The Office of the Australian Information Commissioner (OAIC) has released a draft of its guide to secure personal information.
Titled "Guide to Information Security: 'Reasonable steps' to protect personal information," the consultation draft attempts to outlines what organisations should consider when moving to protect the personal information they are responsible for under the Privacy Act.
National Privacy Principle 4 and Information Privacy Principle 4 state that organisations must take reasonable steps to protect the personal information it holds. Given that the definition of what is reasonable could be considered subjective, the guide aims to help organisations understand how the OAIC assesses whether the steps are sufficient.
There are five areas that the OAIC takes into consideration. These areas include the structure of the organisation, such as how large it is, or if it works on a franchise model; it looks at what kind of personal information is or should have been protected, as this would have an effect on what measures need to be put in place; and the information itself is also considered by the OAIC to determine what harm may come to individuals.
Given that no two businesses are alike, the OAIC also looks at how the organisation handles data, including whether processing or analysis of it is outsourced to a third party, and finally, whether it is reasonable to expect the organisation to implement security measures in the face of what is considered an acceptable risk or the financial costs.
In April this year, the OAIC released its guide into data breaches, outlining the best actions organisations can take when they've experienced a breach. The other half of the OAIC's most recent guide completes the full picture by advising organisations on what they can do to avoid having to experience a breach in the first place.
Its advice covers areas such as IT security, physical security, personnel security, and communications security. For each area, it covers the questions that it would ask when undertaking an investigation and, as such, it represents a fairly comprehensive list of queries that every CIO should be able to answer.
A small segment of the questions include:
What processes are in place to ensure that patches and security updates to applications and operating systems are installed as they become available?
Does the entity employ email validation and authentication systems, such as the Sender Policy Framework and DomainKeys?
Is there a data breach response plan?
If files are placed in lockable cabinets or similar, are these storage units kept locked? How is access to keys controlled?
Does staff training cover information security and appropriate handling of personal information?
Are there clear polices governing the use of portable/mobile devices, use of staff's own devices, and procedures for taking work home?
Are staff made aware of the risks of disclosure if they discuss customers' or clients' personal information over the telephone?
The OAIC's guide acknowledges that due to the differences between each organisations, not all questions will be relevant for everyone.
Like many of the OAIC's publications, it has opened the process up to public scrutiny. It is currently inviting submissions to provide feedback on the draft guide, including any technical issues that it may have missed.
Submissions close January 7, 2013.