A brief guide to technical and organisation measures under APP 11.3

17 June 2025

Author: Alec Christie

During the Attorney-General’s lengthy review of the Privacy Act, a significant number of business and industry association submissions noted the difficulties businesses faced in interpreting, applying and complying with the ‘reasonable steps’ requirements of APP 11. Those businesses, or those making submissions on their behalf, got what they wished for in the shape of a new APP 11.3, passed at the end of November 2024.

What are the new APP 11.3 ‘TOMs’ requirements?

APP 11.3 requires that, from 11 December 2024, the ‘reasonable steps’ under APPs 11.1 and 11.2 must include necessary ‘technical and organisational measures’ (TOMs). APP 11.3 applies to all personal information holdings of an organisation from 11 December 2024, no matter when that information was collected, and every organisation must implement TOMs appropriate to the privacy risks that arise in the circumstances of each activity.

In general, ‘technical measures’ of the TOMs are physical information security controls that protect personal information from misuse, unauthorised access, interference and loss. The ‘organisational measures’ of the TOMs address ‘how’ the organisation ensures it achieves its information security goals, including ensuring the implementation of the relevant technical measures to protect the confidentiality, integrity and availability of personal information by oversight of and accountability for the implementation of an appropriate information security risk management framework across the organisation.

There is no detail in the Act/APPs or any Commissioner guidance (as yet) as to what the relevant TOMs are. But the ‘technical and organisational measures’ terminology of APP 11.3 is ‘borrowed’ from the GDPR (Articles 24, 25, 28 and 32), the EU’s Standard Contractual Clauses (SCCs) and data processing agreements, where the required TOMs are detailed, so we can take guidance from those sources.

An example from the GDPR & SCCs

As an example, in relation to the transfer of ‘personal data’ outside of the EU under Article 32 of the GDPR, Annex II of the SCCs details the key TOMs necessary to ensure the secure processing of the transferred personal data and to protect that personal data against accidental or unlawful destruction, loss, alteration or unauthorised disclosure (an obligation akin to APP 11.1). These TOMs provide a good indication as to the expectations of the Privacy Commissioner in Australia under APP 11.3.

The SCCs’ technical measures include pseudonymisation, encryption, access controls, data loss prevention, regular security audits/reviews and physical security. The SCCs’ organisational measures include PIAs, privacy and infosec policies and procedures, access and correction processes, a senior employee responsible for privacy, training, a data breach response plan and regular assessments/reviews of privacy compliance.

Further, Recital 78 relating to Article 32 of the GDPR elaborates on the importance of ‘privacy by design’ as part of TOMs. The following words from Recital 78 should be considered by all organisations when implementing TOMs in order to comply with APP 11.3:

“In order to be able to demonstrate compliance … should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. … [including] minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, ...”

What TOMs apply when?

It is even clearer now, post-APP 11.3, that there is no ‘one size fits all’ for information security under APP 11. Each activity involving personal information and, in particular, sensitive information must be risk assessed, and the necessary TOMs must be implemented to mitigate the threats and risks faced by the organisation. What is necessary is proportionate to the size of the organisation, its information systems, the types of personal information held, any harm to individuals that may result from a compromise of the information in question, the volume of personal information being processed, and to whom and where the organisation transfers the personal information.

How to address TOMs in practice

The best way for organisations to meet the APP 11.3/TOMs obligation is to:

  • undertake an assessment of the existing technical and organisational measures and identify required improvements;
  • assess the organisation’s privacy risk management and governance capability to ensure that all information and privacy risks are identified and managed appropriately;
  • review the organisation’s information security policy framework and design of information security controls and, as required, develop new governance documents;
  • re-evaluate the organisation’s controls in relation to the confidentiality, integrity and availability of the personal information it uses, stores and discloses;
  • review the measures and governance in place in relation to third parties accessing the organisation’s premises, technology systems or which process the organisation’s personal information;
  • conduct information security and privacy awareness training and simulations for all employees and contractors;
  • test and uplift the organisation’s incident response and recovery capability through exercises and cyber simulations; and
  • involve the Board in, and have it oversee, privacy compliance.

Your organisation should also consider aligning to a good practice standard for information security, such as ISO27001:2022, which provides guidelines for implementing an information security management system (ISMS). Aligning your organisation to an information security standard will enable sufficient organisational governance to be applied to technical controls so that those controls are well managed and operate effectively – the absence of such governance is one of the most likely gaps that results in an information security incident.

To hear more or to organise a chat, get in touch:

info@atmosgroup.com.au