Key Privacy Reforms – A significant security uplift: The new APP 11.3 and technical and organisation measures (TOMs)

In this the third of our deeper dives into the key areas of the Privacy and Other Legislation Amendment Bill 2024 (Bill) reforms to the Privacy Act we examine the addition of APP 11.3 to set a ‘floor’ or minimum level of information security for protecting personal information for all organisations.

The main way of delivering this is the inclusion in APP 11.3 of the requirement to implement ‘technical and organisational measures’ (also known as TOMs).

Our general overview of the key aspects of the Bill can be found here, our first deeper dive on the statutory right of action for serious invasions of privacy can be found here and our second deeper dive on automatic decision making and offshore disclosures can be found here.

What is it?

Once passed, as currently drafted APP 11.3 clarifies the meaning of ‘reasonable steps to protect personal information’ standard referred to in APPs 11.1 and APP 11.2 (and other provisions in the Privacy Act/APPs). Such ‘reasonable steps’ now include implementing ‘technical and organisational measures’ (i.e. TOMs) as a key minimum ‘security obligation’. In general, ‘technical measures’ are information security controls that protect personal information from misuse, unauthorised access, interference and loss. ‘Organisational measures’ address “how” the organisation ensures it achieves its information security goals for protecting the confidentiality, integrity, availability of personal information including Board oversight of the implementation of an appropriate information security risk management framework.

The ‘technical and organisational measures’ terminology is borrowed from the EU/UK GDPR, Standard Contractual Claims (SCCs) and data protection agreement practices. Typically, the TOMs are specific measures detailed in a data protection agreement or the SCCs. While the new APP 11.3 does not specify exactly what types of TOMs are required in what circumstances, once passed, every APP entity must implement the appropriate TOMs. While the Explanatory Memorandum for the Bill provides slightly different examples (evidencing the disparate views on what “TOMs” means):

• technical measures are those that can be physically or logically implemented, including identity and access management controls; anti-virus controls, data leakage prevention controls, information encryption controls and physical control; and
   
• organisational measures are those that define how to implement information security controls, including processes to embed strong information security risk management, development of policies, standards and procedures and training and awareness raising activities.

The terms ‘security controls’ and ‘TOMs’ are not defined in the Privacy Act/APPs (including APP 11.3). We envisage, as the Government has ‘agreed-in-principle’ in the Privacy Act Review process, that the OAIC will enhance its current APP 11.1 and APP 11.2 guidance to include APP 11.3 and the baseline security and privacy outcomes and/or technical advice (e.g. from the ACSC) to support organisations’ implementation (or uplift) of the TOMs to address the risks and threats to the security of personal information they hold and to meet the APP 11 (as amended) obligations. We expect the OAIC guidance will also address specific minimum types of TOMs to be implemented by all organisations and, over time, it is likely guidance will be issued on the minimum types of TOMs required in key areas (e.g. AI).

So what?

Once passed, APP 11.3 will apply to all personal information holdings of an organisation (no matter when collected) and is intended to increase transparency, certainty and ensure minimum security standards for the handling of personal information by all organisations.

It is even clearer now that there is not a ‘one size fits all’ to information security or a fixed checklist of controls to satisfy the level of security reasonably required for all organisations. The relevant types of TOMs to be implemented must be assessed and be relevant to (and mitigate the threats and risks of) the organisation in its specific circumstances. These must be assessed proportionate to the size of the organisation’s information systems, types of personal information held (including its sensitivity and any harm that may result from any compromise), the volume of personal information the organisation processes and to whom and where the organisation transfers personal information. Any specific industry or sectorial risks the organisation may experience must also be factored in.

In addition to this significantly enhanced information/cyber security obligation, the concern is that the term “technical and organisational measures” (well known in the EU and UK under the GDPR) is a term of art which has been developed over time in the EU/UK based on prescribed specific minimum requirements and through relevant TOMs being detailed in a number of versions of the SCCs. Over time this has advanced the understanding of what TOMs are required in what circumstances by organisations in the EU/UK.

