This guide is intended to help agencies and private sector businesses comply with the information security requirements under the Privacy Act.
This guide is intended for entities, including Australian, ACT and Norfolk Island Government agencies, and private sector organisations that are covered by the Privacy Act 1988 (Cth). It is also relevant to credit reporting agencies, credit providers and tax file number recipients.
This guide provides guidance on information security, specifically the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold.
This guide discusses some of the circumstances that the Office of the Australian Information Commissioner (OAIC) takes into account when assessing the reasonableness of the steps taken by entities to ensure information is kept secure.
This guide also presents a set of non-exhaustive steps and strategies that may be reasonable for an entity to take in order to secure personal information. Although it is not necessary for all entities to take all the steps and strategies outlined in this guide, the OAIC will refer to this guide when assessing an entity’s compliance with its security obligations in the Privacy Act.
What is reasonable may vary between entities and may also change over time. Therefore, it is important that entities regularly monitor and review the relevance and effectiveness of the security measures that protect personal information.
In some circumstances the use of electronic and online records can increase the possibility of personal information being misused, lost or inappropriately accessed, modified or disclosed. It is critical that entities consider the steps and strategies required to protect and secure personal information they hold in order to meet the Privacy Act’s requirements.
Entities should build privacy and information security measures into their processes, systems, products and initiatives at the design stage. This, together with other preventative steps, helps entities ensure that they have appropriate measures in place to minimise the security risks to the personal information they hold.
Entities should consider undertaking a Privacy Impact Assessment and an information security risk assessment for new acts or practices, or for changes to existing acts or practices, that involve the handling of personal information, in order to identify the steps and strategies they will take to secure that information.