Australia

The most relevant IT security obligations are:
• Organizations must take reasonable steps to protect the information they hold from misuse, interference, and loss, and from unauthorized access, modification or disclosure. There are no prescribed information security standards under Australian law and what are “reasonable steps” must be determined on a case-by-case basis.
• Organizations must take reasonable steps to destroy or de-identify any personal information it holds that the organization no longer needs for any purpose for which the information can be lawfully used or disclosed.
• Organizations must take reasonable steps to ensure that the information it uses or discloses is complete, accurate, up-to-date, and relevant having regard to the purpose of the use or disclosure.
• Organizations must take reasonable steps to implement practices, procedures and systems relating to the organizations functions or activities to ensure that the organization complies with the APPs (or the IPPs, as applicable).
• Under the Privacy Act, organizations must:
o investigate a suspected “eligible data breach” within 30 days of the organization suspecting that an eligible data breach has occurred; and
o notify the OAIC and affected individuals as soon as practicable if the organization has reasonable grounds to believe that an “eligible data breach” has occurred.
An “eligible data breach” means any unauthorized access to, unauthorized disclosure of, or loss of personal information that is likely to result in serious harm to any affected individuals, and which the organization has been unable to remediate.
• Under the Privacy Act, an organization must co-operate with the Australian privacy regulator, the Office of the Australian Information Commissioner (OAIC), during an investigation. If requested by the OAIC, the organization must give the OAIC information, answer questions, produce a doc-ument or record, or attend before the OAIC to give evidence. Criminal penalties can apply to an organization or individual who fails to comply with a lawful direction by the OAIC in the course of an investigation. There are equivalent obligations under the State and Territory laws for organi-zations to co-operate with the relevant State and Territory regulators.