Requirements about storing information and keeping it secure
Overview
Storage and security of information
Privacy Act 2020, s 22, principle 5
A government agency, business or other organisation that holds information about you must make sure that reasonable security safeguards are in place to protect the information against:
- being lost
- being accessed, used, changed or released without the organisation’s permission
- being misused in any other way.
If the organisation needs to give the information to a contractor or someone else who provides a service to the organisation, the organisation must also make sure everything reasonable is done to prevent the information being used or disclosed without authorisation.
The steps that an organisation will need to take to keep your information secure will usually depend on the type of information. For example, an organisation will usually need to protect its databases with anti-virus software, and protect its physical premises from burglary or theft by having a monitored alarm.
What happens if there is a privacy breach?
One of the biggest changes in the Privacy Act 2020 is that organisations now have obligations to let people know if there has been a “notifiable privacy breach”. This means that if breach has caused (or is likely to cause) serious harm to someone, the organisation must tell the individual whose privacy was breached, and the Privacy Commissioner.
An organisation has to consider the following before deciding if the privacy breach is likely to cause serious harm:
- any action taken by the organisation to reduce the risk of harm following the breach
- whether the personal information is sensitive in nature
- the nature of the harm that may be caused to affected individuals
- the person or body that has obtained or may obtain personal information as a result of the breach (if known)
- whether the personal information is protected by a security measure
- any other relevant matters.
When deciding if a privacy breach is likely to cause serious harm, organisations should get independent legal advice. If an organisation fails to notify the Privacy Commissioner of a “notifiable privacy breach”, they can be fined up to $10,000.
