Overview — Australian data protection strategy

The aim of your Australian data protection strategy is to establish and maintain a culture of information security awareness and compliance within your organisation, taking into account the Australian regulatory environment.

Securing information is not just protecting it from being accessed by third parties. A commonly used way to summarise the key objective is to refer to the “CIA” — Confidentiality, Integrity and Availability — or, to avoid confusion with the USA Central Intelligence Agency, the “AIC” triad. The AIC triad is an important reminder that information security is not just about confidentiality: information can also lose its value if it cannot be trusted, perhaps because it has been compromised by error or deliberate interference, or has not been maintained accurately. The lack of availability of information when required can have the same consequences as its loss or a loss of its integrity.

The first step in the preparation of a data protection strategy is to understand the regulatory context in which you operate and identify applicable rules and guidelines. Next, you should identify the relevant classes of information that you need to protect, consider the risk exposure that accompanies each class of information and whether or not the measures currently in place are adequate having regard to the potential risk to your organisation.

It is important to consider the components that make up a secure framework. It is a common mistake to focus only on the protection of IT systems. While the protection of IT systems from unauthorised access and careful control of access privileges is a critical component, it is also necessary to consider employee-related issues such as background checking, the terms and conditions of employment, and the adequacy of training, supervision and audit. Control of the physical environment is also relevant.

For more information on practical considerations in developing and implementing a data protection strategy in Australia, see: Developing a strategy for Australian data protection, Procedures for implementation and Systems for improvement.


Overview — Personal data security breach management

Best practice before a breach occurs

An organisation can seek to prevent or minimise a personal data security breach occurring by implementing an effective organisational data security compliance framework.

An effective organisational data security compliance framework can avoid or minimise the risk of an organisation and individuals within it breaching personal data security obligations.

Such a framework should usually include:

  • regular audits of the organisation’s IT security policies, systems, controls, processes and practices;
  • effective IT security policies, systems, controls, processes and practices;
  • staff training and awareness of data security obligations;
  • a positive and strong compliance culture; and
  • ongoing governance oversight.

An organisation should conduct regular audits of the organisation’s IT security systems, processes, practices and policies.

An organisation should develop and maintain effective IT security policies, systems, controls, processes and practices to prevent or minimise the risk of breach of data security obligations.

Employees should receive regular training on compliance with data security requirements.

The main objective of the training should be to build and maintain a good level of current awareness of how to comply with, and avoid breaching, data security obligations.

Employees of an organisation whose roles involve performing services for the organisation’s customers should be familiar with any contractual obligations that the organisation has to the customer concerning data security requirements.

Organisations should develop and maintain a positive and strong compliance culture in relation to data security obligations.

A positive and strong compliance culture can embed best practice with respect to data security awareness and compliance within the values of an organisation and the values and behaviours of its staff.

An organisation should also implement effective internal governance processes and oversight of data security issues.

Internal governance processes should enable the timely and accurate reporting of data security compliance issues and breaches to relevant internal stakeholders.

Responding to a data security breach as it occurs

To determine how to respond to a data security breach involving the personal information of one or more individuals, the organisation should determine:

  • what is the nature of the data security breach;
  • what is/are the cause(s) of the data security breach;
  • who is affected by the data security breach; and
  • what are the potential consequences for the organisation and those affected by the data security breach.

An organisation should have one or more decision-makers (ie a response team) who are responsible for:

  • assessing the nature and cause(s) of a data security breach;
  • identifying who is affected and what the potential consequences are; and
  • deciding upon an appropriate course of action for the organisation in relation to a data security breach.

It is important for an organisation to first identify the nature of a data security breach, to help it determine and plan an appropriate response.

It is also important for an organisation to identify the actual and potential consequence(s) of a data security breach.

This will help the organisation to prepare an appropriate response to the data security breach, including what actions and organisational resources are required to achieve an appropriate response.

Promptly upon becoming aware of a data security breach, an organisation should ensure that key internal stakeholders are:

  • alerted to the occurrence of the data security breach; and
  • given sufficient information in relation to the data security breach as soon as possible to enable them to assess the potential impacts of the occurrence.

