Chapter 14


Chapter 14

Australian Privacy Principle 11–security of personal information

Introduction

14.1      Australian Privacy Principle 11 (APP 11) protects personal information by imposing specific obligations on both agencies and organisations which hold that information. The principle also provides that entities take reasonable steps to destroy or de-identify the personal information once it is no longer needed. The Companion Guide noted that keeping personal information for only as long as 'reasonably necessary is an effective way of reducing the risk that it may be mishandled'. In addition, these obligations are in line with international best practice on privacy protection.[1]

Background

14.2      There are currently requirements within the National Privacy Principles (NPPs) and Information Privacy Principles (IPPs) which ensure agencies and organisations protect the personal information in their possession. NPP 4 requires organisations to take reasonable steps to protect personal information from misuse and loss and from unauthorised access, modification or disclosure as well as taking reasonable steps to destroy or de-identify information no longer needed.

14.3      IPP 4 requires that personal information is protected, by such security safeguards as it is reasonable in the circumstances to take, against loss, against unauthorised access, use, modification or disclosure, and against other misuse. If the personal information is provided to a service provider, everything reasonably within the power of the agency is to be done to prevent unauthorised use or disclosure of information contained in the record.

14.4      The Australian Law Reform Commission (ALRC) noted the importance of a data security principle in privacy legislation, which is reflected by the provisions set out for both agencies and organisations to 'take reasonable steps to maintain the security of the personal information that they hold'. In addition, there are a number of international instruments relating to privacy which ensure the security of personal information.[2]

14.5      The ALRC review focussed on:

  • how agencies and organisations should fulfil their data security obligations during the active life of records that contain personal information;
  • disclosure of personal information to third parties; and
  • the obligations of agencies and organisations to destroy or render non-identifiable personal information when it is no longer needed.

14.6      The ALRC recommended the data security principles be consolidated and simplified into a single principle. However, the ALRC commented that a consolidated principle would 'need to be sufficiently flexible to accommodate the differences' between the functions of the private sector and the public sector.[3]

14.7      The ALRC went on to comment that the criteria in the principle should ensure that personal information is 'protected from misuse and loss and from unauthorised access, modification or disclosure'. The ALRC explained that 'these criteria balance the role of the "Data Security" principle and those acts and practices that can be regulated more appropriately through other privacy principles'. Furthermore, the ALRC noted that some authorised access, use and disclosure can be improper and would not be regulated by the criteria above and are regulated elsewhere in the privacy principles by the data quality and use and disclosure principles.[4]

14.8      The ALRC also commented on the issue of personal information exchanged over the internet and whether it should be regulated by provisions in this principle. However, in keeping with the recommendation to keep the privacy principles technologically neutral, the ALRC considered that this step would not be necessary.[5]

14.9      In relation to the requirement on entities to take 'reasonable steps' to prevent the loss and misuse of personal information, the ALRC commented that 'implementing privacy-enhancing technologies will be one of the main ways through which agencies and organisations will comply with the requirement'. The ALRC acknowledged concerns by the Office of the Privacy Commissioner (OPC) on providing appropriate guidance on technological developments and recommended 'that the Privacy Act be amended to empower the Privacy Commissioner to establish expert panels at his or her discretion' to provide guidance on privacy-enhancing technologies.[6]

14.10         The ALRC considered the requirement of IPP 4 that provides that if an agency discloses personal information to a third party to carry out a service, the agency is required to take steps to prevent the unauthorised use and disclosure of this personal information by the third party involved. The ALRC did not recommend that such a requirement be included in the 'Data Security' principle. It noted that agencies remain regulated by section 95B of the Privacy Act[7] which provides that an 'agency must take contractual measures to ensure that contracted service providers do not breach the privacy principles'. However, the ALRC commented that its position assumed implementation of a number of other recommendations including removal of the small business exemption from the Privacy Act and changes to the cross-border flow of data provisions. If these recommendations are implemented, the ALRC concluded that 'there will be few, if any, situations where a contracted party will not be under an obligation to comply with the Privacy Act.[8]

