Following on from our first three articles on the Attorney General's Privacy Act Review Report (Report), in this article we highlight the Report's proposals relating to the security, destruction and de-identification of personal information.
The key proposals in the Report in these areas focus on whether APP entities have the correct settings in place to secure the personal information they hold, and whether they retain personal information only for as long as is necessary and legally permitted.
The Report notes that the current security standard in APP 11.1, which requires ‘reasonable steps’ to secure personal information, is not, in practice, sufficiently understood, nor is it protecting the growing volumes of data that organisations accumulate as technology advances, at a time when data breaches involving malicious or criminal attacks are frequent. The Report's proposals therefore push for clearer guidance on the security, destruction and de-identification of personal information.
The main proposed amendments to APP 11.1 in relation to the security of personal information are to:
These proposals seek to significantly strengthen the security of personal information and apply widely across the economy to ensure a broad uplift in information (or cyber) security in accordance with the Government’s 2023-2030 Australian Cyber Security Strategy.
The proposed security outcomes (i.e. changes) in APP 11.1 will give some certainty which, in practice, does not currently exist. However, they will also significantly increase the impact on organisations and on their decisions about cyber security, resilience and how to implement effective controls over their data. The security outcome approach gives an organisation flexibility in how it achieves those outcomes and what reasonable steps it takes, as opposed to prescriptive (and potentially expensive) requirements, but a failure to meet the outcomes will be harder to justify or excuse. These security outcomes will also enable sectoral regulators to further improve the cyber security and resilience of their regulated entities, with further specific, targeted security regulations to come under the Government's 2023-2030 Australian Cyber Security Strategy.
In response to recent significant cyber incidents and data breaches, and while acknowledging the data minimisation principles under the Privacy Act and the breadth and scale of data retention requirements in Federal, State and Territory legislation, the Report proposes to amend APP 11.2 in relation to the destruction and/or de-identification of personal information by:
In our experience, data security and retention practices (i.e. APP 11.1 and 11.2) are currently two of the most problematic areas. Data retention has now, however, become a priority for many organisations holding vast amounts of data and records rich in personal information. The Report’s proposals will only make data retention an even more demanding area. Any outdated, forgotten or missing data management practices (specifically in relation to data retention and/or destruction) must be a target for improvement if these proposals are accepted and enacted by the Government.
Organisations should start to evaluate their data holdings and data management policies now, especially for records rich in personal information, with the aim of limiting the volume of information retained to what is necessary or legally required to be held. In doing so, organisations will minimise both their exposure to potentially significant data breaches and the significant uplift that will otherwise be required in this area once the proposals are enacted.
We provide the above as an overview of some of the key proposals in the Report. Our aim is to raise awareness and alert you to what we perceive as the implications of these key proposals. Please do not hesitate to reach out if you wish to discuss in more detail any of the proposals we highlight above (or any of the others in the Report) and how they may impact your specific business, current processes and/or privacy compliance.