An organisation may need to develop a different response depending on whether it is at fault or whether another organisation or person is at fault.

Such response should take into account a range of considerations, including complying with any relevant contracts with affected parties and communications with affected parties.

Compliance after a data security breach has occurred

Once an organisation has responded to and resolved a data security breach issue, it should:

  • conduct an internal audit to determine the root cause(s) of the data security breach;
  • determine what remediation measures are required to prevent or minimise the possibility of any recurrence of the data security breach; and
  • implement the necessary remediation measures and monitor their effectiveness.

Consideration should be given to whether offshore data transfers comply with APP 8 and whether an offshore data transfer agreement is required.

For more information on practical considerations in personal data security breach management, see: Best practice before a breach occurs, Responding to a data security breach as it occurs and Compliance after a data security breach has occurred.


Overview — Ensuring data protection compliance

Perhaps the most difficult challenge in ensuring effective cybersecurity is making sure that the elements of your strategy are implemented in practice.

Allocation of responsibility

The analysis necessary to identify relevant information, relevant risks and the steps necessary to devise appropriate remediation procedures and solutions can be undertaken at a point in time as a discrete project. It is relatively straightforward to complete such a project, publish your policies and to conduct initial training. The temptation and natural tendency is to regard the completion of that work as a job done. This is particularly the case because your policies can serve as evidence of compliance and may even be referenced to clients as evidence of your awareness of the relevant issues and an indication of your commitment to cybersecurity.

Induction and training

Policies and procedures buried on the intranet or forgotten at the bottom of the drawer will not impact the cybersecurity risks faced by your organisation. In order to be effective, policies and procedures must be integrated into day-to-day operations, be used in decision making and training, and be revised and updated in response to changes in technology, changes to the business and experience with risks and incidents. If not implemented, your well-documented strategy can instead serve as a benchmark of proper practice, available to be called upon as evidence against you should a third party claim or a formal investigation by a regulator take place as a result of a security incident. It is vital that your security strategy be embedded in the operational life cycle of your organisation.

Monitoring, testing and responding to change

In this subtopic, we discuss steps that you can take to embed your cybersecurity strategy in the management culture and business life cycle of your organisation. As part of the privacy operational life cycle, data protection compliance is achieved through the monitoring, auditing and communication aspects of the management framework, where:

  • monitoring identifies any gaps and weaknesses in an organisation's privacy program;
  • auditing ensures consistency, effectiveness and sustainment of the privacy practices; and
  • communication creates internal and external awareness of the privacy program, ensuring flexibility to respond to legislative and industry changes.

For more information on the practical considerations in ensuring compliance of a data protection strategy, see Allocation of responsibility, Induction and training, and Monitoring, testing and responding to change.

Overview — Planning and Implementing New Projects

In order to mitigate the risk of privacy issues and cyber security threats, and to achieve data resilience, it is important to take a proactive approach to privacy.

This means thinking critically about privacy during the planning and implementation stages of a project.

Conducting a privacy impact assessment

A privacy impact assessment (PIA) is an essential part of implementing new projects in order to achieve privacy by design.

A PIA is a systematic evaluation of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimising or eliminating that impact.

Obtaining consent to collect personal information

For any new project where personal information is collected, it is vital to consider the issue of consent. Consent is relevant to the operation of a number of Australian Privacy Principles (APPs). In some APPs, consent is an exception to a general prohibition against personal information being handled in a particular way (for example, an APP entity can only collect “sensitive information” if an individual consents, unless an exception applies). In others, consent provides authority to handle personal information in a particular way (for example, sensitive information cannot be used for marketing without express consent, and obtaining express consent after disclosure that the relevant information will not be protected by APP1 allows disclosure of personal information overseas).

The Information Commissioner has made clear that consent is a particular regulatory focus. She has stated publicly that “The practical application of concepts of fairness and the role of consent will be central to the future of privacy in Australia. It is a key issue that unites my regulatory priorities and, accordingly, I also think it should be a key focus point for every organisation moving forward.”

