OAIC – DRAFT Guidance on Information Security Reasonable Steps

In December 2012, the Office of the Australian Information Commissioner (OAIC) released a draft ‘Guide to Information Security Reasonable Steps to Protect Personal Information”[1] for public consultation, with submissions to be made by January 7, 2013.  Although it will not be legally binding per se, the OAIC will refer to the guide when assessing an entities compliance with its information security obligations in the Privacy Act

From its title and stated purpose, it would be expected that this document would provide guidance on the information security approach to managing risks to personal information that the OAIC will be looking for when investigating whether entities have met their obligations  under the Privacy Act1988 (Cth)  to protect the personal information they hold.  

It does do that – but only in a very limited way.  The Guide does not set out any comprehensive approach to information security.   In fact, it does only two things:

·         It outlines the circumstances that can affect the assessment of what steps might be reasonable to take; and

·         It provides examples of steps and strategies which may be reasonable for an entity to take to address particular risks.

Need for Guidance

Some sort of guidance from the OAIC on information security is long overview. 

The last publication directed at this issue was released in 2001, over twelve years ago – a very long time in the technology world.    As well, guidance plays an important part of any compliance approach and is of particular importance in supporting principle based regulation such as the Privacy Act.  This point was made repeatedly by the ALRC in its 2008 Privacy Act review[2] and was expressly made in relation to NPP4 when the ALRC opted not to recommend that that principle be made more specific. [3]

Too Ambitious

However – providing guidance on information security is hard.

Information security is both a complex and constantly changing area.  There are many published texts on information security, many with over 500 pages of content.[4]   It is difficult to see how the OAIC could cover the same subject matter in less than 30.

As well, the Guide’s target audience is extremely wide and diverse -  covering large listed organisations and government departments as well as small and medium organisations (at least to the extent they fall outside of the small business exemption) which may hold small amounts of sensitive information.   

It may have been better for the OAIC to be less ambitious with this Guidance.  Guides addressed to particular groups or identifying particular security problems, that can more easily be updated with changes in technology and its uses,  may well be more useful in the longer term.

Consultation Process

It is interesting that, given the complexity of the issues underlying this Guidance and its evident need, such little time was made available for consultation.  Released in early December, responses were requested to be made by January 7 – a period which covered the traditional Australian summer holiday break.

As well, to date the consultation process has been less than transparent.   Submissions that were made to the draft Guide have not been published – which is a departure from previous practice. 

Our Submission

There were a number of other issues with the Guidance that were covered in the Submission that we made in January.  These include:

·         Failure to align with risk management methodology

·         Referencing industry standards

·         Importance of Privacy by Design and its relationship with Privacy Impact Assessment

·         Consistency with Existing OAIC Guidance and Publications

·         Omissions from the list of Security Safeguards

A copy of that submission is available here.


Despite the lack of transparency in the consultation process, the Attorney General is set to announce the new Guide on April 29 at the flagship event for Privacy Awareness Week. 

It will be interesting to see what the final Guide looks like and how it is received by the information security community.


[2] ALRC Report Volume 1 Section 4.65 at p248: “The ALRC particularly supports the critical role of the Privacy Commissioner to provide guidance, consistent with the third part of the ALRC’s regulatory approach. Guidance can be provided in a variety of forms. One of the most obvious is through guidelines issued by the Privacy Commissioner. Guidance can be provided in information available on the regulator’s website, through frequently-asked-questions (FAQs), information sheets, advice, a telephone hotline for enquiries, education programs and tips for compliance.”

[3] ALRC Report Volume 2 at 951

[4] See, for example, Tipton, H and Krause Information Security Management Handbook (Auerbach Press)