Viewing entries tagged
OAIC

The OAIC’s new approach: An enforcement memo in complaints clothing

Comment

The OAIC’s new approach: An enforcement memo in complaints clothing

By Chong Shao and Malcolm Crompton

On 2 March 2026, Privacy Commissioner Carly Kind published a post announcing a ‘new approach’ to how the Office of the Australian Information Commissioner (OAIC) will handle individual privacy complaints. At one level, the post is about complaint handling. IIS reads this as an enforcement memo in complaints clothing.

Commissioner Kind has made a statement about regulatory priorities: in an environment of growing privacy risks, rising complaint volumes, and constrained public resources, the OAIC intends to focus its effort where it can have the greatest impact. The complaints-handling changes flow from that. They are a consequence of the strategy, not the story.

What the OAIC has announced

Four elements of the announcement are worth noting, all of which point in the same direction:

  1. Enforcement focus is now the headline. The OAIC describes an intentional shift over the past 12 months toward a greater focus on enforcement, citing deterrent and educative benefits, and a desire for ‘maximum impact’ across sectors. The results are already tangible: a $5.8 million civil penalty against Australian Clinical Labs, civil penalties proceedings filed against Optus and Medibank, and a $50 million settlement from Meta Platforms.

  2. Complaint handling will be more selective and threshold-driven. Not all complaints will be taken through to investigation. The OAIC will conduct a ‘strategic assessment’ and may decide not to investigate after considering all circumstances, including regulatory priorities.

  3. Complainants are being coached to bring better-formed complaints. The OAIC has published checklists, templates, and is clear about what information is required from the outset (including what happened, when, and the impact).

  4. Timing expectations are being reset. As of February 2026, new validly lodged complaints are unlikely to be substantially progressed for 6-12 months. That is a frank admission, and a deliberate signal.

It’s rare for a regulator to be this candid about the trade-offs it is making. The OAIC isn’t just explaining process – it is publicly setting out why individual casework is being deprioritised in favour of enforcement.

So what for organisations?

IIS advises four things with respect to this shift in focus:

1. Don’t confuse ‘slower complaint handling’ with ‘lower risk’

The OAIC is concentrating its effort, not retreating from the field. Organisations whose practices generate repeated complaints or patterns of non-compliance are now more likely to attract attention, not less.

The relevant question isn’t whether your next complaint gets processed in three months or twelve. It’s whether your privacy practices are the kind the OAIC will decide are worth pursuing at scale.

2. Complaints will increasingly function as signals, not just casework

The OAIC is deliberately narrowing the front door. Complainants are being directed to raise matters with organisations first, to use alternative pathways where available, and to understand that even a well-formed complaint may not be investigated.

The practical effect is that organisations become the primary forum for resolution. The complaints that do reach the OAIC will increasingly arrive as signals of something worth looking at, not as individual grievances to be managed. Treat your complaint themes accordingly. A pattern of similar issues across customers or channels is exactly what an enforcement-focused regulator scans for.

3. This is consistent with the direction the OAIC has been signalling

None of this is a surprise. IIS’ reflections on Privacy Awareness Week 2025 highlighted Commissioner Kind’s emphasis on organisational accountability, systemic power imbalances, and a more proactive regulatory posture. The March 2026 post is another milestone on that same trajectory: greater willingness to use the regulator’s full toolkit, and a clearer focus on shaping organisational behaviour and resilience at scale.

The direction of travel is clear: privacy compliance is increasingly about governance and accountability, not just documentation and process.

4. Privacy complaint handling still matters

Finally, and straightforwardly, make sure your privacy complaint handling process is in good shape. The OAIC requires complainants to raise matters with the organisation first and allow 30 days for a response. That makes the organisation the first and most important forum for resolution. The process does not need to be elaborate – but it does need to reach the right people, produce a genuine response, and generate enough of a record to identify repeat issues. Pattern detection, at even a basic level, is now a governance capability.

The way forward

Don’t read the Privacy Commissioner’s post as ‘complaints will take longer to process, so we can relax’. Read plainly, it signals the opposite: the OAIC is being explicit that it will deploy its resources toward enforcement and systemic impact. It will apply more robust thresholds to individual complaints to make that shift possible.

For organisations, the practical response has two dimensions. The first is operational: ensure privacy complaint handling is genuinely effective and allows for pattern detection over time. The second is strategic: treat complaint patterns as an early warning system for the kinds of systemic issues and market practices that the OAIC is now most focused on. That is where the real regulatory risk sits, and where board and executive attention should be directed.

IIS can help – if you would like assistance with this or any other privacy or data protection matters, please contact us.

Comment

FIIG and beyond: How regulators are converging on the same cyber standard

Comment

FIIG and beyond: How regulators are converging on the same cyber standard

By Chong Shao

On 9 February 2026, the Australian Securities and Investments Commission (ASIC) announced that the Federal Court ordered FIIG Securities Limited to pay $2.5 million in pecuniary penalties, following ASIC action over cyber security failures spanning more than four years.