14.11         However, the ALRC remarked that if the above recommendations are not implemented 'then a requirement for organisations to take steps to protect information disclosed to a third party...will be an integral component of the Privacy Act'.[9]

14.12         In relation to the provision to de-identify personal information that is no longer needed, the ALRC recommended the phrase 'render de-identifiable' be used instead the NPP 4 wording of  'permanently de-identify'. The ALRC noted that this rephrasing would make it clearer that data destruction should include the prevention of re-identification of data in the future.[10]

14.13         Another concern raised during the ALRC review was the possible conflicts between the requirement to destroy data and the requirements of agencies to retain information. According to the ALRC, '[t]he data destruction requirement included in the "Data Security" principle must be worded so as to accommodate the various reasons why agencies and organisations may need to retain personal information'.[11] The ALRC noted that agencies are prohibited by the Archives Act 1983 to destroy Commonwealth records without the permission of the National Archives, subject to certain exceptions. The ALRC noted however that the interaction between subsection 24(2) of the Archives Act and the destruction requirements of the Privacy Act were not clear. The ALRC recommended that 'agencies responsibilities under the Archives Act should take precedence over the data destruction requirement in the data security principle'.[12]

14.14         Another issue raised in the ALRC review was the concept of giving an individual the right to request an agency or organisation to destroy personal information that relates to that individual. The ALRC did not support this approach to data destruction, noting that it would be too rigid and would encourage destruction even when another method of dealing with the information may be more appropriate for example, rendering the information non-identifiable. The ALRC noted that rendering information non-identifiable still allows entities to evaluate the effectiveness of their projects, while not conflicting with the archives legislation obligations and ensuring that personal information is secure.[13]

14.15         In relation to guidance, the ALRC recommended that the OPC develop and publish guidance on matters including what constitutes 'reasonable steps' to prevent the misuse and loss of personal information by organisations and agencies; when it is appropriate to destroy or render non-identifiable personal information; the interaction between the data destruction requirements and legislative records retention requirements; and the manner in which personal information should be destroyed or rendered non-identifiable.[14]

Government Response

14.16         The Government responded positively to all the recommendations made by the ALRC in regards to the data security principle. The Government accepted that a data security principle should ensure the protection of personal information from loss and misuse, as well as the requirement to destroy and render non-identifiable information that is no longer needed. The Government noted that in relation to data destruction, the requirements on agencies to destroy or retain information as set out by the Archives Act 1983 would not be affected.

14.17         The response supported the ALRC recommendations to have the OPC develop and publish guidelines on what constitutes 'reasonable steps' and the expected requirements on entities to destroy or render personal information non-identifiable.[15]

Issues

14.18         The issue of security of personal information was important to many of the submitters to this inquiry. Microsoft commented that 'security as an absolutely critical element of a privacy framework. Poor security makes privacy impossible.'[16] The Office of the Victorian Privacy Commission welcomed APP 11, remarking that it largely mirrors NPP 4 and Victorian IPP 4.[17] Similarly, the Australian Institute of Credit Management supported this principle and Yahoo!7 broadly agreed with its flexible approach.[18]

Structure

14.19         As discussed in the previous chapter, Privacy NSW suggested that APP 10 and APP 11 should be relocated within the legislation to better reflect the information cycle, that is, the quality principle and the security principle should be placed after the notification principle and before the use and disclosure principle.[19]

Protecting personal information

14.20         APP 11(1) provides that an entity must take such steps as are reasonable in the circumstance to protect information from misuse, interference and loss and from unauthorised access, modification or disclosure. The Office of the Health Services Commissioner Victoria indicated support for APP 11(1) as did the Australian Bankers' Association (ABA) which welcomed the stronger emphasis on 'organisations to take all reasonable steps to ensure their systems and processes are secure'.[20] Other submitters commented on the 'reasonable steps' requirement, the protection of information accessed by contractors to agencies, and the inclusion of the term 'interference'.[21]