In Australia, however, without this history and a developed understanding of what TOMs are and, in particular, what specific TOMs are required for an organisation in their specific circumstances, it will be difficult to interpret this which, in itself, will become a burden for organisations. In addition to this burden, taking a lead from the requirements of the term in the EU and UK under the GDPR, this is a significantly higher bar (even on its most limited interpretation) than the current security practices of most organisations in Australia complying with APP 11. These increased obligations and additional targeted security measures must be implemented proportionate to the specific circumstances of the organisation. The effort required to meet these obligations should not be underestimated, especially as, once passed and receiving Royal Assent, the APP 11.3 (and TOMs) obligations will apply immediately (likely by mid‑2025).

How will this impact you?

Your organisation will need to consider (or revisit) its privacy and information/cyber security risk analysis and management framework, organisational processes implementing information security and deletion/de‑identification policies (i.e. under APPs 11.1 and 11.2), their oversight/governance (including Board involvement) as well as the physical and technical measures currently in place. All of these must be assessed for their effectiveness and to determine what additional requirements and improvements are necessary to meet APPs 11.1 and 11.2 and, once legislated, APP 11.3 and the TOMs requirement.

In addition to any technical controls and measures implemented, the TOMs obligation requires that an organisation has in place appropriate ‘organisational measures’/governance too. That is, an overarching organisation-wide privacy and security risk management framework with real oversight by (and involvement of) the Board. As a starting point, the 10 example organisational accountability measures listed in Chapter 1 of the OAIC’s APPs Guidelines (see para 1.7) plus those noted in recent APP 1.2 Privacy Commissioner decisions such as Uber, Clearview AI and the Federal Police (collectively Organisational Accountability Measures) should be implemented by all organisations now.

What you can do to prepare

Now is the time to review your organisation’s privacy and security governance framework to align with the technical and organisational measures of APP 11.3 and ensure, at a minimum, you have all of the relevant Organisational Accountability Measures in place. There is no transition period allowed for implementing the relevant TOMs once the Bill passes and receives Royal Assent, APP 11.3 and the TOMs obligations will apply immediately to all organisations. These obligations are therefore likely to be ‘live’ from mid‑2025 which, with summer holidays soon, is less than six months away.

Your organisation should also consider aligning to a good practice standard for information security, such as ISO27001:2022, which provides guidelines for implementing an information security management system (ISMS). Aligning your organisation to an information security standard will enable sufficient organisational governance to be applied to technical controls so that controls are well managed and operate effectively – one of the most likely gaps that results in an information security incident.  

No time to waste! How we can help

Our Cyber Advisory and Digital Law teams can assist you to meet your obligations by:

• Undertaking an assessment of the information security measures your organisation has in place and (including identifying what of the relevant Organisational Accountability Measures are missing) and providing recommendations for improvement
   
• Assessing your risk management and governance capability and the maturity of the organisation’s information security and privacy programs, ensuring information and privacy risks are identified and reduced appropriately, including Board oversight and other governance measures required by APP 1.2
   
• Reviewing the organisation’s information security policy frameworks and identifying gaps in the design of information security controls, helping to uplift/develop new governance documents, including ISMS implementation
   
• Evaluating/auditing your organisation’s controls in relation to the confidentiality, integrity and availability of personal information it uses, stores and transfers
   
• Reviewing measures and governance in place for third parties accessing your premises or technology systems which process your personal information and providing recommendations for improvement
   
• Conducting information security awareness training sessions for all employees and contractors
   
• Uplifting/testing your organisation’s incident response and recovery capability via tabletop exercises and cyber simulations, identifying process gaps and providing recommendations to achieve strong cyber resilience.

Please reach out to us to organise a time to discuss with us how best (and most cost‑effectively) your organisation can address these issues.

Clyde & Co’s Cyber, Privacy and Technology Team has unparalleled and specialised expertise across the privacy, cyber, financial services information regulatory and broader technology practice areas. It also houses the largest dedicated market leading privacy and cyber incident response practice across Australia and New Zealand. All of this ensures your “readiness, response and recovery” is in good hands. We provide end‑to‑end risk management solutions for clients from advice, strategy, transactions, innovations, cyber and privacy pre‑incident readiness, incident response and post‑incident remediation and recovery to regulatory investigations, dispute resolution, recovery of damages and third party claims. We offer market leading practical solutions, focussed assistance and advice.