What security measures are appropriate?

Agencies have to take reasonable steps to make sure the information they hold is kept safe and secure. This includes making sure it is protected from loss, accidental or unauthorised disclosure, access, use or modification or any other misuse.

There are a number of different aspects to consider, including physical security, electronic security, operational security, security during transmission and during destruction.

What steps are appropriate will depend entirely on the circumstances, including:

• How sensitive is the personal information involved?

• What are you using the personal information for?

• What security measures are available, and how will using these measures impact on your agency’s functions?

• What might the consequences be for the individual if the information is not kept secure?
  

If you are introducing a security policy, or changing your current policy, you may want to consider doing a privacy impact assessment to help identify and manage any potential risks you agency may face.  The Privacy Commissioner has the power to issue a compliance notice to organisations that are not meeting their obligations under the Privacy Act. This could include systemic issues, such as inadequate security measures.

Updated December 2020