14.21         Microsoft submitted that 'getting security right is a bit more objective than some other aspects of privacy' and that the APPs could 'accommodate some more specific tests provided these did not affect cost effectiveness and were conducive to innovation'. In support of this view, Microsoft suggested 'a specified list of factors in the data security principle to help guide any determinations as to whether an organisation has taken "reasonable steps" to secure personal information it holds'. Microsoft has suggested this list be included in the legislation, or at least included with guidance issued by the Office of the Australian Information Commissioner once the legislation is in place.[22]

14.22         The NSW Department of Justice and Attorney General commented on the security requirements for information held by agencies which may be accessed by a contractor. It noted that, under section 95B of the Privacy Act, an agency must take contractual measures to ensure that contracted service providers do not breach the privacy principles. However, APP 11 imposes no such requirement. While many organisations will be subject to APP 11, the small business exemption means that some organisations which may handle very sensitive personal information will not fall within the ambit of APP 11. The NSW Department of Justice and Attorney General recommended that consideration be given to replicating the requirement imposed on agencies by section 95B (and NSW legislation) 'in any model privacy laws if it is not to be provided for in the APPs'.[23]

14.23         The security of information in the hands of a contractor was also raised by the Privacy Interest Advocacy Centre (PIAC) in its submission to the ALRC review. PIAC stated that it was important to 'ensure that the data disclosed to third parties under contractual arrangements is maintained'.[24]

14.24         The National Association of Information Destruction (NAID-Australasia) suggested that APP 11 include a direction to entities that data protection policies and procedures be documented in writing. NAID-Australasia suggested that benefits would arise from such a requirement: having written policies and procedures is the only way to ensure that employees and vendors are given proper direction; and written policies and procedures is the only way an entity can demonstrate that it comprehends and takes its responsibilities to protect personal information seriously.[25]

Use of the term 'interference'

14.25         The ABA commented on the inclusion of the term 'interference' in APP 11(1)(a), and noted it is not present in the corresponding NPP. The ABA stated that it is not clear what the term intends to address, and sought specific guidance, with examples, on how it may occur and how 'interference' differs from the other listed factors of 'misuse', 'unauthorised access' and 'modification'.[26] The Australian Direct Marketing Association (ADMA) also noted the inclusion of the new term 'interference' in APP 11 and commented that the term is used broadly and without proper definition. ADMA sought further clarification on 'how broadly the obligations that stem from this inclusion would be expected to apply'.[27]

14.26         Telstra expressed a similar view and went on to state that 'interference' could be viewed as 'unlawful interception' which requires further technological protections and 'degrees of encryption'. Telstra commented this could 'unfairly impose responsibility for external events or attacks' on organisations and lose the technologically neutral objective of the legislation. Telstra suggested the removal of the term 'interference'.[28]

14.27         The Department of the Prime Minister and Cabinet responded to these concerns and stated:

The inclusion of 'interference' in APP 11 is intended to recognise that attacks on personal information may not be limited to misuse or loss, but may also interfere with the information in a way that does not amount to a modification of the content of the information (such as attacks on computer systems). It is correct that this element may require additional measures to be taken to protect against computer attacks etc, but the requirement is conditional on steps being 'reasonable in the circumstances'. Practical measures by entities to protect against interference of this nature are becoming more commonplace.

The use of the term 'interference', which focuses on the activity rather than the means of the activity, ensures that the technologically neutral approach to the APPs is retained.[29]

Destruction of personal information

14.28         APP 11(2) provides for the destruction of records no longer required. NAID-Australasia supported information destruction as being a reasonable precaution for the security of personal information. However, it noted that the concept of destruction is often misunderstood, and gave the example of organisations relying on 'casual disposal or simple recycling as methods of destruction'. In order to clarify the meaning of destruction, NAID-Australasia recommended a definition of destruction within the definition section of the legislation. NAID-Australasia believed 'it is possible to define "destruction" while remaining technologically neutral, reasonable and non-descriptive'.[30]

