We would like to welcome you to the December edition of the Koffels E-Newsletter. We hope you find this publication informative and that it provokes consideration of some of the day to day legal issues you, or your clients, might face.

If you require further information about any of the topics covered in any of our E-Newsletters, or legal assistance generally, please feel free to contact Ross Koffel on (02) 9283 5599.
The Australian Privacy Commissioner recently released the Guide to handling personal information security breaches (the "Guide") for use by businesses, agencies and non-government organisations.

Compliance with the Guide is not mandatory. The aim of the Guide is to encourage a risk-analysis approach by businesses, agencies and organisations when evaluating and responding to a breach.
Some examples of how personal information security breaches can occur are:

- lost or stolen laptops, removable storage devices or physical files containing personal information
- paper records inadequately recycled or left in garbage
- computer hard drives and other storage media being disposed of without erasing contents
- an agency or organisation mistakenly providing personal information to the wrong person, for example by sending details out to the wrong address (including email address)
- an individual deceiving an agency or organisation into improperly releasing the personal information of another person
- databases containing personal information being "hacked" into or otherwise illegally accessed by individuals outside of the agency or organisation
- employees accessing personal information outside the requirements of their employment
The Guide points out that personal information security breaches may just as easily be caused by internal errors and failure to follow established information handling procedures, and are not merely confined to malicious actions like theft or 'hacking'; the resulting security breach is just as harmful to the affected individuals.
The Guide further sets out some of the existing privacy obligations under the Privacy Act 1988 (Cth) ("Privacy Act") and agency-specific legislation. In particular, agencies and organisations are required to take reasonable steps to protect the personal information they hold from misuse and loss and from unauthorised access, modification or disclosure. It is important to note that there is no express requirement to notify affected individuals under the Privacy Act; however, breach notification is good privacy practice, as it may be a reasonable step under the obligation to keep personal information secure and for the other reasons set out in the Guide.
Under the Guide, there are 4 main steps to be considered when responding to a breach or suspected breach. The Guide provides detailed scenarios and suggested steps to be taken. A short summary is set out below.
- Contain the breach and do a preliminary assessment

Step 1 involves taking all steps to immediately contain the breach, including considering what steps can be taken to mitigate the harm to individuals, appointing a person with sufficient authority to lead the initial assessment and considering whether anyone needs to be notified, such as the relevant internal authority or the police in a case of theft.

- Evaluate the risks associated with the breach

This step requires assessing the risks by considering what personal information is involved, what the context of the information is, establishing the cause and extent of the breach, assessing the risk of harm that could result to individuals and identifying what other harms or risks could arise. Some of the questions posed in the Guide are:

- Could the information, combined with publicly available information, be used for fraudulent or other harmful purposes?
- Is there a risk of ongoing breaches or further exposure of the information?
- Is the information rendered unreadable by security measures?
- What was the source of the breach?
- Is this a systematic problem or an isolated incident?

- Consider notification

The Guide stipulates that, as a general rule, if a personal information security breach creates a real risk of serious harm to the individual, those affected should be notified. In determining when notification is appropriate, agencies and organisations should take into account the ability of the individual to take specific steps to mitigate any such harm, and consider whether informing other parties like the police, professional bodies, the Privacy Commissioner or other regulators is appropriate. The Guide also offers a lengthy discussion on the appropriate process of notification and the content to be included in a notification, and further lists various examples of notification.

- Prevent future breaches

Finally, the agency or organisation should consider the need to evaluate its existing prevention plan or to develop a plan to prevent future breaches. The agency or organisation may need to update its security / response plan, make appropriate changes to current policies and procedures and/or revise staff training practices.
There is a useful schematic guide to breach notification at the end of the Guide. The Guide is available at www.privacy.gov.au/publications/breach_guide.pdf
The release of this Guide follows the launch of the Australian Law Reform Commission's landmark report For Your Information: Australian Privacy Law and Practice (ALRC 108), announced in its press release Australia must rewrite privacy laws for the Information Age, which can be accessed at: http://www.alrc.gov.au/media/2008/mr1108.html.
More questions?

If you have any questions or would like to discuss any of the issues addressed in our E-Newsletters, please do not hesitate to contact us on 02 9283 5599 or email us at admin@koffels.com.au.