
Guide to securing personal information

The Office of the Australian Information Commissioner’s Guide to securing personal information is a resource to help agencies and organisations to meet their obligations under the Australian Privacy Principles to take reasonable steps to protect personal information. The Guide emphasises the five steps that are necessary for agencies and organisations to take in assessing whether to collect personal information, how to protect it, and what to do with it once it is no longer needed.

The publication is based on the former Guide to information security but now places greater emphasis on the concept of the information lifecycle. The information lifecycle brings together several important concepts, such as privacy by design, risk assessment and the principle that unnecessary collection of personal information increases the likelihood that it will be mishandled. The Guide also reminds organisations and agencies about the ever-changing nature of information in the electronic age: some seemingly non-personal information may become ‘personal information’ during the information lifecycle, meaning that their obligations under the Privacy Act 1988 may change.

‘The information lifecycle illustrates the dynamic nature of personal information handling, and demonstrates why personal information security must be embedded in day-to-day processes, rather than only being considered in the context of specific projects or activities’, said Privacy Commissioner Timothy Pilgrim.

The Guide now includes steps and strategies to minimise the risk of a ‘trusted insider’ breach, and emphasises the necessity of designing and building in security measures that factor in human error. It also places emphasis on the importance of governance, the creation of a privacy- and security-aware culture within the workplace, and the necessity for a privacy culture to be driven from board level within organisations. A section on using cloud storage solutions is introduced for the first time, outlining the requirements that continue to apply when information handling is outsourced to a third-party provider.