The Privacy Commissioner issues Guide to securing personal information

January 28, 2015

The Privacy Commissioner has issued the Guide to securing personal information. It has been long awaited. While it will be an important resource for privacy law practitioners, guiding them in developing processes, spending on security and setting priorities, it is drawn broadly and sets the regulatory bar quite low compared to what it could be. It suffers from generally described factors drafted in imprecise terms. As a consequence, either further elaboration will be required or, more likely, it will fall to the Privacy Commissioner through enforcement action or, preferably, the Federal Court to set down principles and standards drafted with more legal rigour. The problem with that latter approach has been the relative inactivity on the regulation and enforcement front by the Privacy Commissioner since he received his new enforcement powers almost 11 months ago.

The guideline has attracted particularly strong criticism in the Australian piece, Security experts slam new privacy guidelines, which provides:

SECURITY experts have slammed new privacy law guidelines which they claim send a weak message and let businesses off the hook should they fall prey to hackers.
However, legal experts say it isn’t an open-and-shut case.
The Office of the Australian Information Commissioner last week released the Australian Privacy Principles guidelines, which are a crucial tool in the lead-up to March 12, when new privacy laws kick in.
Agencies and companies can be fined up to $1.7 million and individuals $340,000 for serious or repeated invasions of privacy.
Phil Kernick, CQR national head of information security, said the guidance “wildly underwhelms me since businesses won’t be held liable if they get hacked”.
Mr Kernick said the guidance states that organisations won’t be held accountable for the exposure of personal information if it happens as a result of a cyber attack and if the OAIC was satisfied that ‘reasonable steps’ were taken to prevent them.
He said that if an organisation does get hacked then by definition reasonable steps were not taken to guard against the breach.
“The OAIC has watered this down and they should be taking all measures possible to make business do the right thing by consumers.
“The guidance implies that organisations are to a degree defenceless to certain kinds of cyber attacks, which is untrue. It sends the wrong ‘governance’ message,” he said.
Mr Kernick said businesses “are going to love the new privacy laws because it lets them off the hook and they do just the bare minimum to protect consumers’ personal information”.
“Why would they bother taking it seriously?” he asked.
But Matthew McMillan, a partner at law firm Henry Davis York, said he didn’t consider the issue as “black and white as that”.
“The reasonable steps test recognises that not all organisations and data risks are the same,” Mr McMillan said.
“The question whether an organisation has taken reasonable steps to protect the information it holds from unauthorised access needs to be considered on a case-by-case basis, and will depend on such matters as the sensitivity of the data involved, the nature of the organisation handling the information and the possible adverse consequences for the individual.
“Certainly, this test would require someone like a bank, for example, to take rigorous steps around data governance and the management of security given the sensitivity of the financial information which it handles,” Mr McMillan said.
He said that while the “practicability of taking certain steps is a relevant consideration”, the guidelines make the point that an organisation is not excused from taking particular steps just because it would be inconvenient, time-consuming or costly to do so.
“The burden on the organisation must be excessive before it is excused. Organisations ought, therefore, to be aware that steps which they consider to be ‘reasonable’ may not necessarily be enough to meet their legal obligations,” Mr McMillan said.
He said what constitutes reasonable steps will depend on particular circumstances, but could include taking steps and implementing strategies to manage governance, security (which includes ICT, physical and personnel security), data breaches, workplace policies, training, the information handling life cycle, compliance with standards, and regular monitoring and review.
The OAIC has released an information security guide which provides examples of steps that it may be reasonable for an organisation to take in that regard.
Mr McMillan said the OAIC will have regard to a range of factors when determining what constitutes ‘reasonable steps’.
“(This includes) the amount and sensitivity of the personal information involved such as more rigorous steps will be required in the case of large quantities of sensitive information, the nature of the organisation (including its size, resources and business model).”
The possible adverse consequences for the individual (eg more rigorous steps will be required as the risk of adversity increases) and the nature of the organisation’s information handling practices, including how it collects, uses and stores personal information and the extent to which such practices are outsourced to third parties, could also fall into the ‘reasonable steps’ basket, Mr McMillan said.

It is hard to cavil with those criticisms. And the muted defence of the guidelines by the quoted lawyer highlights the “on the one hand and on the other hand” weighing of general principles which, taken as a whole, would lead organisations to conclude that the risk of exposure and prosecution is quite low. That is a poor regulatory outcome.

The sober reality is that many hacks result from poor privacy processes, inadequate cyber security, a failure to maintain programs and woeful privacy training. Almost invariably these are problems that could have been resolved, thereby avoiding the attack. The guideline has attracted some comment in the media, such as the straight-up reporting in Insider threat, cloud make OAIC’s privacy checklist.
