Australian Privacy Principle 11 — Security of Personal Information
11.1 If an organisation holds personal information, it must take such steps as are reasonable in the circumstances to protect the information from:
misuse – use of the information for a purpose the Privacy Act does not permit (see APPs 6, 7 and 9),
interference – hacking or similar attacks that lead to exposure of the information,
loss – loss of the information, whether physical or electronic, through theft, damage, accident or the like,
modification – alteration of the information by an unauthorised person, or otherwise contrary to the Privacy Act,
disclosure – making the information accessible to outsiders so that it passes out of the organisation's control, contrary to the Privacy Act.
A very basic step in securing information is to verify the identity of any person requesting access before that access is granted.
11.2 An organisation must take such steps as are reasonable in the circumstances to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs. This applies only where the information is not contained in a Commonwealth record and the organisation is not required by or under an Australian law, or a court or tribunal order, to retain it.