14.29         The Office of the Health Services Commissioner Victoria commented that the provisions of APP 11(2) are not appropriate for the health industry as 'there may be a lapse of time in people re-presenting for treatment, or there may be medical conditions that are slow to progress'. The Commission recommended that a minimum retention period for records be included in this principle, as is the case in Victoria, where the Health Records Act provides for a minimum retention period of seven years for health records. The Commission recommended that state and federal laws should continue to operate side by side, to ensure the seven year retention period is maintained.[31]

14.30         The Financial Services Council (FSC) requested further guidance on when it is appropriate to destroy or de-identify personal information, and the 'interaction between data destruction requirements and legislative record retention requirements'. The Council stated that retaining records for seven to ten years from the last date of interaction with the client is standard practice in the financial services industry and recommended that the requirement to destroy or de-identify personal information 'commence after other legal requirements for record retention timeframes have been met'.[32]

14.31         Yahoo!7 suggested that the provisions for the retention of personal information rely on 'legitimate business purposes' rather than the purposes of APP 10 and APP 11.[33]

14.32         Google Australia stated that subsection APP (2)(c) should be amended to allow for compliance with foreign laws. Google noted that they conduct business worldwide and are required to comply with both Australian Privacy Laws and Foreign Privacy Laws.[34] (The committee has commented on this matter in chapter 3, see paragraphs 3.77–78.)

14.33         Privacy Law Consulting Australia raised concerns about this privacy principle conflicting with section 24 of the Archives Act and creating a circular process of interaction between the provisions of the two Acts. The Consultancy suggested including information within APP 11 to explain its interaction with section 24 of the Archives Act.[35] Similar points were raised by the ALRC (see para 14.18). The Government response stated that the ALRC's recommendation in relation to destruction or de-identifying information 'does not affect the operation of the Archives Act 1983 on how agencies retain personal information'.[36]

Conclusions

14.34         The issue raised by the NSW Department of Justice and Attorney General and the Privacy Interest Advocacy Centre concerned the protection of information held by agencies which may be accessed by third parties, for example, contractors. The committee notes that the ALRC did not recommend such a requirement. Further, the ALRC commented that agencies remain subject to section 95B of the Privacy Act which provides that an agency must take contractual measures to ensure that contracted service providers do not breach the privacy principles. The Government has not indicated that a provision similar to section 95B will not be retained in the new Act. However, the committee will consider this matter further when the relevant exposure draft is provided.

14.35         In relation to comments concerning the inclusion of the term 'interference' in APP 11(1)(a), in particular that its meaning is unclear, the committee notes that the department has indicated that 'interference' is intended to recognise that attacks on personal information may not be limited to misuse or loss, but may also interfere with the information in a way that does not amount to a modification of the content of the information. The department provided the example of 'interference' through an attack on a computer system. The committee considers that this is an essential protection for personal information and supports the inclusion of the term 'interference'. However, the committee believes compliance with this principle would be improved if the term 'interference' was defined or a note was included to explain its meaning.

Recommendation 24

14.36         The committee recommends that a definition of the term 'interference' used in proposed APP 11(1)(a), pertaining the security of personal information, be provided or a note included in the legislation to explain its meaning in this context.

14.37         The committee considers that the destruction of personal information no longer required is an important matter. The committee notes the concerns raised by NAID-Australasia that destruction of information is often misunderstood and approached in a less than appropriate manner. The committee considers that it will be important that guidance is provided in relation to what constitutes 'destruction' in relation to personal information. The committee also notes that submitters called for guidance on range of other matters and that the need for guidance from the Office of the Australian Information Commission was recommended by the ALRC and accepted by the Government.

Recommendation 25

14.38         The committee recommends that the Australian Information Commissioner provide guidance on the meaning of 'destruction' in relation to personal information no longer required and the appropriate methods of destruction of that information.

14.39         Submitters did not comment on the use of the term 'to ensure that the information is no longer personal information' in relation to APP 11 however, comments were made in relation to APP 4, see chapter 7.

Navigation: Previous Page | Contents | Next Page