
Be careful what you wish for: APP 11.3 and TOMs

22 July 2025


Alec Christie

During the Attorney-General’s lengthy review of the Privacy Act (AG’s Review), which spanned the last term of the Coalition Government and the first term of the Labor Government, a large number of business and industry association submissions to the AG’s Review noted the significant difficulties businesses faced in interpreting, applying and complying with the ‘reasonable steps’ requirements of APP 11.

Against the backdrop of some of the most significant and public data breaches seen in Australia, these submissions requested more clarity and detail about what their ‘reasonable steps’ obligations were under APPs 11.1 and 11.2, and the Attorney-General was amenable to such submissions. In the final hours of the Parliament in 2024, business (or at least those that had made submissions on behalf of business) finally got what they wished for in the shape of a new APP 11.3, passed at the end of November and in force from 11 December 2024.

What are the new APP 11.3 and TOMs requirements?

In response to the submissions of business (businesses being referred to, when subject to the Privacy Act, as organisations), APP 11.3 was introduced to clarify the ‘reasonable steps to protect personal information’ and ‘reasonable steps to destroy or de-identify personal information’ standards referred to in APPs 11.1 and 11.2. APP 11.3 does this by specifying (i.e. requiring) that, from 11 December 2024, such ‘reasonable steps’ must include ‘technical and organisational measures’, that is, TOMs. The TOMs become a key mandatory minimum ‘security obligation’ under both APP 11.1 and APP 11.2. It is also important to note that, in line with the existing APP 1.2 obligation, TOMs include significant ‘organisational measures’, not just technical security measures.

In general, the ‘technical measures’ of the TOMs are the physical and logical information security controls that protect personal information from misuse, unauthorised access, interference and loss. The ‘organisational measures’ of the TOMs address how the organisation ensures it achieves its information security goals, including ensuring that the relevant technical measures protecting the confidentiality, integrity and availability of personal information are actually implemented, through oversight of, and accountability for, an appropriate information security risk management framework across the organisation.

The new APP 11.3 does not detail what types of TOMs, or to what extent, are required in which circumstances. However, the Explanatory Memorandum for the Privacy and Other Legislation Amendment Act 2024 provides the following examples, showing the wide range of measures that fall under the APP 11.3 TOMs banner:

  • technical measures are those that can be physically or logically implemented, including identity and access management controls, anti‑virus controls, data leakage prevention controls, information encryption controls and physical controls; and
  • organisational measures are those that detail how to implement the information security controls, including processes to embed strong information security risk management, development of policies, standards, procedures and training and awareness raising activities.

The Privacy Commissioner has also been charged with enhancing the current APP 11.1 and APP 11.2 guidance and with including guidance on APP 11.3. This revised guidance is expected to include technical advice from the ACSC to support organisations in implementing and uplifting the necessary TOMs to address the risks and threats to the security of the personal information they hold. While the revised guidance may provide examples of certain types of TOMs to be implemented by certain types of organisations in certain specific circumstances, it is unlikely ever to be a comprehensive encyclopaedia of all types of TOMs required in all areas of business in all circumstances.

In the absence of detailed requirements set out in the Act/APPs or the Commissioner’s guidance, every organisation must implement TOMs appropriate to the privacy risks that arise in the circumstances of each activity. However, we are not without guidance or precedent to assist in interpreting what TOMs may be relevant under APP 11.3. The ‘technical and organisational measures’ terminology of APP 11.3 is borrowed from the GDPR (Articles 24, 25, 28 and 32) and from the EU’s Standard Contractual Clauses (SCCs) and data processing agreements (DPAs), where specific required measures are detailed.

TOMs in Australia under APP 11.3

The term ‘technical and organisational measures’, well known in the EU and UK under the GDPR, is a term of art that has been developed over time in the EU/UK on the basis of specific prescribed minimum requirements, and refined through successive versions of the SCCs and regulator decisions. The absence in Australia of any such history, or of a developed understanding of what TOMs are and, in particular, of what specific TOMs may be relevant in specific circumstances, will make it difficult for Australian organisations to interpret and apply this obligation.

In addition to this burden, and taking the lead from the TOMs required in the EU and UK under the GDPR, even on the most limited interpretation of what TOMs include, these are significantly more onerous than the security and accountability practices implemented by most organisations in Australia to date to comply with APP 11. These increased obligations, and the additional targeted organisational measures to be implemented proportionate to the specific circumstances of each organisation, will require significant effort and cost. The effort required to implement relevant TOMs should not be underestimated.

In order to better understand what TOMs are required under APP 11.3, the EU/UK experience, which is also expected to be a source of inspiration for the Commissioner’s interpretation and enforcement of this obligation, is instructive.

Guidance and examples from the GDPR & SCCs

Under Article 32 of the GDPR, and in relation to the transfer of ‘personal data’ outside the EU, Annex II of the SCCs details the key technical and organisational measures necessary to meet the GDPR’s requirements to ensure the secure processing of the transferred personal data and to protect it against accidental or unlawful destruction, loss, alteration or unauthorised disclosure (i.e. akin to the APP 11.1 obligation). These TOMs provide a good indication of the Commissioner’s likely expectations in Australia under APP 11.3 for organisations to meet their APP 11.3 TOMs obligation, in addition to their APP 1.2 obligations. The SCCs’ technical measures include:

  • Pseudonymisation: Using a pseudonymous identifier in place of the data subject’s name.
  • Encryption: Protecting personal data by converting it into a format that is unreadable without the decryption key.
  • Access Controls: Limiting access to personal data based on roles and permissions.
  • Data Loss Prevention (DLP) Systems: Detecting and preventing personal data from leaving the organisation’s systems.
  • Security Audits: Regularly testing and evaluating the effectiveness of security measures.
  • Physical Security: Ensuring the security of locations where personal data is processed.

