This post was written with Nicole Stephensen from Ground Up Privacy.
With the introduction of the first tranche of the long-awaited reforms to the Privacy Act on 12 September 2024, organisations should – if they haven’t already – start to prepare for one of the most important changes that will impact their business: clarification of what it means to take ‘reasonable steps’ to secure personal information through its lifecycle.
All organisations that collect personal information whether about customers, clients, service recipients (like patients and students), job applicants and employees will be impacted, whether their personal information holdings are limited or vast.
For many businesses, this information can be commercially sensitive – and highly valuable (particularly for FMCG businesses) in understanding consumer buying patterns and preferences to inform targeted advertising campaigns and drive business decisions.
While data (including personal information) can be an asset, it is also a potential liability and can make an organisation a target for cyber criminals and other threat actors. The wave of high-profile data breaches in recent years (think Optus, Medibank and Latitude) have highlighted this.
Organisations are already required under the Privacy Act to take reasonable steps to secure personal information they hold. The Privacy and Other Legislation Amendment Bill 2024 (Privacy Bill) once passed would strengthen this requirement by clarifying that “reasonable steps” includes both technical and organisational measures. We also expect the OAIC will provide additional guidance about what reasonable steps an entity should take to keep personal information secure.
Your organisation’s risk profile
What constitutes “reasonable steps” will depend on several factors, like the nature of your business, the amount and sensitivity of the personal information you hold and the risks to that information. A Rule of Thumb is a general approach to decision making that can be applied consistently based on known factors. In the case of what determines “reasonable steps”, the privacy Rule of Thumb is: The higher the risk of unauthorised access or activity involving the personal information (and/ or potential harm to the person that information is about), the more robust your security controls need to be.
What risk looks like for every organisation will be different. Healthcare, policing, corrections, education, banking and financial services need to consider what their unique privacy risk profile includes. For example, in motor vehicle insurance, if there’s a risk that a client’s accident claim records could be accessed without authorisation and leaked publicly, this signals a need to apply robust controls to help prevent the risk from materialising.
Step by step: what is “reasonable”?
Understanding the nature of your organisation’s compliance risk under the Privacy Act (including whether you need to hold the personal information in the first place) and the risk to individuals in the event of a data breach, is the first step in determining what “reasonable steps” are for your organisation. This understanding then informs the assessment of appropriate technical and organisational measures required to address these risks and ensure your organisation meets Privacy Act requirements and community expectations. It can also help mitigate the risk of a data breach.
This initial risk assessment involves:
-
- Conduct an information audit: Understand exactly what personal (including health or other sensitive) information you hold across all databases and systems. You might consider using data accountability tools to help with this.
-
- Map your risk: Identify legitimate use of the personal information (for example, the running of the business) and potential misuse (such as unauthorised access, use or disclosure) and the risk of harm to individuals or another party (for example, the impact of health or financial information being made public).
-
- “Reasonable steps” – a three-tiered approach: Determine what administrative, technical and physical controls you have or need to put in place, relative to the risk:
-
- Administrative: This should focus on organisational governance: for example, your procurement processes, contract management, relevant policies, procedures and guidelines, and ongoing training for employees about collection and handling of personal information in their work.
-
- Technical: Technology-based processes are the focus here: for example, role-based access to information with unique access credentials, using phishing resistant multifactor authentication as an added security layer, and routine system audits.
-
- Physical: This includes mechanisms that protect and prevent unauthorised access to physical facilities and resources: for example, locked doors, gates, access codes and employee identification cards.
-
- “Reasonable steps” – a three-tiered approach: Determine what administrative, technical and physical controls you have or need to put in place, relative to the risk:
How we can help
The clarification to what it means to take “reasonable steps” (that is, applying the privacy Rule of Thumb in practice) is just one of the reforms to the Privacy Act introduced by the Privacy Bill. This is the first tranche of reforms, with further amendments to the Privacy Act anticipated to be introduced following further consultation.
Overall, the reforms to the Privacy Act will place more onus on organisations to be proactive, not reactive, when it comes to the management of personal information. The key take away message is that privacy program uplift must be a top priority for organisations – and this is not limited to those handling large volumes of customer information, highly sensitive data, or planning high privacy risk projects and activities in the future.
Here at Helios, our multidisciplinary team offers a full commercial lens to help organisations navigate these changes from a holistic perspective, taking legal, privacy, information security and governance considerations together.
This allows us to deeply understand the operational challenges our clients face and provide fit-for-purpose solutions that you can readily implement, ensuring that your compliance and risk management measures are both robust and practical in the real world.
Want to learn more? Let’s talk.