received.  Serious or repeated breaches of personal privacy can be prosecuted by the Commissioner in the Federal Court and Federal Magistrates Court.  Corporations found in breach of privacy laws can face monetary penalties of up to $1.1 million and non-corporate entities can face monetary penalties of up to $220,000.  Section 4AA of the Crimes Act 1914 has been amended to increase the amount of a penalty unit from $110 to $170.

This means that the maximum penalty amount will be $340,000 for individuals and $1.7 million for entities!

Obviously, at the heart of the Privacy Principles is the protection of Personal Information.  Each of the privacy principles is impacted by security practices, and an entity will need to be mindful of all of its obligations under the Privacy Act (along with other relevant legislative requirements) when considering the security of Personal Information. For example, the security measures employed by an entity must allow individuals to access their Personal Information, as required by the Privacy Act, while at the same time preventing unauthorised access to that information. 

The key APP here is APP 11 which requires that “If an APP entity holds Personal Information, the entity must take such steps as are reasonable in the circumstances to protect the information: (a) from misuse, interference and loss; and (b) from unauthorised access, modification or disclosure.”  

The Office of the Australian Information Commissioner has published a handy guide that organisations can follow to understand what ICT security measures they need to undertake to safeguard Personal Information. The guide is called ‘Guide to Information Security, April 2013’. It should be noted that the OAIC will refer to this guide when assessing an entity’s compliance with its security obligations in the Privacy Act.

I will now document some salient points from the guide and highlight briefly how organisations can work towards implementing what the guide states.

Good privacy practice is important for more than just ensuring compliance with the requirements of the Privacy Act. If an entity mishandles the Personal Information of its clients or customers, it can cause a loss of trust and considerable harm to the entity’s reputation.  Additionally, if Personal Information that is essential to an entity’s activities is lost or altered, it can have a serious impact on the entity’s capacity to perform its functions or activities.

It is important for entities to integrate privacy into their risk management strategies.  Robust information-handling policies, including a privacy policy and data-breach response plan, can assist an entity to embed good information handling practices and to respond effectively in the event that Personal Information is misused, lost or accessed, used, modified or disclosed without authorisation.

Entities that handle Personal Information should build privacy into their processes, systems, products and initiatives at the design stage.  Building privacy into data handling practices from the start, rather than ‘bolting it on’ at a later stage, is known as ‘privacy by design’. 

The ‘privacy by design’ stage should also address Personal Information security, including the appropriateness of technology and the incorporation of information security measures that are able to evolve to support the changing technology landscape over time. 

Entities should design their information security measures with the aim to:

  • Prevent the misuse, loss or inappropriate accessing, modification or disclosure of Personal Information
  • Detect privacy breaches promptly
  • Be ready to respond to potential privacy breaches in a timely and appropriate manner.

One way to achieve privacy by design is to conduct a Privacy Impact Assessment (PIA).  A PIA is an assessment tool that examines the privacy impacts of a project and assists in identifying ways to minimise those impacts.  A PIA will assist in identifying where there are privacy risks, and where additional privacy protections may be required. Generally, a PIA should:

  • Describe the Personal Information flows in a project
  • Analyse the possible privacy impacts of those flows
  • Assess the impact the project as a whole may have on the privacy of individuals
  • Explain how those impacts will be eliminated or minimised.

A detailed guide to conducting PIAs is available from the OAIC website.  

The Guide to Information Security, April 2013 introduces the concept of ‘reasonable steps’ that need to be taken to protect Personal Information.  The reasonable steps will always depend on the circumstances, including the following:

  • Nature of entity holding the Personal Information
  • Nature and quantity of Personal Information held
  • Risk to individuals if Personal Information is not secured
  • Data handling practices of entity holding the information
  • Ease of implementation of security measure.

The steps and strategies which may be reasonable to take according to the guide are noted below.  In order to protect any Personal Information that you hold, you essentially have to implement the steps and strategies mentioned below in your organisation:

Governance, which involves -

  • Robust information asset management
  • Dedicated individual or body responsible for managing Personal Information
  • Governance arrangements to:
    • Implement and maintain information security plans and measures
    • Promote awareness and compliance.

ICT security which includes -

  • Whitelist and/or blacklisting entities, content or applications
  • Up to date software security
  • User authentication controls
  • Policies to prevent inappropriate or unauthorised access
  • Point of access logs and audit trails being implemented
  • Encryption controls to prevent data disclosure
  • Network security measures
  • Testing ICT systems and processes
  • Backups
  • Communications security measures.

Data breach, which involves -

  • Developing a data breach response plan
  • Training staff about how to respond to data breaches.

Physical security controls, which involve -

  • Security and alarm systems
  • Access logs being maintained
  • Workplace design
  • Secure work and storage spaces
  • Clean desk policy
  • Storage and movement of files audited and monitored.

Personnel security and training, including -

  • Appropriate security clearances
  • Staff training (including contractors and service providers)
  • Employee exit procedures.

Workplace policies, including -

  • Policies documenting security matters, such as physical and ICT security
  • Conflict of interest policy addressing handling of Personal Information of persons known to staff member
  • Policies addressing use of portable/mobile devices, and staff’s own devices
  • PSD, BYOD and offsite work policies.

Information life cycle management -

  • PIAs and information security risk assessments conducted for new or changed acts or practices
  • Collection practices periodically being reviewed
  • Personal information protected:
    • During system upgrades
    • When passed to/handled by a third party
  • Policies for data retention and destruction
  • Outsourcing contracts address handling of Personal Information.

Standards and frameworks being used to guide ICT security -

  • Relevant international, Australian and industry/sector standards on information security
  • Compliance with standards tested internally or by third party.

Monitoring and review of ICT systems -

  • Operation and effectiveness of information security measures monitored and reviewed regularly
  • Changes implemented as a result of monitoring and review.

The list above can look a little overwhelming, but a methodical and detailed approach will get you there.  The key is to recognise this as a program of works; applying the relevant disciplines to it, and making available the necessary resources to complete the tasks, is critical to success.  This is not an activity that can be completed as a side project.  Please also note that outsourcing the processing, transmission or storage (such as in the cloud) of Personal Information does not absolve the organisation collecting the data of its obligations to protect it. 

The consequences of ignoring these directives are a bit more serious now and can include:

  • Significant financial penalties (up to $1.7 million)
  • Loss of reputation and customer trust
  • Harm to your customers
  • Reduced business functions and activities

If you don’t get on top of your Personal Information protection measures!
