Towards a single data security principle

28.7 As noted above, agencies and organisations are subject to data security requirements under the IPPs and NPPs respectively. These principles, however, differ in two main respects. First, agencies are obliged to take steps to prevent the unauthorised use or disclosure of personal information that has been disclosed to a third party in connection with the provision of a service to the agency. No equivalent obligation applies to organisations. Secondly, organisations are obliged to take steps to destroy or de-identify personal information that is no longer needed. No equivalent ‘data destruction’ requirement applies to agencies.

28.8 In the Discussion Paper, Review of Australian Privacy Law (DP 72), the ALRC proposed that these differences should be reconciled in order to create a single data security principle that is applicable to agencies and organisations.[7] This proposal reflected the ALRC’s broader policy of consolidating the IPPs and NPPs to create a single set of privacy principles, the UPPs, which generally would be applicable to agencies and organisations.[8]

28.9 Many stakeholders that commented on this proposal supported a single data security principle.[9] Some stakeholders suggested that the ALRC’s proposed requirements for data breach notification[10] should be incorporated into the ‘Data Security’ principle.[11] The Australasian Compliance Institute submitted, for example, that introducing data breach notification provisions suggests that the consequences of non-compliance with the data security principle are not sufficient incentive to ensure compliance.[12]

ALRC’s view

28.10 The model UPPs should contain a single ‘Data Security’ principle that applies to agencies and organisations. This will consolidate and simplify the existing provisions of the IPPs and NPPs that deal with data security. A single ‘Data Security’ principle is also consistent with the ALRC’s recommendation that, unless there is a sound policy reason to the contrary, the privacy principles should apply equally to agencies and organisations.[13]

28.11 While the ‘Data Security’ principle will need to be sufficiently flexible to accommodate the differences between the operation of agencies and organisations, there is no good policy reason for maintaining two separate principles dealing with data security. The appropriateness of including, in the ‘Data Security’ principle, obligations that currently only apply to agencies or organisations—for example, protecting information disclosed to contractors and destroying or rendering non-identifiable information that is no longer needed—is considered below.

28.12 There is a clear connection between compliance by agencies and organisations with the ‘Data Security’ principle and the ALRC’s recommended data breach notification provisions.[14] For example, where an agency or organisation has acted in accordance with its obligations under the ‘Data Security’ principle—such as taking steps to encrypt personal information—exceptions to the data breach notification provisions may apply. The deterrent effect of a data breach notification requirement also will provide increased incentives for agencies and organisations to take seriously their obligations under the ‘Data Security’ principle.

28.13 There are significant differences, however, in the objectives of these provisions and in the regulatory framework through which the ALRC recommends achieving those objectives. The ‘Data Security’ principle provides a broad framework for the protection of personal information by agencies and organisations. As with the other UPPs, the ‘Data Security’ principle is an instance of principles-based regulation. In comparison, the data breach notification provisions require agencies and organisations to take specific steps to ameliorate the harms that flow from a particular breach of data security, namely the unauthorised acquisition of personal information. This is an example of rules-based regulation, which is better placed in the statutory provisions of the legislation than in the principles themselves.[15]

28.14 Due to these differences, it is not appropriate to incorporate the data breach notification provisions into the ‘Data Security’ principle. The ALRC recommends, however, that a note be inserted after the ‘Data Security’ principle alerting agencies and organisations to their obligations under the data breach notification provisions.

Recommendation 28-1 The model Unified Privacy Principles should contain a principle called ‘Data Security’ that applies to agencies and organisations.

Recommendation 28-2 A note should be inserted after the ‘Data Security’ principle cross-referencing to the data breach notification provisions.

[7] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 25–1.

[8] Ibid, Proposal 15–2.

[9] Australian Government Centrelink, Submission PR 555, 21 December 2007; Public Interest Advocacy Centre, Submission PR 548, 26 December 2007; Liberty Victoria—Victorian Council for Civil Liberties, Submission PR 540, 21 December 2007; GE Money Australia, Submission PR 537, 21 December 2007; Medicare Australia, Submission PR 534, 21 December 2007; Optus, Submission PR 532, 21 December 2007; Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Centre for Law and Genetics, Submission PR 497, 20 December 2007; ACT Government Department of Disability, Housing and Community Services, Submission PR 495, 19 December 2007; Office of the Victorian Privacy Commissioner, Submission PR 493, 19 December 2007; Legal Aid Queensland, Submission PR 489, 19 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Privacy NSW, Submission PR 468, 14 December 2007; National Health and Medical Research Council, Submission PR 397, 7 December 2007; Recruitment and Consulting Services Association Australia & New Zealand, Submission PR 353, 30 November 2007. The Australian Direct Marketing Association did not disagree with the proposal: Australian Direct Marketing Association, Submission PR 543, 21 December 2007.

[10] See Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Proposal 47–1.

[11] Office of the Privacy Commissioner, Submission PR 499, 20 December 2007; Cyberspace Law and Policy Centre UNSW, Submission PR 487, 19 December 2007; Australasian Compliance Institute, Submission PR 419, 7 December 2007. The ALRC’s recommended data breach notification scheme is discussed in Ch 51.

[12] Australasian Compliance Institute, Submission PR 419, 7 December 2007.

[13] Rec 18–2.

[14] See Ch 51.

[15] See Ch 4.