Given these statements, consent, when relied on as a basis for complying with the Privacy Act, needs to be carefully considered by organisations.

Separately, once an APP entity collects personal information from an individual, APP 5 — Notification of the collection of personal information requires that the individual be notified of certain mandatory issues.

For more information on practical considerations when planning and implementing a privacy-based approach in projects, see: Implementing a privacy by design approach, Conducting a Privacy Impact Assessment, and Obtaining consent to collect personal information.

Lessons from the IOOF Case

A recent decision of the Federal Court in Australian Prudential Regulation Authority v Kelaher [2019] FCA 1521 provides some guidance to regulators, trustees of superannuation funds and their advisers on issues related to administering superannuation funds and conducting litigation, explains Noel Davis, Barrister and author of The Law of Superannuation in Australia.

In this case APRA sought disqualification orders, on several grounds, against directors of the trustee of a public superannuation fund, and against three responsible officers of the trustee, for having breached the Superannuation Industry (Supervision) Act. The court, therefore, had to determine whether the breaches alleged had occurred. Ultimately the view was that the evidence was not enough to show that the respondents were responsible for breaches.

The evidence

APRA sought to prove its case that breaches had occurred by relying solely on documents brought into existence by the respondents to APRA’s claims, as admissions against interest by the respondents. The judge disagreed that those documents constituted admissions by the respondents. She said it was for APRA to prove its case of contraventions of the legislation by such evidence as it saw fit and the documents put into evidence were not enough proof to warrant disqualification [4].

APRA will, therefore, be mindful, in future cases, of the need to lead written and oral evidence which clearly demonstrates that there were breaches of the legislation and that those before the court were responsible for the breaches.

Covenants of trustees

The Superannuation Industry (Supervision) Act imposes in s52 several covenants on trustees of superannuation funds, with which they must comply. Some of them were considered in this case, in the course of considering whether the respondents had breached them.

  1. S52(8) Duty to have an operational risk reserve

    A reserve is an amount in a fund that is not allocated to members’ accounts or, in a defined benefit fund, is not maintained to pay defined benefits.

    The conclusions in this case in relation to the use of operational risk reserves are significant for trustees and their advisers because this is the first case in which it has been considered when trustees can take money out of an operational risk reserve to compensate members who have lost money.

    The requirement in s52(8) to have an operational risk reserve was imposed by the Superannuation Legislation Amendment Trustee Obligations and Prudential Standards Act, 2012, supported by standards issued by the Australian Prudential Regulation Authority in the form of the Superannuation (Prudential Standard) Determination No. 1 of 2012. It defines operational risk as the risk of loss from inadequate or failed internal processes, people and systems or from external events (paragraph 6).

    The trustee is required to have a strategy for determining when and how the operational risk reserve can be applied (para 19(f)).

    The APRA Prudential Practice Guide SPG114 requires that the amount of the reserve must be at least 0.25% of the total amount of the fund: paras [7] and [9].

    An important issue in the case was whether, if there are losses in a fund because of the actions of the trustee, its investment managers or otherwise, the reserve can be applied to compensate the members who have lost money, or whether the trustee or anyone else who caused a loss must compensate the fund, thus leaving the reserve intact. If the reserve is reduced, it will have to be topped up by the existing members.

    There were losses to the fund caused by some companies who were providing services to the fund and the trustee applied money from the reserve to compensate those members who lost money. APRA argued in this case that the trustee should have first attempted to obtain payment from the companies that caused the losses before compensating the members out of the reserve, because the money in the reserve was the members’ own money and they were, in effect, compensating themselves rather than being compensated by those who caused the losses.

    APRA’s arguments were not accepted by the judge. She said that it was misconceived to describe the reserve as the members’ own money. Rather, she said, it was money held for the express purpose of compensating members for operational risk, including risks arising from the conduct of the trustee or others. Compensating members from it did not, therefore, involve compensating members from their own money. Rather, it is the use of the money for the very purpose for which it was created: [126].

