Prevention of misuse and loss of personal information

28.15 A central component of data security is protecting personal information from misuse and loss. The importance of measures to protect personal information from misuse and loss recently was illustrated in the United Kingdom, when Her Majesty’s Revenue and Customs lost in the post the personal information of 25 million Britons, including their dates of birth, addresses, bank accounts and national insurance numbers. In particular, concerns were raised that the data lost had not been encrypted, but merely was password protected.[16]

28.16 The IPPs and the NPPs both include a requirement to protect personal information from misuse and loss. These principles, however, differ subtly. As noted above, IPP 4(a) requires agencies to ensure that a record containing personal information is protected ‘by such security safeguards as is reasonable in the circumstances against unauthorised access, use, modification or disclosure and against other misuse’. An agency that does not take such steps will breach IPP 4, even if no loss, unauthorised access, use, modification or disclosure actually takes place.[17]

28.17 A number of Commonwealth documents also require agencies to adopt certain security measures. In particular, the Protective Security Manual (PSM) outlines minimum standards and procedures for Australian Government agencies, including requirements for: information security; personnel security; physical security; and tendering and contracting.[18] Additionally, the Defence Signals Directorate (DSD) has published the Australian Government Information and Communications Technology Security Manual (ACSI 33), which sets out common principles for Commonwealth and state and territory agencies to protect information held on information and communications systems.[19]

28.18 NPP 4.1 requires organisations to take ‘reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure’. The OPC has issued guidance on how organisations should meet this requirement, including through taking steps to implement:

  • physical security, such as locks, alarm systems and access limitations;

  • computer and network security, such as user passwords and auditing procedures;

  • communications controls, such as encryption of data; and

  • personnel security, such as staff training programs.[20]

28.19 A number of national and international standards-developing bodies also are developing standards on privacy and security issues, including Standards Australia and the International Standards Organization.[21]

Submissions and consultations

28.20 The ‘Data Security’ principle proposed by the ALRC in DP 72 required

an agency or organisation [to] take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.[22]

28.21 This principle mirrored the requirements currently provided in NPP 4.1. The ALRC proposed that the OPC provide guidance to agencies and organisations on how they should meet the requirement to protect personal information from misuse and loss, including through:

  • contracting service providers to handle personal information consistently with the proposed UPPs;

  • recognising the potential benefits of, and detriments associated with, technological developments in this area, including encryption; and

  • implementing adequate staff training.[23]

Criteria for data security

28.22 Several stakeholders expressed views on the proposed criteria for protecting personal information—that is, that agencies and organisations should protect personal information from ‘misuse and loss and from unauthorised access, modification or disclosure’.

28.23 The OPC supported these criteria.[24] The Cyberspace Law and Policy Centre submitted, however, that ‘misuse and loss’ by authorised users would not necessarily encompass excessive access or accidental alteration or degradation falling short of loss. Further,

the reference to ‘unauthorised access, modification or disclosure’ implies that ‘loss’ and ‘modification’ have different meanings, and it may be that neither includes the other. If so, then security need not protect against loss of data caused by unauthorised parties—which would be ridiculous. [25]

28.24 The Centre submitted, therefore, that the ‘Data Security’ principle be reworded to require protection against ‘improper access, use, alteration, deletion, disclosure, or other misuse, by both authorised users and by other parties’.[26] The Australian Privacy Foundation supported the Centre’s submission.[27]

28.25 Australia’s National Computer Emergency Response Team submitted that additional provisions should be included for the security of personal information exchanged over the internet.[28]

‘Reasonable steps’ to protect personal information

28.26 Stakeholders supported the proposal that the OPC should provide guidance about the meaning of the term ‘reasonable steps’ in the context of misuse and loss of personal information.[29] GE Money and Microsoft Asia Pacific submitted that the factors to determine whether an agency or organisation has taken ‘reasonable steps’ to prevent the misuse or loss of personal information should be set out in the ‘Data Security’ principle, rather than being the subject of guidance.[30]

28.27 Several stakeholders suggested additional features that should be included in the OPC guidance. The Public Interest Advocacy Centre (PIAC), for example, submitted that the guidance also should address the physical security of information systems and security of computer networks and communications.[31] The Office of the Victorian Privacy Commissioner (OVPC) commented that other security developments, such as access control and audit tools, were just as important as encrypting personal information.[32] Medicare Australia suggested that the guidance should address the requirements to protect personal information disclosed to a contracted service provider.[33]

