Australian Information Commissioner releases a consultation draft “Guide to Information Security”.
December 10, 2012 |
The Australian Privacy Commissioner has released a Guide to information security.
It is a comprehensive document. It is worth extracting some of the opening passages, such as “The purpose of the guide”, which provides:
This guide provides guidance on the reasonable steps entities are required to take under the Privacy Act 1988 (Cth) to protect the personal information they hold from misuse, loss and from unauthorised access, use, modification or disclosure.
This guide is aimed at helping entities meet their Privacy Act obligations by:
- outlining the circumstances that can affect the assessment of what steps are reasonable to take, and
- providing examples of steps and strategies which may be reasonable for an entity to take.
This guide highlights the importance of preventative measures as part of an entity’s approach to information security. Such measures can assist in minimising the security risks to personal information.
Although this guide is not binding, the Office of the Australian Information Commissioner (OAIC) will refer to this guide when assessing an entity’s compliance with its information security obligations in the Privacy Act.
The key messages are described as:
- This guide provides guidance on information security, specifically the reasonable steps entities are required to take under the Privacy Act 1988 (Cth) to protect the personal information they hold.
- This guide discusses some of the circumstances that the Office of the Australian Information Commissioner takes into account when assessing the reasonableness of the steps taken by entities to ensure information is kept secure. It also presents a range of steps and strategies that may be reasonable for an entity to take in order to secure personal information.
- What is reasonable may vary between entities and may also change over time. Therefore it is important that entities regularly review the relevance of security measures which protect personal information.
- In some circumstances the use of electronic and online records can increase the possibility of personal information being misused, lost or inappropriately accessed, modified or disclosed. It is critical that entities consider the steps and strategies required to protect and secure personal information they hold in order to meet the Privacy Act’s requirements.
- Entities should build privacy into their processes, systems, products and initiatives at the design stage. This, and other preventative steps, assists entities to ensure that they have appropriate measures in place to minimise the security risks to personal information they hold.