    The basis for APRA’s argument was that the money in the reserve was contributed by the members out of the earnings on their money in the fund and any top up to keep the reserve at the minimum level, after compensating the members, would have to be contributed by the members.

    APRA’s argument has some validity. When an amount is paid out of the operational risk reserve and that reduces the amount of the reserve below the minimum required level, the trustee will require that the reserve be restored to the minimum level and, generally, that will be achieved by taking the money out of members’ earnings or by deducting from the members’ accounts the amount required to top up the reserve.

    The members, therefore, pay for any money paid out of the reserve to compensate members.

    If the members who are compensated are the same as the members whose accounts are debited to top up the reserve (which will be the case if all the current members are being compensated), the members will have paid for their own compensation.

    This circular movement of money from the members’ accounts to the reserve as a result of a payment out of the reserve to compensate members gives rise to a strong argument that the money in the reserve is the members’ money and that this aspect of the IOOF decision is not correct.

    The judge also disagreed with APRA’s submission that the use of the reserve without exhausting other means of being able to compensate the members was not in the best interests of members and was, therefore, in breach of the trustee’s obligation to act in the members’ best interests. The judge added that the trustee does not have a duty to make claims against anyone who may be potentially liable for a loss of the members before the trustee accesses the reserve: [124].

    The judge recognised, however, that, on the winding-up of the fund, the reserve would have to be allocated, and for the trustee to allocate the reserve to itself rather than to the members would be a clear breach of the trustee’s duties.

  2. S52(2)(c) To exercise care, skill and diligence

    It was said in the judgement that a trustee’s duty under this covenant does not amount to a duty to avoid all loss and that errors of judgement can be committed without being liable under this covenant [39].

  3. S52(2)(d) To deal with conflicts of interests by giving priority to members’ interests

    An obligation is imposed by this covenant, where there is a conflict between the duties of the trustee to the beneficiaries and the duties of the trustee to any other person or entity,

    (i)     to give priority to the duties to and interests of the beneficiaries over the duties to and interests of other persons; and

    (ii)    to ensure that the duties to the beneficiaries are met despite the conflict; and

    (iii)   to ensure that the interests of the beneficiaries are not adversely affected by the conflict; and

    (iv)   to comply with the prudential standards issued by APRA in relation to conflicts.

    The covenant was considered in this case and it was said in the judgement that the no-conflict covenant is not about avoiding conflicts of interest. Rather, it is about managing conflicts because they are inevitable. The conflicts which need to be managed are actual conflicts which have the capacity to significantly impact on the duty to act in the best interests of beneficiaries: [79].

  4. Duty to get in fund assets

    This is a duty imposed by principles of trust law and requires trustees to ensure that they and their custodians have title to all the assets of the fund and that all entitlements are received including capital and income entitlements. It is a duty of trustees, as the legal owners of the assets of the fund, to take proceedings against other parties to obtain payment of amounts to which the fund is entitled and to recover losses. It was said in the judgement in this case that a trustee is not obliged to make such a claim if, in the opinion of the trustee, it would not produce any result. That is a discretion that a trustee must consider in evaluating all the relevant considerations, including the amount at stake, the prospects of success, the issues involved and the available alternatives: [154].


What was decided in this case warrants careful consideration by trustees and their advisers in determining how the trustees’ obligations should be carried out and whether amounts can be paid from the operational risk reserve to compensate members where losses have occurred. It goes without saying that the judgement will be carefully considered by APRA in relation to the conduct of future litigation.

It will be interesting to see whether courts, in future cases, agree with the decision in this case that a payment out of an operational risk reserve is not a payment from the members’ own money and does not, therefore, amount to the members compensating themselves for losses.

Noel Davis, Barrister
Author of The Law of Superannuation in Australia

Contact your Relationship Manager for more information on The Law of Superannuation in Australia which is available as part of an online subscription to Lexis Advance. Alternatively email Sales.Enquiries@lexisnexis.com.au or call us on 1800 772 772
