The Information Commissioner on Reasonable Security for Personal Information

In April 2013, the Office of the Australian Information Commissioner (OAIC) released the Guide to Information Security (Guide) in relation to Personal Information under the Privacy Act 1988 (Cth). A summary of the guide is available here.

“Reasonable Steps” Depend on the Context

What the OAIC considers to be “reasonable steps” for the security of Personal Information depends on the context in which the Personal Information is handled. The OAIC lists specific factors, and we’ve added a short explanation next to each.

  • Nature of entity holding the personal information: As an example, there is a difference between what would be reasonable for a highly centralised entity with very few contractors and a distributed entity that runs a business with many contractors. Clearly, the security safeguards required by the distributed entity will be more involved, since data is disclosed to third parties more often.
  • Nature and quantity of personal information held: Sensitive information should be handled more securely than non-sensitive information, and larger holdings carry greater risk. A person’s medical records, for instance, deserve greater protection than their phone number.
  • Risk to individuals if personal information is not secured: If an inadvertent disclosure of certain information has a higher chance of causing harm to a person (reputationally or otherwise), that information must be kept more secure than information that poses less risk.

  • Data handling practices of entity holding the information: Which parties hold data obviously matters. If an organisation outsources its data to third party contractors, the security procedures of the contractors are part of the risk picture for the organisation. It is a truism to say that a security system is only as good as the weakest link.
  • Ease of implementation of security measure: How expensive or impractical a security measure is bears on whether or not it is reasonable to take it. As the Guide says, “It may not be reasonable to implement a measure if doing so will be impracticable or unduly expensive when balanced against the risks.”

Possible Steps Outlined by the Commissioner

The OAIC outlines categories of steps and strategies that “may be reasonable to take”.

  • Governance: This category refers to specific people and bodies that are formally tasked with managing the challenges of information security within an organisation.
  • ICT Security: Measures implemented with information technology, such as proper authentication systems and network security.
  • Data breach: The maintenance of a plan for data breaches by an organisation so that if a data breach occurs, the organisation can respond more effectively.
  • Physical security: This category contemplates locks on doors and moving information around as a physical asset, such as paper-based files.

  • Personnel security and training: Staff training, particularly in the context of external contractors and service providers.
  • Workplace policies: Formal policies that set out procedures and processes for the way that an organisation deals with information security.
  • Information life cycle: Each organisation needs to think about how it collects information, and when it is appropriate to retain or destroy it.
  • Standards: Organisations should pay attention to industry best practice and standards bodies on certain issues.
  • Monitoring and review: Organisations need to have procedures in place to monitor and review all of the above.