The Office of the Australian Information Commissioner (OAIC) has released comprehensive revised guidance on the information security measures it expects organisations to have in place to stay on the right side of the amended Privacy Act.

The amended legislation, which applies to most entities with an annual turnover above $3 million, means that if a company's stores of personal information are accessed, modified, disclosed or lost without authorisation, the entity will be held in breach of the Act unless it took "reasonable steps" to protect that data in the first place. Since March, the OAIC has been able to seek civil penalties of up to $1.7 million for serious or repeated interferences with privacy.
But exactly what these "reasonable steps" involve is a question that has puzzled Australian business since the legislation was unveiled.
To address the uncertainty, the OAIC today released a revised version of its guide to securing personal information.
The document is not binding, but the Office said it is the checklist it plans to use when assessing whether an entity has met its security obligations under the Privacy Act, including after a data breach.
The OAIC has previously said it looks at personal information in terms of life cycles, and will not accept a ‘tick the box once’ approach to securing data.
From the top down, the Office advised that entities would be well placed to start with a privacy impact assessment (PIA) for every system handling personal information, identifying the privacy risks of that system and the ways to address them.
The PIA will need to be reviewed periodically, and again whenever something material changes, such as a software update or a change in information handling practices.
The privacy authority will also be looking for clear lines of accountability when it comes to privacy compliance.
It said it expects no less than "a governing body, committee or designated individual/s who are responsible for defining information security measures and plans to implement those measures".
Once these are in place, companies should develop a data breach policy and response plan, including clear guidance on who needs to be notified in the event of a breach, whether accidental or malicious, and make sure that all staff are aware of it and understand its contents.
The OAIC also reminded organisations that they are obliged to destroy or de-identify personal information once it is no longer needed for the purpose it was collected for.
The Office emphasised that information can only be treated as "destroyed" when it can no longer be retrieved, so throwing hardcopies in the bin rather than pulping or shredding them is not up to scratch, and the same standard applies to deleted electronic records that could still be recovered from the underlying storage.
At a more hands-on level, the OAIC offered up a lengthy list of infosec practices it expects entities to be adopting, including:
- Maintaining an information asset register
- Always keeping software patches up to date
- Whitelisting and/or blacklisting applications
- Deploying security software across all network components
- Maintaining an intrusion detection system and retaining event logs
- Segmenting the network into security zones, with the level of protection for each zone matched to its level of risk
- Independent penetration testing at regular intervals
- Making sure personal information hosted on web servers can only be accessed by authenticated and authorised users
- Independently assessing the security and compliance of third party contractors that host data
The instructions may seem like common sense in an enterprise environment, but the Office noted that many major organisations have still fallen short of them in the past.
“Human error is regularly claimed as the cause of privacy incidents, however it usually only occurs where entities do not have a privacy culture, training and appropriate practices, procedures and systems,” it advised in the guidelines.
The OAIC is inviting feedback on the guidance until Wednesday 27 August 2014.