4 ASIAN BRIEFINGS MARCH 2017 © Association of Corporate Counsel
PRACTICAL DATA SECURITY TAKEAWAYS FROM AUSTRALIA’S RECENT PRIVACY DETERMINATIONS
and by limiting access, allow an organization
to control the integrity and vulnerability of
information and databases.
4. Entities must not forget to protect
Typically, when individuals think about
data security, they think about firewalls,
encryption standards, and access controls.
However, the OAIC made a determination against an Australian telecommunications company for failing to adequately
protect personal information held in physical form.31
In this matter, customers were required
to provide identification information,
including a driver’s license and Medicare
card, in order to enter into a contract.32 After receiving that information, the company
failed to adequately secure its customers’
personal information. One journalist reported that it had
abandoned physical copies of customer
information in open shipping containers.33
Even though the company used locks on the
containers holding customer information,
the OAIC found that, given the nature and
sensitivity of the information, its actions
were not “reasonable.”34 Because the
information was highly sensitive, the
company should have taken additional steps
to secure it, even in physical form.35
It is important to remember that the Privacy
Act applies to all forms of personal data, including
information on paper documents. In this
decision, the OAIC noted that, depending on the
sensitivity of the personal information, entities
should consider the following steps to ensure the
physical security of personal information:
a. Monitor the movement of physical files;
b. Implement physical access controls such as
issuing a limited number of keys or passes
to areas in which the information is stored;
c. Monitor and guard the location in which
the information is stored; and,
d. Use a secure means of storage, such as
a secure or locked room in monitored,
Furthermore, organizations should consider
implementing physical safeguards within their
own organization and requiring that their vendors
implement at least the same safeguards
when handling data. Organizations should also
consider periodically auditing a vendor’s secu-
The OAIC received an 18 percent increase in
the number of privacy enquiries in 2016.37 As
organizations prepare for future investigations, they should work closely with
their own electronic and physical security teams,
considering recent findings and taking appropriate action to evaluate their own controls and
safeguards. A strong security posture includes
adequate security provisions, with practices that
are documented and aligned to the requirements.
Where possible, technical controls, including
access restrictions and audit logs, should be used
to monitor and enforce security practices. Finally, sensitive information warrants additional
security protections, regardless of whether it is
maintained in an electronic or physical format.
An adequate security strategy must address
cyber, access, and physical security requirements.
1 Section 6D of the Privacy Act.
3 The Explanatory Memorandum to the Privacy
Amendment Bill of 2012 states that entities who
have an online presence (but no physical presence
in Australia), and collect personal information from
people who are physically in Australia, carry on a
“business in Australia or an external Territory.”
4 Directive 95/46/EC.
5 Section 5B of the Privacy Act.
6 Section 5B(1B) of the Privacy Act.
7 Id. at Section 27.
8 Id. at Section 40A; with limited exceptions, the
OAIC is required under the Privacy Act to make
reasonable attempts to conciliate the complaint.
9 According to the OAIC, over 97 percent of privacy
complaints are resolved prior to a determination
and within 12 months of the initial filing.
10 Prior to revision of the Privacy Act in 2014,
the APPs were separated into the Information
Privacy Principles (IPPs) for government
entities (known as IPP entities) and the