Background

28.2 The Privacy Act 1988 (Cth) currently requires that agencies and organisations take reasonable steps to maintain the security of the personal information that they hold. This is commonly referred to as ‘data security’. The data security requirements for agencies and organisations are found in the Information Privacy Principles (IPPs) and National Privacy Principles (NPPs) respectively.

28.3 IPP 4 provides that a record-keeper, who has possession or control of a record that contains personal information, must ensure

(a) that the record is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse; and

(b) that if it is necessary for the record to be given to a person in connection with the provision of a service to the record-keeper, everything reasonably within the power of the record-keeper is done to prevent unauthorised use or disclosure of the information contained in the record.[1]

28.4 In comparison, NPP 4 provides that ‘an organisation must take reasonable steps to protect the personal information it holds from misuse, loss, unauthorised access, modification or disclosure’.[2] NPP 4 further requires that

an organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed for any purpose for which the information may be used or disclosed under [the ‘Use and Disclosure’ principle].[3]

28.5 Requirements to take steps to ensure the security of personal information are included in a number of international instruments relating to privacy. For example, the European Parliament’s Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data provides that

technical and organisational security measures should be taken by the data controller that are appropriate to the risks presented by the processing. Any person acting under the authority of the data controller, including a processor, must not process data except on instructions from the controller.[4]

28.6 Similarly, the Security Safeguards Principle in the Organisation for Economic Co-operation and Development’s Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980) provides that ‘personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use, modification or disclosure of data’.[5] The OECD has also issued Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002), which respond to the security issues raised by the interconnectivity of information systems and networks.[6]

[1] Privacy Act 1988 (Cth) s 14, IPP 4.

[2] Ibid sch 3, NPP 4.1.

[3] Ibid sch 3, NPP 4.2.

[4] See European Parliament, Directive on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, Directive 95/46/EC (1995), art 17.

[5] Organisation for Economic Co-operation and Development, Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), art 11.

[6] Organisation for Economic Co-operation and Development, Guidelines for the Security of Information Systems and Networks: Towards a Culture of Security (2002).