The recent OAIC Guide to securing personal information provides an updated outline of the reasonable steps an entity must take to meet regulatory obligations under the Privacy Act and Australian Privacy Principles. The five steps outlined are the measures that every organisation must consider in assessing whether to collect personal information, how to protect it, and what to do with it at end-of-life.
The concept of the information lifecycle is central to understanding these obligations. It also illustrates the dynamic nature of personal information handling, highlighting the need for security measures to be embedded in day-to-day processes, rather than just observed for isolated projects or activities.
The information lifecycle brings together some important concepts, in particular Privacy by Design and risk assessment. Because information holdings change constantly, seemingly non-personal information may become personal information during the information lifecycle (for example, when a previously anonymous data set is combined with other data that makes individuals reasonably identifiable), and the entity's legal obligations change with it. While the secure destruction or de-identification of personal information that is no longer needed is an important risk mitigation strategy in its own right, it takes on particular significance when an information holding changes its legal status, whether inadvertently or deliberately.
The Guide reminds entities that both physical and digital personal information holdings must be irretrievably destroyed or, where this is not possible, put beyond use. Secure destruction depends on comprehensive staff awareness of destruction procedures, and compliance must be monitored and enforced through stringent reporting requirements. Destruction procedures also extend to holdings kept by third parties, and the Guide introduces, for the first time, guidance on cloud storage solutions.
Privacy by Design calls for a systematic, overarching approach to the handling of personal information, building privacy protections into business planning, staff training, priorities, project objectives and design processes from the outset. A privacy and security aware culture driven from the most senior organisational level is essential for good governance.