Much tougher security, deletion and de-identification obligations proposed

Following on from our first three articles, in this article we address the proposals in the Attorney General's Privacy Act Review Report (Report), below we highlight the proposals related to the security, destruction and de-identification of personal information.

The key proposals in the Report in these areas focus on whether APP entities have the correct settings in place to secure personal information they hold and only retain personal information for the time that is necessary and legally allowed.

1. Security of personal information

The Report notes that the current security standard in APP 11.1 of ‘reasonable steps’ for the security of personal information is not, in practice, sufficiently understood or protecting the volumes of data that organisations are accumulating with the technological advancements and frequency of data breaches involving malicious or criminal attacks. The Report's proposals therefore push for clearer guidance on the security, destruction and de-identification of personal information. 

The main proposed amendments to APP 11.1 in relation to the security of personal information are to: 

• Include details of the technical and organisation measures that are included (if not a minimum standard required) in the term ‘reasonable steps’ to clarify the expected scope of measures that APP entities should be taking when protecting personal information.
   
• Develop a list of baseline privacy outcomes (rather than prescriptive measures and factors) that APP entities must consider/achieve when taking ‘reasonable steps’ to protect the personal information they hold. These privacy outcomes will be developed in consultation with industry and the Government and be informed by the Government’s 2023-2030 Australian Cyber Security Strategy. 
   
• Enhance the OAIC Guidelines in relation to ‘reasonable steps’ under APP 11 with technical advice from the Australian Cyber Security Centre to align APP 11 with existing cyber security standards and better practice to enable cohesive understanding of cyber security obligations by APP entities.
   
• Expand the application of APP 11.1 to de-identified information. That is, APP entities must take reasonable steps to also protect de-identified information, but these steps may be of a lower level of protection than of personal information.

These proposals seek to significantly strengthen the security of personal information and apply widely across the economy to ensure a broad uplift in information (or cyber) security in accordance with the Government’s 2023-2030 Australian Cyber Security Strategy.

The proposed security outcomes (i.e. changes) in APP 11.1 will give some certainty which, in practice, does not currently exist. However they will also significantly increase the impact on organisations and their decisions on cyber security, resilience and how to implement effective controls over their data. The security outcome approach provides flexibility for the organisation to achieve and take reasonable steps versus prescriptive (and potentially expensive) factors but failure to meet these outcomes will be harder to justify or excuse. These security outcomes will also enable sectors to further improve their regulated entities’ cyber security and resilience with further specific targeted regulations to come on security arising from the Government's 2023-2030 Australian Cyber Security Strategy.  

2. Destruction, de-identification and retention of personal information

In response to the recent significant cyber incidents and data breaches, while acknowledging the data minimisation principles under the Privacy Act and the breadth and scale of data retention requirements in Federal, State and Territory legislation, the Report proposes to amend APP 11.2 in relation to the destruction and/or de-identification of personal information by:

• Enhancing the OAIC Guidelines to provide detailed guidance that clearly articulates what ‘reasonable steps’ are to be undertaken to destroy or de-identify personal information and to clarify what this obligation entails in context of the types or sensitivity of information, an APP entity’s operations and each specific industry. That is, what does destruction and de-identification mean for you/your industry.
   
• Examining the various legislative retention requirements to determine if the provisions requiring the retaining of personal information balance with the privacy and cyber risks of APP entities in holding significant volumes of personal information after they have used it for the purpose(s) they collected it for.
   
• Requiring APP entities to establish their own maximum and minimum retention time periods in relation to the personal information they hold and requiring that these retention periods should be periodically reviewed. 
   
• Including a requirement in APP 1 that an APP entity’s privacy policy must specify its personal information retention periods.

In our experience, data security and retention practices (i.e. APP 11.1 and 11.2) are currently two of the most problematic areas. It has now, however, become a priority for many organisations holding vast amounts of personal information rich data/records. The Report’s proposals only serve to ensure that data retention will become an even more difficult area. Any outdated, forgotten or missing data management practices (specifically in relation to data retention and/or destruction) must be a target for improvement if these proposals are accepted and enacted by the Government.

Organisations should start to evaluate their data holdings and data management policies now, especially for personal information rich records, with the aim of limiting the volumes of information retained to what is necessary or legally required to be held. In so doing, organisations will minimise their exposure to potentially significant data breaches and the significant amount of uplift that will otherwise be required in this area once the proposals are enacted. 

Next Steps

We provide the above as an overview of some of the key proposals of the Report. Our aim is to raise awareness and alert you to what we perceive as the implications of these key proposals. However, please do not hesitate to reach out if you wish to discuss in more detail any of the above proposals we highlight (or any of the others in the Report) and how they may impact on your specific business, current processes and/or privacy compliance. 

To read the first three articles in the series, please see below - 

Article 1 

Article 2 

Article 3