28.28 The OPC did not support providing guidance on technological developments in this area; in particular, relevant encryption standards. It submitted that:

While the Office recognises the need for guidance in this area, it is concerned about the specialised level of expertise required to provide such guidance, along with the resource implications of continually ensuring the accuracy of guidance in a rapidly changing technological environment.[34]

28.29 The Australian Federal Police and the Department of Defence commented on the need to avoid duplication, conflict or confusion between the guidance provided by the OPC and guidance on security measures presently provided for Commonwealth agencies by other agencies, such as Australian Government Attorney-General’s Department (AGD) which publishes the PSM, and the DSD which publishes the ACSI 33.[35]

28.30 Privacy advocates also suggested that the requirement for agencies and organisations to take ‘reasonable steps’ to prevent the misuse or loss of personal information should be subject to a proportionality test—that is, that the security safeguards should be commensurate with the sensitivity of the information.[36] The Cyberspace Law and Policy Centre commented, for example, that the over-zealous application of the ‘Data Security’ principle could result in privacy protections which themselves become privacy infringements, and serve to impede the legitimate flow of information.[37]

ALRC’s view

Criteria for data security

28.31 The criteria in the ‘Data Security’ principle should reflect the criteria currently provided in NPP 4.1—that is, that personal information should be protected from misuse and loss and from unauthorised access, modification or disclosure. These criteria balance the role of the ‘Data Security’ principle and those acts and practices that can be regulated more appropriately through other privacy principles.

28.32 Security concerns are implicit in the notion of ‘misuse and loss’ of personal information. These criteria, therefore, are appropriate matters for the ‘Data Security’ principle. In comparison, security concerns only arise where ‘access’, ‘modification’ or ‘disclosure’ of personal information is unauthorised. Authorised access, modification or disclosure that is, nevertheless, improper, is addressed through other privacy principles. In particular, the ‘Data Quality’ principle will apply to personal information that has been modified improperly. The ‘Use and Disclosure’ principle will apply to wrongful disclosures of personal information. Additionally, authorised access leading to unauthorised disclosure could, if sufficiently serious, engage the data breach notification provisions.[38]

28.33 The ALRC does not recommend additional data security provisions for personal information exchanged over the internet. This would be inconsistent with the ALRC’s recommendation that the UPPs should be technology neutral and capable of general application.[39] The ALRC addresses issues relating to technological developments in Part B.

‘Reasonable steps’ to protect personal information

28.34 The ALRC does not recommend expanding upon the term ‘reasonable steps’ in the ‘Data Security’ principle. Such an expansion would be inconsistent with the ALRC’s recommendation that the model UPPs should be high-level principles of general application.[40] Moreover, the ALRC considers further statutory elucidation to be unnecessary given other requirements in the model UPPs—for example, the requirement for an agency or organisation to create a Privacy Policy that outlines how it proposes to handle personal information consistently with the Privacy Act.[41] Instead, the ALRC recommends that the OPC should develop and publish guidance on the meaning of the term ‘reasonable steps’ in this context. The OPC guidance will complement more specific guidance provided in certain contexts—for example, the agency-specific requirements set out in the PSM and ACSI 33.

28.35 Implementing privacy-enhancing technologies will be one of the main ways through which agencies and organisations will comply with the requirement to take steps to prevent the misuse and loss of personal information. Accordingly, the ALRC recommends that relevant technological developments, including encryption techniques, should be included in the OPC’s guidance on this issue.

28.36 The ALRC acknowledges the OPC’s concerns about the expertise required to provide guidance on relevant technological developments. There are a number of ways, however, in which the OPC could provide such guidance. One example is the Good Practice Note on the security of personal information issued by the United Kingdom Information Commissioner’s Office. This document—without mandating or endorsing specific standards or technologies—refers readers to other sources of information, including relevant international and national standards.[42] A similar framework could be adopted by the OPC.[43]

28.37 The ALRC also recommends that the Privacy Act be amended to empower the Privacy Commissioner to establish expert panels at his or her discretion. In particular, the OPC could use expert panels to develop education and guidance materials relating to new and developing technologies.[44] The OPC also could consult with other bodies with expertise in the implications of technological developments for data security, for example the DSD.

28.38 Organisational policies and procedures, such as staff training programs and the physical security of paper-based and electronic information, also will be important measures to protect personal information. The ALRC recommends, therefore, that these measures also should be addressed in the OPC guidance.

