Requirements about storing information and keeping it secure
Overview
Storage and security of information
Privacy Act 2020, s 22, information privacy principle 5
A government agency, business or other organisation that holds information about you must make sure that reasonable security safeguards are in place to protect the information against being lost or misused (including if it’s accessed, used, changed or released without the organisation’s permission).
If the organisation needs to give the information to a contractor or someone else who provides a service to the organisation, the organisation must also make sure everything reasonable is done to prevent the information being used or disclosed without authorisation.
The steps an organisation needs to take to keep your information secure will depend on how sensitive the information is and on what is reasonable for an organisation of its size and resources. For example, an organisation holding personal records in a database will usually need to keep the systems holding that data patched and protected against malware, limit access to the staff who actually need it, and protect its physical premises against burglary or theft, such as with locks and a monitored alarm.
What happens if there is a privacy breach?
One of the biggest changes in the Privacy Act is that organisations now have obligations to let people know if there has been a “notifiable privacy breach”. This means that if a breach has caused (or is likely to cause) serious harm to someone, the organisation must tell the Privacy Commissioner and the individual whose privacy was breached.
When deciding whether a privacy breach is likely to cause serious harm, organisations should get independent legal advice. Notification has to be made as soon as practicable after the organisation becomes aware of the breach. If an organisation fails to notify the Privacy Commissioner of a “notifiable privacy breach” without a reasonable excuse, it commits an offence and can be fined up to $10,000.
An organisation has to consider the following before deciding if the privacy breach is likely to cause serious harm:
- any action taken by the organisation to reduce the risk of harm following the breach,
- whether the personal information is sensitive in nature,
- the nature of the harm that may be caused to affected individuals,
- the person or body that has obtained or may obtain personal information as a result of the breach (if known),
- whether the personal information is protected by a security measure, and
- any other relevant matters.