
Security of personal information

John Bennett
Part 3 of a four-part series on your business’ responsibilities related to cyber attacks and data breaches
Court decisions about security of personal information

Our first article in this series noted that Australian Privacy Principle 11 imposes security of personal information obligations on businesses that hold personal information.

Here are some court decisions and proceedings where ‘security’ of personal information has come into issue:

NX v DPP [1]

A contractor for the Director of Public Prosecutions provided information for a criminal history check. The result returned a ‘spent conviction’, meaning the person no longer needed to disclose the conviction. The searcher shared the history check with another manager. The Tribunal held that the search history was not held securely because the manager had a copy.

Department of Education and Training v MT

An employee accessed medical information held by the employer without authorisation. The Court held that there was no liability for the employer as it had protected the information by implementing reasonable security safeguards.

XW v Department of Education and Training [2]

A former student sought certain records from their school. The records were missing due to unauthorised access. The school had taken steps to secure the records through pin codes and an alarm. It had also gradually upgraded its security systems. The Tribunal held that the security safeguards adopted weren’t reasonable in the circumstances, taking into account the slow upgrade.

JT v Technical and Further Education Commission (No 2) [3]

The applicant alleged that a TAFE improperly used a counselling file note it held. The Tribunal found that there was no privacy breach and that reasonable security measures had been taken to safeguard the information. These included a code of conduct requiring security for the information and outlining that unauthorised persons may not access it.

OAIC v Facebook [4]

The Court held that there was a prima facie case that Facebook had breached APP 11. The Commissioner submitted that it was insufficient and unreasonable for Facebook to rely on third-party apps’ compliance with its policies without investigating the nature of the apps and why they sought access. As such, it was alleged that Facebook’s failure to properly assess and review the apps seriously interfered with the individuals’ privacy.

Robertson v Singtel Optus Pty Ltd [5]

The issue ultimately is whether Optus complied with APP 11. It has already been noted in the Federal Court that this will be ‘complicated given the nature of Optus’ business and its highly technical multi-layered cyber defences…Optus is a large telecommunications company with a complex range of systems, processes, policies and controls which operates in an environment that is always changing and needs to comply with a range of legislation overseen by multiple regulators.’

Medibank v OAIC [6]

Subsequent to the decision, the OAIC has filed civil proceedings against Medibank. Ultimately, the OAIC’s criticism of Medibank is that it didn’t require multi-factor authentication when accessing its systems.[7]

Australian Privacy Principles facilitating the security of personal information

APP 1 obliges open and transparent management of personal information by businesses. In APP 1.2, businesses are specifically required to take reasonable steps to implement practices, procedures and systems relating to their functions or activities that ensure compliance and enable them to deal with inquiries and complaints.

APP 11.1 requires that the business take reasonable steps to protect personal information from misuse, interference and loss; and unauthorised access, modification or disclosure.

Anonymous and pseudonymous dealings with businesses by individuals are accommodated by APP 2.

APP 11.2 requires that businesses take reasonable steps to destroy the information or to ensure that it is de-identified when no longer needed by the business.

Practices, procedures and systems that support data security

Examples of practices, procedures and systems that support data security include:[8]

  • Privacy risk assessments
  • Information security risk assessments
  • Policies which address personal information security matters
  • ICT security
  • Access security
  • Mechanisms ensuring third party compliance (such as with cloud computing)
  • Physical security
  • Procedures for identifying and responding to privacy breaches
  • Governance, culture and training for personnel
  • Security systems that comply with the Australian Privacy Principles
  • Procedures accommodating anonymity and pseudonymity under APP 2
  • Application of Standards
  • Destruction and de-identification of personal information
  • Proactive reviews and audits

Reasonable steps to ensure security of personal information

The reasonable steps required to ensure security of personal information depend on circumstances including:

  • the nature of the business;
  • the amount and sensitivity of the personal information held;
  • the possible adverse consequences for an individual in the case of a breach;
  • the practical implications of implementing the security measure including time and cost involved; and,
  • whether a security measure is in itself privacy invasive.

Anonymity and pseudonymity

One potential security measure is to use the option in APP 2 of individuals not identifying themselves, or of using a pseudonym, when dealing with the business. The intent of this is that ‘it is often not necessary for an entity to identify the individuals with whom they are dealing’[9] and the privacy of individuals ‘will be enhanced if their personal information is not collected unnecessarily’.[10] The benefits in facilitating anonymity and pseudonymity include minimising the risk of identity fraud and reducing the compliance burden for the business.[11] However, it’s not always possible to use this measure as disclosure of the personal information may be required by law or it may be impracticable for the business to deal with the individual concerned.

Obligation to destroy or de-identify

Once the business no longer needs the information, reasonable steps must be taken to destroy or de-identify it. The exceptions are if the information is contained in a Commonwealth record or if Australian law requires retention.

Personal information is destroyed when it can no longer be retrieved. If it can’t be irretrievably destroyed the business may instead put it ‘beyond use’ (i.e. arrange it so that it can’t be used).

Personal information is de-identified ‘if the information is no longer about an identifiable individual or an individual who is reasonably identifiable.’[12] De-identification is more appropriate where, for example, the de-identified information relates to research and product development.

Read Part 1, Part 2 and Part 4.

For more information, please contact Coleman Greig’s Privacy and Data Protection lawyers.
[1] NX v DPP [2005] NSWADT 74.

[2] XW v Department of Education and Training [2009] NSWADT 73 and [2010] NSWADT 17.

[3] JT v Technical and Further Education Commission (No 2) [2011] NSWADT 291.

[4] OAIC v Facebook [2020] FCA 531.

[5] Robertson v Singtel Optus Pty Ltd [2023] FCA 1392.

[6] Medibank v OAIC [2024] FCA 117.

[7] Australian Information Commissioner, Concise Statement in Australian Information Commissioner v Medibank Private Limited, VID497/2024, 19 June 2024.

[8] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 73.

[9] Explanatory Memorandum, Privacy Amendment (Enhancing Privacy Protection) Bill 2012 (Cth) 74.

[10] Ibid.

[11] Office of the Australian Information Commissioner, Australian Privacy Principles guidelines ‘Chapter 4: Australian Privacy Principle 4 – Dealing with unsolicited personal information’ (July 2019) [2.12].

[12] Privacy Act 1988 (Cth) s 6(1).
© 2024 Coleman Greig Lawyers