The 13 Australian Privacy Principles (APPs) regulate the handling of personal information by a broad swathe of private, governmental and not-for-profit organisations – known as “APP entities”.
Where an information security or cyber security breach at an APP entity involves personal information, the Office of the Australian Information Commissioner (OAIC) can investigate and has broad enforcement powers and other potential remedies.
A breach of the APPs in relation to personal information is an “interference with the privacy” of the relevant individual. Where the OAIC determines that such an interference has occurred, the remedies will often include a review of the organisation’s procedures and processes, along with a written apology and an award of damages for non-economic loss.
The OAIC has developed a Guide to Securing Personal Information that sets out its guidance on the reasonable steps entities are required to take under the Privacy Act. The guide is not legally binding. However, the OAIC will refer to it in undertaking its functions, including investigating whether an APP entity has complied with its personal information security obligations.
APP 11 – Security of Personal Information
APP entities must take active measures to ensure the security of personal information they hold and to actively consider whether they are permitted to retain this personal information.
An APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as from unauthorised access, modification or disclosure. Further, APP entities must also take reasonable steps to destroy or de-identify the personal information they hold once it is no longer needed for any purpose for which it may be used or disclosed under the APPs.
When considering the security of personal information, you also need to be mindful of other obligations under the Privacy Act, such as your obligations under APP 8 (Cross-border disclosure of personal information) and APP 12 (Access to personal information).
What counts as “reasonable steps” for an APP entity depends on a variety of circumstances, including the nature of the entity, the amount and sensitivity of the personal information it holds and the possible adverse consequences for individuals in the event of a breach. The OAIC’s Guide sets out steps and strategies across nine broad topics. Taken together, these strategies amount to a good-practice information security baseline. We will look at them in more detail in another blog.
Notifiable Data Breach Scheme
The NDB scheme requires APP entities to notify affected individuals and the OAIC where an “eligible data breach” occurs. A data breach is “eligible” where personal information has been lost, or accessed or disclosed without authorisation, and a reasonable person would conclude that this is likely to result in serious harm to any of the individuals to whom the information relates. An entity that suspects it may have experienced an eligible data breach must carry out a prompt and reasonable assessment (the Act allows at most 30 days) to decide whether it has.
Proposed New Penalties
The OAIC has broad enforcement powers and is likely to have extensive new powers and financial penalties at its disposal.
From a financial perspective, the Federal Government has proposed a new regime that would increase maximum penalties for misuse of personal information to the greatest of $10 million, three times the value of any benefit obtained through the misuse of information and 10% of a company’s annual domestic turnover.
The OAIC would be able to issue infringement notices for failure to cooperate with efforts to resolve minor breaches. Penalties would go up to $63,000 for companies and $12,600 for individuals.
The OAIC would also have powers, via third-party reviews and/or publication of notices about specific breaches, to ensure individuals who are directly affected are aware of threats to their personal information.