Chapter 11: APP 11 — Security of personal information


Version 1.0, February 2014

Contents

  1. Key points
  2. What does APP 11 say?
  3. ‘Holds’
  4. Taking reasonable steps
  5. What are the security considerations?
    1. Misuse
    2. Interference
    3. Loss
    4. Unauthorised access
    5. Unauthorised modification
    6. Unauthorised disclosure
  6. Destroying or de-identifying personal information
    1. Personal information held by an agency
    2. Personal information held by an organisation
    3. Required by or under an Australian law or a court/tribunal order
  7. Taking reasonable steps to destroy or de-identify personal information
    1. Destroying personal information — irretrievable destruction
    2. Destroying personal information held in electronic format – putting beyond use
    3. De-identifying personal information

Key points

  • An APP entity must take reasonable steps to protect personal information it holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.
  • Where an APP entity no longer needs personal information for any purpose for which the information may be used or disclosed under the APPs, the entity must take reasonable steps to destroy the information or ensure that it is de-identified. This requirement applies except where:
    • the personal information is part of a Commonwealth record, or
    • the APP entity is required by law or a court/tribunal order to retain the personal information.


What does APP 11 say?

11.1 APP 11 requires an APP entity to take active measures to ensure the security of personal information it holds,[1] and to actively consider whether it is permitted to retain personal information.[2]

11.2 An APP entity that holds personal information must take reasonable steps to protect the information from misuse, interference and loss, as well as unauthorised access, modification or disclosure (APP 11.1).

11.3 An APP entity must take reasonable steps to destroy or de-identify the personal information it holds once the personal information is no longer needed for any purpose for which the personal information may be used or disclosed under the APPs. This requirement does not apply where the personal information is contained in a Commonwealth record or where the entity is required by law or a court/tribunal order to retain the personal information (APP 11.2).


‘Holds’

11.4 APP 11 only applies to personal information that an APP entity holds. An entity holds personal information ‘if the entity has possession or control of a record that contains the personal information’ (s 6(1)).

11.5 The term ‘holds’ extends beyond physical possession of a record to include a record that an APP entity has the right or power to deal with. For example, an entity that outsources the storage of personal information to a third party, but retains the right to deal with that information, including to access and amend it, holds that personal information.

11.6 The term ‘holds’ is discussed in more detail in Chapter B (Key concepts).


Taking reasonable steps

11.7 The ‘reasonable steps’ that an APP entity should take to ensure the security of personal information will depend upon circumstances that include:

  • the amount and sensitivity of the personal information. More rigorous steps may be required as the quantity of personal information increases, or if the information is ‘sensitive information’ (defined in s 6(1) and discussed in Chapter B (Key concepts)) or other personal information of a sensitive nature
  • the nature of the entity. Relevant considerations include an entity’s size, resources and its business model. For example, the reasonable steps expected of an entity that operates through franchises or dealerships, or gives database and network access to contractors, may differ from the reasonable steps required of a centralised entity
  • the possible adverse consequences for an individual. More rigorous steps may be required as the risk of adversity increases
  • the entity’s information handling practices, such as how it collects, uses and stores personal information. This includes whether personal information handling practices are outsourced to third parties, and whether those third parties are subject to the Privacy Act.[3] If a third party is not subject to the Privacy Act, it may be reasonable for the entity to take steps to ensure the third party meets the entity’s obligations under the Privacy Act, for example through specific privacy obligations in contracts and mechanisms to ensure these are being fulfilled
  • the practicability, including time and cost involved. However, an entity is not excused from taking particular steps to protect information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take particular steps will depend on whether the burden is excessive in all the circumstances
  • whether a security measure is in itself privacy invasive. For example, while an APP entity should ensure that an individual is authorised to access information, it should not require an individual to supply more information than is necessary to identify themselves when dealing with the entity (see also Chapter 12 (APP 12)).

11.8 Reasonable steps could include taking steps and implementing strategies to manage the following:

  • governance
  • ICT security
  • data breaches
  • physical security
  • personnel security and training
  • workplace policies
  • the information life cycle
  • standards
  • regular monitoring and review.

11.9 For further discussion of the relevant considerations, and examples of steps that may be reasonable for an APP entity to take, see the Office of the Australian Information Commissioner’s Guide to information security: ‘reasonable steps’ to protect personal information (OAIC Information Security Guide).[4]


What are the security considerations?

11.10 The six terms listed in APP 11, ‘misuse’, ‘interference’, ‘loss’, ‘unauthorised access’, ‘modification’ and ‘disclosure’, are not defined in the Privacy Act. The following analysis and examples of each term draws on the ordinary meaning of the terms. As the analysis indicates, there is overlap in the meaning of the terms.

Misuse

11.11 Personal information is misused if it is used by an APP entity for a purpose that is not permitted by the Privacy Act. APP 6 sets out when an entity is permitted to use personal information (see Chapter 6). APPs 7 and 9 also contain requirements relating to an organisation’s use of personal information for the purpose of direct marketing, and use of government related identifiers, respectively (see Chapters 7 and 9).

11.12 ‘Use’ is discussed in more detail in Chapter B (Key concepts).

Interference

11.13 ‘Interference’ with personal information occurs where an attack on personal information that an APP entity holds interferes with that information without necessarily modifying its content. ‘Interference’ includes an attack on a computer system that, for example, leads to exposure of personal information.

Loss

11.14 ‘Loss’ of personal information covers the accidental or inadvertent loss of personal information held by an APP entity. This includes when an entity:

  • physically loses personal information, such as by leaving it in a public place, or
  • electronically loses personal information, such as failing to keep adequate backups of personal information in the event of a systems failure.

11.15 Loss of personal information could also potentially occur following unauthorised access or modification of the personal information. However, it does not apply to intentional destruction or de-identification of that personal information that is done in accordance with the APPs.

Unauthorised access

11.16 ‘Unauthorised access’ of personal information occurs when personal information that an APP entity holds is accessed by someone who is not permitted to do so. This includes unauthorised access by an employee of the entity.[5]

Unauthorised modification

11.17 ‘Unauthorised modification’ of personal information occurs when personal information that an APP entity holds is altered by someone who is not permitted to do so, or is altered in a way that is not permitted under the Privacy Act.

Unauthorised disclosure

11.18 ‘Unauthorised disclosure’ occurs when an APP entity makes personal information accessible or visible to others outside the entity, and releases the subsequent handling of that information from its effective control, in a way that is not permitted under the APPs. This includes an unauthorised disclosure by an employee of the entity.[6] The term ‘disclosure’ is discussed in more detail in Chapter B (Key concepts).


Destroying or de-identifying personal information

11.19 An APP entity must take reasonable steps to destroy personal information or ensure it is de-identified if it no longer needs the information for any purpose for which it may be used or disclosed under the APPs (APP 11.2).

11.20 This means that an APP entity will not need to destroy or de-identify personal information it holds if the information is still necessary for the primary purpose of collection or for a secondary purpose for which it may be used or disclosed under APP 6 (see Chapter 6). Where the entity is an organisation and the personal information is needed for the purpose of direct marketing, or is a government related identifier, whether it may be used or disclosed under APPs 7 and 9 may also be relevant (see Chapters 7 and 9 respectively). ‘Purpose’ is discussed in more detail in Chapter B (Key concepts).

11.21 The requirement to take reasonable steps to destroy or de-identify does not apply if personal information is contained in a Commonwealth record, or if an Australian law or a court/tribunal order requires it to be retained (APP 11.2). In practice, this means that different rules apply to agencies and organisations.

Personal information held by an agency

11.22 The term ‘Commonwealth record’ in s 6(1) has the same meaning as in s 3 of the Archives Act 1983 (the Archives Act) and is discussed in more detail in Chapter B (Key concepts).[7] The definition is likely to include all or most personal information held by agencies. It may also include personal information held by contracted service providers.

11.23 If the personal information is contained in a Commonwealth record, the agency is not required to destroy or de-identify the personal information under APP 11.2, even if it no longer needs the personal information for any purpose for which it may be used or disclosed under the APPs. The agency will instead be required to comply with the provisions of the Archives Act in relation to those Commonwealth records.

11.24 A Commonwealth record can, as a general rule, only be destroyed or altered in accordance with s 24 of the Archives Act. The grounds on which this may be done include with the permission of the National Archives of Australia (as set out in a records disposal authority) or in accordance with a ‘normal administrative practice’. See Chapter B (Key concepts) for more information about Commonwealth records.

Personal information held by an organisation

11.25 Where an organisation ‘holds’ personal information it no longer needs for a purpose that is permitted under the APPs, it must ensure that it takes reasonable steps to destroy or de-identify the personal information. This obligation applies even where the organisation does not physically possess the personal information, but has the right or power to deal with it. ‘Holds’ is discussed in more detail in paragraphs 11.4–11.6 above and Chapter B (Key concepts).

11.26 Where an organisation holds personal information that needs to be destroyed or de-identified, it must take reasonable steps to destroy or de-identify all copies it holds of that personal information, including copies that have been archived or are held as back-ups.

11.27 An organisation should have practices, procedures and systems in place to identify personal information that needs to be destroyed or de-identified (see APP 1.2, Chapter 1).

Required by or under an Australian law or a court/tribunal order

11.28 If an organisation is required by or under an Australian law or a court/tribunal order to retain personal information, it is not required to take reasonable steps to destroy or de-identify it (APP 11.2(d)).

11.29 ‘Australian law’ and ‘court/tribunal order’ are defined in s 6(1). The term ‘required by or under an Australian law or court/tribunal order’ is discussed in Chapter B (Key concepts).


Taking reasonable steps to destroy or de-identify personal information

11.30 The ‘reasonable steps’ that an organisation should take to destroy or de-identify personal information will depend upon circumstances that include:

  • the amount and sensitivity of the personal information — more rigorous steps may be required as the quantity of personal information increases, or if the information is ‘sensitive information’ (defined in s 6(1) and discussed in Chapter B (Key concepts)) or other personal information of a sensitive nature
  • the nature of the organisation. Relevant considerations include an organisation’s size, resources and its business model. For example, the reasonable steps expected of an organisation that operates through franchises or dealerships, or gives database and network access to contractors, may differ from the reasonable steps required of a centralised organisation
  • the possible adverse consequences for an individual if their personal information is not destroyed or de-identified — more rigorous steps may be required as the risk of adversity increases
  • the organisation’s information handling practices, such as how it collects, uses and stores personal information, including whether personal information handling practices are outsourced to third parties
  • the practicability, including time and cost involved — however, an organisation is not excused from destroying or de-identifying personal information by reason only that it would be inconvenient, time-consuming or impose some cost to do so. Whether these factors make it unreasonable to take a particular step will depend on whether the burden is excessive in all the circumstances.

11.31 While APP 11.2 requires an organisation to take reasonable steps to either destroy or de-identify personal information, in some circumstances one or the other may be more appropriate (see paragraphs 11.34 and 11.40 below).

Destroying personal information — irretrievable destruction

11.32 Personal information is destroyed when it can no longer be retrieved. The steps that are reasonable for an organisation to take to destroy personal information will depend on whether the personal information is held in hard copy or electronic form.

11.33 For example, for personal information held:

  • in hard copy, disposal through garbage or recycling collection would not ordinarily constitute taking reasonable steps to destroy the personal information, unless the personal information had already been destroyed through a process such as pulping, burning, pulverising, disintegrating or shredding[8]
  • in electronic form, reasonable steps will vary depending on the kind of hardware used to store the personal information. In some cases, it may be possible to ‘sanitise’ the hardware to completely remove stored personal information.[9] For hardware that cannot be sanitised, reasonable steps must be taken to destroy the personal information in another way, such as by irretrievably destroying the hardware itself. Where it is not possible to irretrievably destroy personal information held in electronic format, an organisation could instead comply with APP 11.2 by taking reasonable steps to de-identify the personal information (see paragraphs 11.37–11.41 below), or should put the information beyond use (see paragraphs 11.34–11.36 below)
  • on a third party’s hardware, such as cloud storage, where the organisation has instructed the third party to irretrievably destroy the personal information, reasonable steps would include taking steps to verify that this has occurred.

Destroying personal information held in electronic format — putting beyond use

11.34 Where it is not possible for an organisation to irretrievably destroy personal information held in electronic format, reasonable steps to destroy it would include putting the personal information ‘beyond use’. However, an organisation could instead consider whether de-identifying the data would be appropriate (see paragraphs 11.37–11.41 below) and if so, take reasonable steps to de-identify the personal information.

11.35 Personal information is ‘beyond use’ if the organisation:

  • is not able, and will not attempt, to use or disclose the personal information
  • cannot give any other entity access to the personal information
  • surrounds the personal information with appropriate technical and organisational security. This should include, at a minimum, access controls together with log and audit trails, and
  • commits to take reasonable steps to irretrievably destroy the personal information if, or when, this becomes possible.

11.36 It is expected that only in very limited circumstances would it not be possible for an organisation to destroy personal information held in electronic format. For example, technical constraints may make it impossible to irretrievably destroy the personal information without also irretrievably destroying other information, held with it, that the entity is required to retain.

De-identifying personal information

11.37 Personal information is de‑identified ‘if the information is no longer about an identifiable individual or an individual who is reasonably identifiable’ (s 6(1)). De-identification is discussed in more detail in Chapter B (Key concepts).

11.38 An organisation that intends to comply with APP 11.2 by taking reasonable steps to ensure that personal information is de-identified should consider whether de‑identification is appropriate in the circumstances. For more information on when and how to de-identify information, and how to manage and mitigate the risk of re-identification, see Privacy Business Resource — De-identification of Data and Information and Information Policy Agency Resource — De-identification of Data and Information.[10]

11.39 De-identification of personal information may be more appropriate than destruction where the de-identified information could provide further value or utility to the organisation or a third party. For example, where:

  • an organisation shares de-identified information with researchers, or
  • an organisation uses de-identified information to develop new products.

11.40 Regardless of the de-identification technique chosen, the risk of re-identification must be actively assessed and managed. Where the risk of re-identification cannot be appropriately minimised, the organisation could instead consider taking reasonable steps to destroy the personal information (see paragraphs 11.32–11.36 above).
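One way to carry out the re-identification risk assessment that paragraph 11.40 calls for, as an added illustration that is not OAIC material and not drawn from the resources cited in paragraph 11.38: measure the k-anonymity of a candidate de-identified dataset over its quasi-identifiers, then reduce the risk by generalisation and, where a record is still unique, suppression. The records, the choice of postcode, year of birth and sex as quasi-identifiers, and the threshold k_min = 2 are constructed assumptions for the example.

```python
"""Added illustration (not OAIC guidance): re-identification risk measured as
k-anonymity over quasi-identifiers, reduced by generalisation and suppression.
All records below are constructed."""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Record = Dict[str, object]

# Constructed sample: direct identifiers (name, account number) already removed,
# but postcode, year of birth and sex remain and could be linked to an
# external source such as an electoral roll.
SAMPLE_RECORDS: List[Record] = [
    {"postcode": "2000", "yob": 1984, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "2000", "yob": 1984, "sex": "F", "diagnosis": "influenza"},
    {"postcode": "2000", "yob": 1984, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "2010", "yob": 1985, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "3000", "yob": 1990, "sex": "M", "diagnosis": "influenza"},
    {"postcode": "3000", "yob": 1990, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "2600", "yob": 1951, "sex": "M", "diagnosis": "diabetes"},
]

# Columns treated as quasi-identifiers (an assumption for this sample).
QUASI_IDENTIFIERS: Sequence[str] = ("postcode", "yob", "sex")


def equivalence_classes(records: List[Record], quasi_ids: Sequence[str]) -> Counter:
    """Group records by their quasi-identifier tuple and count each group."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records: List[Record], quasi_ids: Sequence[str]) -> int:
    """Smallest equivalence-class size k. k == 1 means at least one record is
    unique on its quasi-identifiers and therefore a re-identification hazard."""
    classes = equivalence_classes(records, quasi_ids)
    return min(classes.values()) if classes else 0


def generalise(record: Record) -> Record:
    """Coarsen the quasi-identifiers: postcode to its first two digits, year
    of birth to its decade. Other fields are copied unchanged."""
    out = dict(record)
    out["postcode"] = str(record["postcode"])[:2]
    out["yob"] = (int(record["yob"]) // 10) * 10
    return out


def release(records: List[Record], quasi_ids: Sequence[str],
            k_min: int) -> Tuple[List[Record], int]:
    """Generalise every record, then suppress any record whose class is still
    smaller than k_min. Returns the releasable records and the number suppressed."""
    generalised = [generalise(r) for r in records]
    classes = equivalence_classes(generalised, quasi_ids)
    kept = [r for r in generalised
            if classes[tuple(r[q] for q in quasi_ids)] >= k_min]
    return kept, len(generalised) - len(kept)


if __name__ == "__main__":
    print("raw k =", k_anonymity(SAMPLE_RECORDS, QUASI_IDENTIFIERS))
    kept, dropped = release(SAMPLE_RECORDS, QUASI_IDENTIFIERS, k_min=2)
    print(f"released {len(kept)} records, suppressed {dropped}, "
          f"k = {k_anonymity(kept, QUASI_IDENTIFIERS)}")
```

On the sample, the raw data is only 1-anonymous (the 2010/1985/F and 2600/1951/M records are unique); generalisation merges the first into the 2000/1984/F group but leaves the second unique, so it is suppressed before release. k-anonymity addresses identity disclosure only: if every record in a class shares the same value of a sensitive attribute such as diagnosis, that value is still learned about everyone in the class, so the assessment should also look at attribute homogeneity within each class.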

11.41 Where the personal information is held on a third party’s hardware, such as cloud storage, and the organisation has instructed the third party to de-identify the personal information, reasonable steps to de-identify the personal information would include taking steps to verify that this has occurred.



Footnotes

[1] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 86.

[2] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012, p 86.

[3] Agencies will also need to consider s 95B, which sets out requirements for Commonwealth contracts.

[4] See OAIC website <www.oaic.gov.au>.

[5] An APP entity needs to take reasonable steps to ensure that an employee does not gain unauthorised access to personal information ‘in the performance of the duties of the person’s employment’ (s 8(1)).

[6] An APP entity needs to take reasonable steps to ensure that an employee does not carry out an unauthorised disclosure of personal information ‘in the performance of the duties of the person’s employment’ (s 8(1)).

[7] Archives Act 1983 section 3: Commonwealth record means:

  1. a record that is the property of the Commonwealth or of a Commonwealth institution; or
  2. a record that is to be deemed to be a Commonwealth record by virtue of a regulation under subsection (6) or by virtue of section 22;

but does not include a record that is exempt material or is a register or guide maintained in accordance with Part VIII.

[8] See Attorney-General’s Department, Information security management guidelines of the Australian Government Protective Security Policy Framework (PSPF), Attorney-General’s Department Protective Security website <www.protectivesecurity.gov.au>. Although the PSPF only applies to Australian Government agencies, the examples may also be relevant to organisations in complying with APP 11.2.

[9] See the ‘Controls’ section of the Defence Signals Directorate’s Information Security Manual (ISM), Defence Signals Directorate website <www.dsd.gov.au>. The ISM also discusses how various forms of hardware should be sanitised or destroyed. Although the ISM only applies to Australian Government agencies, it may be of interest to organisations in complying with APP 11.2.

[10] OAIC, Privacy Business Resource — De-identification of Data and Information and Information Policy Agency Resource — De-identification of Data and Information, OAIC website <www.oaic.gov.au>.