The SCCs’ organisational measures include:

  • Privacy Impact Assessments (PIAs)[1]: Assessing the impact of personal data processing activities on individuals’ rights.
  • Data Protection and Information Security Policies and Procedures: Establishing clear guidelines for personal data handling and security.
  • Data Subject Rights: Ensuring individuals have the right to access, rectify and erase their data.[2]
  • Designation of a Data Protection Officer (DPO): Ensuring a dedicated individual oversees data protection compliance.
  • Employee Training: Educating employees on data protection and security protocols.
  • Data Breach Response Plan: Establishing procedures for handling data breaches.
  • Regular Assessments and Audits: Conducting regular assessments and audits to ensure the organisation’s compliance.

Recital 78, relating to Article 32 of the GDPR, elaborates on the type of TOMs required under the GDPR and the importance of ‘privacy by design’ as part of them, and should be carefully considered by organisations in Australia when working out how to implement TOMs under, and in order to comply with, APP 11.3:

“In order to be able to demonstrate compliance with this Regulation [the GDPR], the controller [the organisation] should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors [organisations] are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.”

When and to what does APP 11.3 apply?

APP 11.3 applies to all personal information holdings of an organisation from 11 December 2024, no matter when collected. It is also now even clearer that there is no ‘one size fits all’ for information security under APP 11, nor a single fixed checklist of controls that satisfies the level of security reasonably required for all organisations in all circumstances.

Each activity involving personal information and, in particular, sensitive information must be assessed on its merits (i.e. its risk), and the TOMs to be implemented must be adjusted accordingly. The TOMs must be assessed so as to mitigate the threats and risks faced by the organisation, and must be proportionate to: the size of the organisation and its information systems; the types of personal information held, including its sensitivity; any harm to individuals that may result from a compromise of the information in question; the volume of personal information being processed; and to whom and where the organisation transfers the personal information in relation to each activity.

How to address the APP 11.3 TOMs in practice

Organisations need to revisit their privacy and information/cyber security risk analysis, their risk management framework and their governance processes under APPs 11.1, 11.2 and 11.3. The technical measures currently in place should be reviewed against this revised risk management framework and any gaps addressed. All existing measures must be assessed for their effectiveness and to determine what additional requirements and improvements are necessary to meet the TOMs requirement of APP 11.3, or to align them with the technical and organisational measures required under APP 11.3 and the organisation’s obligations under both APPs 11.1 and 11.2. However, organisations must remember that, in addition to the technical measures and controls, the TOMs obligation also requires that an organisation has appropriate ‘organisational’ and governance measures in place. Organisations must implement an overarching organisation-wide privacy and security risk management framework, with oversight by the Board of the organisation, in order to comply with their obligations under APPs 1.2 and 11.3.

Organisations should also consider aligning their practices to accepted good practice standards for information security and privacy, such as AS 27001:2022 and AS 27701:2024, which respectively provide the frameworks for implementing an information security management system (ISMS) and a privacy information management system (PIMS). Aligning the organisation’s privacy, information security and related risk management practices to these standards, including obtaining independent certification to them, will ensure sufficient technical and organisational measures under APP 11.3 and also the governance framework to meet the APP 1.2 obligation.

To best meet the APP 11.3 obligation, organisations should:

  • undertake an assessment of the technical and organisational measures they have in place and provide recommendations for the improvements required to address any gaps;
  • assess the organisation’s privacy risk management and governance capability and the maturity of the organisation’s information security and privacy programs to ensure that all information and privacy risks are identified and managed appropriately;
  • review the organisation’s information security policy frameworks, identify gaps in the design of information security controls, uplift existing governance documents as required and develop new ones where needed, including considering an ISMS implementation;
  • re-evaluate and assess the organisation’s controls in relation to the confidentiality, integrity and availability of the personal information it uses, stores and discloses, including considering whether a PIMS is appropriate for the organisation;
  • review the measures and governance in place in relation to third parties that access the organisation’s premises or technology systems, or that process the organisation’s personal information, and provide recommendations for improvement and to address any gaps found;
  • conduct information security and privacy awareness training and simulations for all employees and contractors;
  • test and uplift the organisation’s incident response and recovery capability through exercises and cyber simulations, identifying process gaps and providing recommendations to achieve strong cyber resilience; and
  • report all findings from these activities to the Board of the organisation together with a plan to address all required uplift.

Published in LexisNexis Privacy Law Bulletin: Issue 22.4 (special edition)


[1] These are referred to as “Data Protection Impact Assessments” or “DPIAs” under the GDPR.

[2] Under the Privacy Act there is no right for individuals to request that their personal data be erased, but APP 11.2 does require the deletion or de-identification of personal information once it has been used for its primary purpose(s) of collection.