
Guide to Information Security: ‘Reasonable steps’ to protect personal information consultation information

December 2012

Submissions to this consultation closed on 7 January 2013.

Guide released following the consultation

The OAIC released a finalised version of the Guide to information security: ‘reasonable steps’ to protect personal information on 29 April 2013.


In December 2012, the Office of the Australian Information Commissioner (OAIC) sought comments on draft guidance on the security of personal information:

Guide to Information Security: ‘Reasonable steps’ to protect personal information (Consultation draft – December 2012) (PDF)

The guide is intended for entities, including Australian, ACT and Norfolk Island Government agencies, and private sector organisations that are covered by the Privacy Act 1988 (Cth). It is also relevant to credit reporting agencies (CRAs), credit providers and tax file number (TFN) recipients.

The guide provides information on the reasonable steps entities are required to take under the Privacy Act to protect the personal information they hold from misuse, loss and from unauthorised access, use, modification or disclosure.

The guide is aimed at helping entities meet their Privacy Act obligations by:

  • outlining the circumstances that can affect the assessment of what steps are reasonable to take
  • providing examples of steps and strategies which may be reasonable for an entity to take.

Although it will not be binding, the OAIC will refer to the guide when assessing an entity's compliance with its information security obligations under the Privacy Act.

Stimulus questions

The OAIC prepared the questions below which were intended to stimulate comments and reflections on the guide. They were not intended to confine the issues that could be raised.

  • Is the guide helpful and easy to read?
  • Does the guide provide adequate assistance in interpreting the security obligations regarding the handling of personal information in the Privacy Act?
  • Are technical issues involving information security, especially in the area of IT security, accurately and appropriately covered in the draft guidance?
  • Are there any other ways in which the guide could be enhanced?

Submissions received

The following submissions on the draft guide are generally presented in the format received by the OAIC with redactions to remove direct contact details and signatures not relevant to the submission. If you have difficulty accessing a submission please contact us for an alternative version.

  1. Abacus Australian Mutuals (provided orally - file note available on request)
  2. Armorlog Group (RTF, 880.22 KB) and supplementary (TXT, 7.03 KB)
  3. Attorney-General’s Department (TXT, 3.12 KB) and attachment (PDF, 625.51 KB)
  4. Australian Government Information Management Office (TXT, 8.79 KB)
  5. Australian Information Security Association (RTF, 1.25 MB)
  6. Australian Medical Association (PDF, 130.55 KB)
  7. Australian Privacy Foundation (PDF, 205.22 KB)
  8. Australasian Retail Credit Association (PDF, 266.59 KB)
  9. Confidential - not published
  10. Daniel Johns (PDF, 1.4 MB)
  11. Data Theft Australia (PDF, 229.45 KB)
  12. Department of Agriculture, Fisheries and Forestry (TXT, 2.83 KB)
  13. Financial Industry Delegation Australia (PDF, 99.65 KB)
  14. Institute of Certified Bookkeepers (TXT, 1.81 KB)
  15. Insurance Council of Australia (TXT, 1.8 KB)
  16. KPMG (provided orally - file note available on request)
  17. Lockstep Group (PDF, 157.58 KB)
  18. McAfee (TXT, 4.18 KB) and attachment (RTF, 25.59 MB)
  19. National Archives of Australia (RTF, 63.41 KB)
  20. National E-health Transition Authority (PDF, 95.61 KB)
  21. Royal Australian College of General Practitioners (PDF, 176.22 KB)
  22. Siganto and Burdon (PDF, 520.37 KB)
  23. Standards Australia (RTF, 186.45 KB)
  24. Xamac Consultancy (PDF, 268.65 KB)