On 17 March 2021 the NSW Civil and Administrative Tribunal made Orders requiring Council to take certain actions in relation to the security of personal information held by the Council. The Orders required Council to:
- perform IPP 5 by implementing such security safeguards as are reasonable in the circumstances against loss, unauthorised access, use, modification or disclosure and against all other misuse for all personal information it holds in physical form;
- implement such administrative measures as are necessary to ensure that the conduct of concern will not occur again. Such security safeguards and administrative measures must include details as to when and in what circumstances an internal review of an incident will be sufficient and when an external independent review of an incident is required; and
- amend its Privacy Management Plan (PMP) to reflect the security safeguards implemented in accordance with the above.
Council has now completed the measures required by these Orders, and has:
- engaged information security experts to conduct an independent review of Council’s handling of personal information for security of physical records containing personal information, which involved an onsite security walkthrough of Council’s premises;
- implemented the recommendations made by the security experts to improve its procedures and processes relating to the security of information it holds in physical form, to safeguard against any loss, unauthorised access, use, modification or disclosure and against all other misuse of personal information;
- provided education materials and training to staff on any changed or new security processes, to assist them in complying with the requirements of IPP 5;
- reviewed and improved its procedures and processes in relation to dealing with internal reviews (this included providing educational materials to staff to assist them in understanding and implementing Council’s new internal review process);
- amended its PMP, including to reflect the security safeguards it has implemented and its updated internal review process.
In addition to completing the measures required by the Orders, Council took this opportunity to conduct a comprehensive review of its PMP, which included:
- comprehensive stakeholder engagement, including internal privacy review surveys, face-to-face meetings, and seeking feedback on working drafts of the PMP;
- using resources and guidance materials provided by the NSW Information and Privacy Commissioner (IPC) to prepare the PMP;
- considering emerging ‘good practice’ PMPs implemented by other public sector agencies; and
- using the IPC’s ‘Checklist - Privacy Management Plans’ tool to assess the content of the PMP once it was prepared, to ensure the PMP addressed all of the section 33 requirements of the Privacy and Personal Information Protection Act 1998 (NSW) (PPIP Act).