Privacy Commissioner inviting comments on its Guides to Information Security

August 6, 2014 |

Curiously, the Privacy Commissioner has today, 6 August, published on the OAIC web site a notice titled Consultation on the revised Guide to information security, although it is dated Monday 4 August. Time must move more slowly in Canberra.

The consultation period stated in the notice closes on Wednesday 27 August 2014. That is 3 weeks from today. Given the nature and importance of the issues surrounding information security, what should constitute reasonable steps, and the developments in both overseas law and technology (and otherwise), why such an abridged timetable is warranted is more than a little perplexing.

The Consultation draft is found here.

The Consultation Information is found here and provides:

The Office of the Australian Information Commissioner (OAIC) released the Guide to information security: ‘Reasonable steps’ to protect personal information (Information security guide) in April 2013.

The OAIC’s proposed revisions to the Information security guide have been prompted by the OAIC’s learning and experience regarding information security matters following the guide’s release, as well as recent changes to the Privacy Act 1988 (Cth) (Privacy Act). The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Privacy Amendment Act) introduced several changes to the Privacy Act from 12 March 2014. These changes included the introduction of the Australian Privacy Principles (APPs), which apply to both agencies and organisations and replace the National Privacy Principles and Information Privacy Principles which previously applied. The APPs outline the obligations of APP entities with regards to the security of personal information.

Revised Information security guide

The revised guide provides information on the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The revised guide is aimed at helping entities meet their Privacy Act obligations by:

  • outlining the circumstances that can affect what steps are reasonable for an entity to take
  • providing examples of steps and strategies which may be reasonable for an entity to take.

The revised guide is intended for entities, including Australian and Norfolk Island Government agencies and private sector organisations that are covered by the Privacy Act. It is also relevant to credit reporting bodies, credit providers and tax file number recipients.

Although it will not be binding, the OAIC will refer to the revised guide when assessing an entity’s compliance with its information security obligations in the Privacy Act. 

In addition to revising the guide to reflect changes to the Privacy Act, the OAIC has taken the opportunity to:

  • review and incorporate elements from recent OAIC investigations and assessments which have a bearing on how the OAIC interprets information security obligations under the Privacy Act
  • reword or restructure specific sections of the guide to enhance readability and improve consistency within the document and with the APP guidelines
  • update links to other information security resources.

How to make comments

The OAIC invites your comments on the revised guide.

The closing date for comment is Wednesday 27 August 2014.

Submissions can be made to or GPO Box 5218 Sydney NSW 2001.

While submissions may be lodged electronically or by post, electronic lodgement is preferred. It would also be appreciated if your submission could be provided to us in a web accessible format or, alternatively, in a format that would allow the OAIC to easily convert to HTML code eg: Rich Text Format (.rtf) or Microsoft Word (.doc).

Stimulus questions

To assist you in preparing comments for this consultation, the OAIC has prepared the questions below which are intended to stimulate comments and reflections on the revised guide. They are not intended to confine the issues that may be raised. You may wish to respond to some or even all questions, or to raise other issues related to the guide.

  • Is the revised guide helpful and easy to read?
  • Does the revised guide provide adequate assistance in interpreting the security obligations regarding the handling of personal information in the Privacy Act?
  • Noting that the guide is not intended to be exhaustive, generally are technical issues involving information security, especially in the area of ICT security, accurately and appropriately covered in the revised guide?
  • Are there any other ways in which the revised guide could be enhanced?

Privacy collection statement

The OAIC will use the personal information it collects in the course of this consultation only for the purpose of considering and dealing with submissions.

Submissions may be made anonymously or by using a pseudonym. The OAIC intends to make all submissions publicly available once the consultation period has ended. Please indicate when making your submission if your submission contains confidential information which you do not wish to make public. Requests for access to confidential comments will be determined in accordance with the Freedom of Information Act 1982.