28.39 Proportionality considerations are implicit in the requirement to take ‘reasonable steps’. That is, whether a particular security measure is determined to be a reasonable step for an agency or organisation to take in any given situation will depend upon factors such as the: likelihood and severity of harm threatened; sensitivity of the information; and cost of implementation. Further, where a security measure, in and of itself, could be an interference with privacy this will be a relevant factor in assessing its reasonableness.

28.40 This can be illustrated by the following example. An organisation may hold personal information electronically. To verify that an individual is entitled to access the relevant information, the organisation seeks responses to a number of questions. These questions require the individual to provide further personal information. It is logical that, when assessing whether this constitutes a ‘reasonable step’ to protect personal information from misuse or loss, the organisation’s collection of additional personal information should be taken into account. The ALRC recommends, therefore, that proportionality considerations should be included in the OPC guidance on this issue.

Recommendation 28-3 The Office of the Privacy Commissioner should develop and publish guidance about the ‘reasonable steps’ agencies and organisations should take to prevent the misuse and loss of personal information. This guidance should address matters such as the:

(a) factors that should be taken into account in determining what are ‘reasonable steps’, including: the likelihood and severity of harm threatened; the sensitivity of the information; the cost of implementation; and any privacy infringements that could result from such data security steps; and

(b) relevant security measures, including privacy-enhancing technologies such as encryption, the security of paper-based and electronic information, and organisational policies and procedures.

[16] See, for example, R Blakely, ‘Data ‘Fiasco’ Leads to Calls for Law Changes’, Times Online (online), 20 November 2007, <http://business.timesonline.co.uk>; P Wintour, ‘Lost in the Post—25 Million at Risk After Data Discs Go Missing’, The Guardian (online), 22 November 2007, <http://politics
.guardian.co.uk>
.

[17]Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998), 3.

[18]Australian Government Attorney-General’s Department, Protective Security Manual (PSM 2005) <www.ag.gov.au/www/agd/agd.nsf/Page/National_security> at 8 April 2008.

[19] Australian Government Defence Signals Directorate, Australian Government Information and Communications Technology Security Manual (ACSI 33) (2007).

[20]Office of the Federal Privacy Commissioner, Security and Personal Information, Information Sheet 6 (2001), 1–4. The OPC has suggested similar security measures in the context of agencies: see Office of the Federal Privacy Commissioner, Plain English Guidelines to Information Privacy Principles 4–7: Advice to Agencies about Storage and Security of Personal Information, and Access to and Correction of Personal Information (1998).

[21] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), [7.56]–[7.63].

[22]Ibid, UPP 8(a).

[23]Ibid, Proposal 25–3.

[24]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[25]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[26]Ibid.

[27]Australian Privacy Foundation, Submission PR 553, 2 January 2008.

[28]Australia’s National Computer Emergency Response Team, Submission PR 474, 14 December 2007.

[29]Confidential, Submission PR 570, 13 February 2008; Australian Government Department of Families‚ Housing‚ Community Services and Indigenous Affairs, Submission PR 559, 15 January 2008; Australian Federal Police, Submission PR 545, 24 December 2007; Australian Direct Marketing Association, Submission PR 543, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; Australia Post, Submission PR 445, 10 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007.

[30]GE Money Australia, Submission PR 537, 21 December 2007; Microsoft Asia Pacific, Submission PR 463, 12 December 2007.

[31]Public Interest Advocacy Centre, Submission PR 548, 26 December 2007.

[32]Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007.

[33]Medicare Australia, Submission PR 534, 21 December 2007.

[34]Office of the Privacy Commissioner, Submission PR 499, 20 December 2007.

[35]Australian Federal Police, Submission PR 545, 24 December 2007; Australian Government Department of Defence, Submission PR 440, 10 December 2007.

[36]Australian Privacy Foundation, Submission PR 553, 2 January 2008; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007. The draft Asia-Pacific Privacy Charter, for example, provides that ‘security safeguards should be proportional to the likelihood and severity of the harm threatened, the sensitivity of the information and the context in which it is held’: Asia-Pacific Economic Cooperation, APEC Privacy Framework (2005), [22].

[37]Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007.

[38] See Ch 51.

[39] Rec 18–1.

[40] See Ch 18.

[41] See Ch 24.

[42] United Kingdom Government Information Commissioner’s Office, Data Protection Good Practice Note—Security of Personal Information (2007).

[43] In Ch 10, the ALRC notes that mandating standards in regulations could have unintended consequences in the face of rapid technological development. The ALRC recommends, however, that in carrying out its functions under the Privacy Act, the OPC should have reference to the work of national and international standards bodies.

[44] See Rec 46–5.