APP 11 — reasonable steps to secure personal information

How the OAIC interprets the APP 11 obligation to take reasonable steps to protect personal information, and the indicative controls expected of regulated entities.

Rules Mate Editorial · Published 1 June 2026 · 2 min read

What APP 11.1 requires

APP 11.1 requires an APP entity to take reasonable steps to protect personal information. These steps must safeguard against misuse, interference, loss, and unauthorised access, modification or disclosure.

This obligation applies to personal information that the entity holds. Holding personal information means the entity has possession or control of it.

APP 11 sits within Part 4 of Schedule 1 to the Privacy Act 1988 (Cth).

What 'reasonable steps' means

The concept of ‘reasonable steps’ is not defined precisely. Instead, it is assessed based on several factors. These include the nature of the organisation holding the information, the volume of personal information held, the sensitivity of that information, and the potential harm that could result from a data breach. Practical considerations in implementing security controls are also taken into account.

Organisations holding a larger volume of personal information, or information of a higher sensitivity – such as health information – generally need to implement more robust security measures. The level of security should be proportionate to the risks involved.

While the cost of implementing security measures is a relevant factor, it cannot be used as justification for failing to protect personal information against reasonably foreseeable risks. The Australian Information Commissioner publishes a ‘Guide to securing personal information’ which provides further guidance.

Indicative controls expected

To comply with APP 11, organisations should implement controls demonstrating reasonable steps to secure personal information. Governance structures are fundamental, requiring clear ownership of information security with a senior accountable individual. Physical security measures should restrict access to premises and devices. ICT security controls should include patching systems, implementing access controls, encrypting information both when it is being transmitted and when it is stored, utilising multi-factor authentication for high-risk access, and maintaining logging and monitoring capabilities. Consider the ACSC Essential Eight Maturity Model as a framework for assessing and improving your security posture.

Personnel management is also a key element. This includes providing training to staff, assigning access based on roles, and establishing robust on-boarding and off-boarding processes. Furthermore, organisations engaging third parties to process personal information must establish contractual obligations, conduct due diligence, and seek assurance that these third parties also meet appropriate security standards.

Finally, organisations must adhere to APP 11.2, which mandates the destruction or de-identification of personal information when it is no longer needed for the purpose for which it was collected. This demonstrates a commitment to minimising the ongoing risk to personal information.

When a failure becomes a breach

A failure to take reasonable steps to secure personal information, as required by APP 11.1, can constitute a breach of the Privacy Act in its own right. This means an organisation can be found to have violated the law even if there is no actual data breach resulting in personal information being compromised.

If a data breach *does* occur, the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act may require notification to the Office of the Australian Information Commissioner (OAIC) and affected individuals within 30 days of becoming aware. This is known as the Notifiable Data Breach 30-day rule.

Serious or repeated interferences with privacy, including failures to take reasonable steps, can attract substantial civil penalties under section 13G of the Privacy Act.

Frequently asked

Is the ACSC Essential Eight mandatory under APP 11?

The Essential Eight is not mandatory for APP 11 purposes. However, the OAIC routinely references it as an indicative benchmark of ICT controls, and entities that fall well short of it risk a finding that they did not take reasonable steps.

Does APP 11 apply to paper records?

Yes. APP 11 applies to personal information in any form — paper records, digital files, voice recordings — that the entity holds.
