Basic guide to IPP 4 - Storage and security

Under Information Privacy Principle 4 (IPP 4), agencies1 must ensure that documents containing personal information are protected from:

  • loss
  • unauthorised access, use, modification or disclosure2
  • any other misuse.

The level of storage and security will depend upon the nature of the personal information in the document and the risk of a security breach occurring. If a document contains extremely sensitive information, such as health or criminal records, an agency should take maximum care in protecting the information.

Security measures may be both physical (eg. locks and swipe cards for rooms and compactuses) and electronic (eg. passwords and encryption for computers and USB devices) and operational (eg. restricting access on a needs basis).

Information Standard 18 (Information Security) will be a starting point for agencies in determining what basic security measures are required, however, the specific requirements for each agency will differ depending on the type and amount of personal information held.

Agencies may wish to consider implementing internal policies and providing training on:

  • levels of access to information
  • a mechanism of internal authorisation for access
  • use of portable storage devices such as USB devices, mobile phones, Blackberrys and laptops
  • password and encryption protections
  • use of e-mail and facsimile.

Disclosure to third parties

An agency must also ensure that if it is necessary to disclose a document to a third party, the agency takes all reasonable steps to prevent unauthorised use or disclosure by that third party.

  • 1 In this Guideline references to an 'agency' also include Ministers and bound contracted service providers, unless otherwise specified.
  • 2 Please refer to the key privacy concepts on what constitutes "use" and "disclosure" for further guidance.

Current as at: January 10, 2012