OAIC releases guide to information security

After promising to help organisations take better steps to protect personal information, the Office of the Australian Information Commissioner has released its guide to information security.

The Office of the Australian Information Commissioner (OAIC) has released a guide for entities covered under the Privacy Act to help them take the right steps to protect personal information that they may hold.

The final version of the guide, titled "Guide to information security: 'reasonable steps' to protect personal information" (PDF), has been shaped by several months of feedback from the industry after the OAIC released its draft last year. Now in its final form, Australian Privacy Commissioner Timothy Pilgrim said that while it was not binding, its guidelines would also be used by the OAIC when assessing data breaches that have occurred.

The guide itself highlights the importance of building privacy into business processes and applications "by design", and how privacy impact assessments (PIAs) and information security risk assessments can be used to help organisations comply with the Privacy Act from day one, rather than "bolting on" privacy as an afterthought.

"The OAIC strongly recommends all entities covered by the Privacy Act to undertake a PIA for any new business processes that involve the handling of personal information," Pilgrim said at the launch of the guide and Privacy Awareness Week in Sydney on Monday.

While the reforms to Australia's Privacy Act mean that the Privacy Commissioner will be able to require government entities to undertake PIAs, they are still voluntary for private organisations.

Nevertheless, Pilgrim encouraged private organisations to familiarise themselves with the assessments and with the guide, saying that following its recommendations provides the best insurance against data breaches.

"While the guide is not binding, it sends a clear message about my expectations in this area. So naturally, we intend to refer to it when assessing compliance with the data security obligations under the Privacy Act."

Pilgrim also acknowledged that a data breach did not necessarily mean that an organisation had breached the Privacy Act. He presented a brief example of an unnamed organisation that had been breached, but it had ensured that all of its staff had been regularly trained and educated in information security, established good security protocols, and had an annually reviewed security policy.

"Despite these measures, an employee inadvertently caused malware to be installed on the organisation's system. This was a sophisticated and malicious attack that required expert knowledge to execute. However, such an attack does not necessarily mean that an organisation has failed to take reasonable steps as required by the Act."

In contrast, he highlighted a different case where a breached organisation had conducted over 200 security tests on their systems, but due to the very limited scope of the test, did not detect its vulnerabilities.

"Because testing was limited, the vulnerability was not discovered until it had already been exploited. I therefore concluded the company had failed to have taken adequate steps in not having adequate security in place to protect the personal information it held."