What measures are considered reasonable to safeguard private information held by businesses under Australian law? This question was partly answered through an investigation by the Office of the Australian Information Commissioner (OAIC) in 2014.
The investigation found that the Pound Road Medical Centre (PMRC) in Melbourne had breached the Privacy Act 1988. This followed a discovery that the centre had stored confidential patient files in a locked garden shed. The shed in question had been broken into at a site no longer staffed by PMRC, compromising the security of a range of private personal information.
PMRC’s specific breach was failing to take reasonable steps to secure the material. Australian Privacy Commissioner Timothy Pilgrim was quoted as saying:
‘I can’t think of any circumstances in which it would be reasonable to store health records, or any sensitive information, in an insecure temporary structure such as a garden shed.’
However, it is not only the long-forgotten reams of paper stashed away in a back room that could compromise information security. Private information held electronically, whether on local servers or via online storage (or a combination of the two), also needs to be protected against leaks, loss or external threats.
It is important to remember that the virtual world does have its equivalent of the loosely secured garden shed. Companies using electronic storage should therefore ensure that they put in place adequate security measures that are consistent with the Privacy Act’s requirement of taking reasonable steps to secure private information.
Further, Australian Privacy Principle 11 (APP11), which is contained in the recently amended Privacy Act, offers guidance on safe storage of private information. APP11 reiterates that companies must take reasonable steps to protect information ‘from misuse, interference and loss; and from unauthorised access, modification or disclosure.’
APP11 also reinforces the need to destroy or de-identify personal information that is held but no longer required, a requirement echoed elsewhere in the Privacy Act.
According to Mr Pilgrim, ‘If organisations don’t need to keep personal information for a legal purpose, then they must have a system in place to dispose of it securely.’
Businesses handling private information should take heed of the OAIC’s warnings, and ensure that their electronic and physical records are securely stored. The guidance the OAIC offered to PMRC following the breach included the following suggestions:
- undertake a risk assessment in relation to records management and privacy practices;
- organise privacy training for all staff; and
- develop a data breach response plan to assist with future incidents.
Therefore, it would be wise to adopt a well thought out policy on handling sensitive or private information.
Ultimately, the best option is to become familiar with the laws regulating the storage and destruction of personal information, and seek legal advice to clarify any uncertainty. And of course, avoid the garden shed policy.