This article discusses the Privacy Act obligations of organisations to protect clients’ personal information.
There are a number of Commonwealth statutes which impose commercial obligations to protect clients’ personal information. Notably, the Privacy Act 1988 (Cth) outlines the Australian Privacy Principles (APP), which oblige organisations to reasonably protect clients’ personal information. The APP replaced the National Privacy Principles as part of Parliament’s push for reform of the Privacy Act obligations and came into effect on 12 March 2014.
More information on how the Privacy Act applies to individual people can be found in our Privacy Law article.
What organisations must comply with the APP?
Organisations that have Privacy Act obligations are defined as follows:
- Organisations which are non-government entities; and
- Organisations which are not classified as a ‘small business.’
Small business is defined in section 6D of the Act. Small businesses are entities with an annual turnover of less than $3 million. However, a small business does not include health service providers and credit reporting bodies. This means that regardless of size, health service providers and credit reporting bodies have Privacy Act obligations.
What is personal information?
Section 6 of the Act states that personal information is information that can be used to specifically identify or ‘reasonably’ identify a person given the contents of the information. While some individual information looked at in isolation may not be identifiable, when considered in combination with other available information it may become identifiable and therefore personal.
If an organisation is unsure whether the information can reasonably identify an individual, it should err on the side of caution and treat the information as if it were personal.
Personal information in relation to Privacy Act obligations includes the following:
- A person’s name;
- An address;
- An occupation; or
- Medical or financial records.
The truth of the information and whether it has been recorded in a material form is irrelevant for the purposes of determining whether it is personal.
What Privacy Act obligations do organisations have?
There are 13 Australian Privacy Principles in total, which outline the Privacy Act obligations for organisations to manage personal information.
Specifically, APP 11 compels an organisation to take reasonable steps to protect personal information it holds from loss, interference, unauthorised access, modification, misuse or disclosure. The ordinary meaning of these words is used, as APP 11 does not specify definitions.
Under section 6(1) of the Act, an entity holds personal information if it has sufficient control or possession of a record which contains personal information. As a result, outsourcing the storage of information while retaining access rights is still considered holding personal information.
APP 3 states that entities have Privacy Act obligations to only gather personal information that is reasonably necessary to carry out their ordinary business functions.
What are ‘reasonable steps’ that must be taken?
What particular reasonable steps an organisation must take in order to meet their Privacy Act obligations depends on a variety of factors.
Factors which are relevant to determining what reasonable steps must be taken include the following:
- The potential harm a disclosure would have on identified individuals;
- The practicality of implementing preventative measures; and
- The sensitivity of the information.
The nature of the organisation, such as its size and available resources, is also relevant in determining what reasonable steps must be taken.
Organisations will still need to comply with APP 11 even if the possible protective measures are inconvenient, expensive, or tedious. Overall, determining reasonable steps is finding the right balance between the burden on the organisation and the potential for adverse consequences for the identified person.
Even though what is reasonable will depend on the specific circumstances of each matter, there are general steps organisations can take to ensure compliance with APP 11 and their Privacy Act obligations. These steps include:
- Providing staff training that aims to foster cultural awareness and minimise the chances of inadvertent disclosure;
- Notifying staff of changes to the organisation’s security policies;
- Implementing preventative policies, such as guidelines for the printing of documents containing personal information as well as ensuring identity authentication procedures when granting access to personal information;
- Creating clear lines of authority for information security decisions;
- Establishing technological security measures, such as anti-virus software, firewalls, electronic encryption, password protocols, whitelisting and blacklisting;
- Establishing physical security measures;
- Ensuring the use of appropriate back-up systems;
- Undertaking appropriate due diligence when engaging third parties for storage services, such as cloud computing, in order to verify the adequacy of their security controls; and
- Formulating a response plan to potential data breaches.
This list is not exhaustive and organisations do not have to implement all of the listed measures.
When implementing reasonable steps to comply with their Privacy Act obligations, companies must undertake appropriate testing in order to address any defects. It is also expected that entities will regularly monitor and review the effectiveness of their preventative measures.
Undertaking recurring assessments and updating processes is vital, as measures may become obsolete over time as a result of technological advancements.
It is not necessary for companies to safeguard against every possible breach as this would be impossible. Nevertheless, companies have an obligation under APP 1.2 to document their internal practices, procedures and systems which are used to meet their APP 11 obligations. It is therefore vital that entities regularly update this documentation to ensure compliance with their Privacy Act obligations.
What happens in the event of a breach?
While there are no Privacy Act obligations setting out how organisations must respond to a breach or suspected breach, the Office of the Australian Information Commissioner (OAIC) has outlined four steps that can be used as a guide:
- Contain the breach. This serves to minimise the harm;
- Perform a preliminary assessment;
- Evaluate the risks associated with the breach;
- Notify affected clients and the OAIC when necessary. While notification is not mandated it may be considered a reasonable step in preventing future breaches; and
- Identify ways to improve policies and procedures, and implement changes.