Any organisation that holds personal information, including government agencies, financial institutions and participants in the health and telecommunications industries.
What do you need to do? Organisations need to review the Guide and consider how the measures could affect their business practices.
Partner: T +61 2 6217 6051
Sydney: Andrea Beatty, James Moore
Melbourne: Ros Grady
Canberra: Stephen Skehill
Author: Sophia Rihani
The Federal Privacy Commissioner has issued a final version of the Voluntary Guide to Handling Personal Information Security Breaches (Guide). The Guide has been designed to assist public sector agencies and private sector organisations (Organisations) to prevent, and respond effectively to, breaches of personal information security.
A summary of key points in the Guide can be found in our Privacy Alert of 17 April 2008. These key points are unchanged from the draft Guide issued on 15 April 2008.
Organisations need to review the Guide and decide whether or not to incorporate some or all of the Guide’s procedures in their internal security policies and risk management plans.
Although the Guide is only voluntary, it is possible the Guide (or part of it) will become law in the future, particularly if the Commonwealth Government decides to accept the Australian Law Reform Commission’s recent recommendations on changes to privacy law. Our Privacy Alert of 11 August 2008 provides further details about those recommendations.
The Commonwealth Government has indicated that it will make a decision on mandatory notification of privacy breaches as part of the second stage of its privacy law reforms. The timeframe for the second stage is unclear, although Senator John Faulkner has indicated that the first stage of privacy law reforms is likely to occur over the next 12 to 18 months (John Faulkner’s Speech to Launch the Australian Law Reform Commission's Report on Privacy, 11 August 2008).
Next Steps
While the Guide is voluntary, it may be useful for Organisations to incorporate some of the Guide’s procedures in their internal security policies as good practice in handling personal information security breaches. It may also place Organisations in a better position to comply with the law if legislation on data breach notices is introduced in the future.
How we can help
We have considerable experience and expertise in advising on privacy issues. We can assist you in considering the impact of the Guide on your Organisation and reviewing your internal information security policies and risk management plans from a privacy perspective.