This is the first time the Federal Court has imposed civil penalties for cyber security failures under the general Australian Financial Services (AFS) licence obligations. ASIC didn’t treat this as a one-off IT mistake. Its message was simple: cyber resilience is now part of doing business.

Whether or not you are in financial services, this case is significant. Across Australia’s regulatory ecosystem, we are seeing a steady convergence towards a practical, outcomes-focused cyber security standard, often described as ‘reasonable steps’.

FIIG in brief and why this outcome matters

ASIC’s media release sets out the core narrative clearly:

  • FIIG’s failures related to protecting thousands of clients from cyber security threats over a sustained period.

  • A 2023 cyber-attack resulted in around 385GB of confidential information being stolen, with highly sensitive client data leaked online (including identity documents and financial identifiers).

  • FIIG notified around 18,000 clients that their personal information may have been compromised. 

  • FIIG admitted that adequate measures suited to a firm of its size and the sensitivity of the data would likely have enabled earlier detection and response, and that complying with its own policies may have prevented some or all of the client information from being downloaded.

There are two takeaways from the FIIG case. Firstly, cyber security hygiene is being treated as a matter of ongoing governance, not just technology. Secondly, regulators and courts are increasingly interested in whether controls are operationalised – that is, implemented, monitored, tested and evidenced – not merely documented.

That shift is not unique to ASIC. It’s part of a broader move (including in privacy regulation) from policy compliance to demonstrable protection.

The cyber hygiene checklist: what regulators now expect as basics

ASIC was unusually specific about what FIIG did not have in place. This gives organisations a simple and helpful prompt: Are we covering the basics, and can we prove it? 

Here’s a practical checklist, using the categories ASIC highlighted:

  • Identity and access

    • Multi-factor authentication for remote access users

    • Strong passwords

    • Access controls for privileged accounts

  • Network and endpoint protection

    • Appropriate configuration of firewalls and security software

  • Testing and scanning

    • Regular penetration testing and vulnerability scanning

  • Patching and updates

    • A structured plan to ensure key software systems were updated to address security vulnerabilities

  • Monitoring

    • Qualified IT personnel monitoring threat alerts to identify and respond to cyber-attacks

  • Training

    • Mandatory cyber security awareness training to staff

  • Incident readiness

    • An appropriate cyber incident response plan, tested at least annually.

A key subtext in the FIIG outcome is that the ‘what’ is only half the story. The other half is whether controls are actually in place and operating day-to-day.

Most organisations can point to policies. Fewer can answer simple operational questions like:

  • Do we have multi-factor authentication in place for remote access users, and is it consistently enforced?

  • When did we last run penetration testing and vulnerability scanning, and what did we do about the findings?

  • When did we last test our incident response plan, and what changed as a result?

Operationalising the controls is how ‘reasonable steps’ become real.

The bigger shift: ‘reasonable steps’ is becoming the common standard

It’s tempting to read FIIG as a financial services story: AFSL obligations, ASIC enforcement, court-ordered penalties. But the more important trend is cross-regime.

A similar ‘reasonable steps’ story has been playing out under privacy law. The OAIC has been increasingly explicit about its enforcement posture, including civil penalty proceedings anchored in APP 11.1 (security) and the expectation of ‘reasonable steps’ to protect personal information. 

In Australian Clinical Labs, the Federal Court imposed $5.8 million in civil penalties, including $4.2 million for failing to take reasonable steps under APP 11.1 to protect personal information held on Medlab Pathology’s IT systems. The Court’s analysis focused on concrete security shortcomings – such as weak authentication, inadequate logging, lack of file encryption, unsupported systems and limitations in antivirus controls – reinforcing the same core message as FIIG: principles-based obligations are now being tested against real-world cyber hygiene.

When you put FIIG alongside recent privacy enforcement, a clear pattern emerges. Through different regulators and different statutes, there is a shared test: do you have security controls that match your data and risk profile, and can you demonstrate that in practice?

The shared test also points to why silos don’t work. You can’t assess whether controls are proportionate without understanding what data you hold, why you hold it, how long you keep it, and what expectations you’ve set with customers. In practice, cyber hygiene, data governance and privacy compliance end up being assessed together – because together they explain whether your safeguards are reasonable for your context.

Regulators are rarely interested in the elegance of any single framework. They’re interested in whether your organisation:

  • invested appropriately (people, process, technology) 

  • operated controls consistently over time to manage data risk

  • learned and improved

  • can demonstrate that through clear records.

Turning checklists into confidence: a practical next step

For many organisations, the right response to FIIG is not a massive multi-year program. It’s a practical sequence:

  1. Start with the data – confirm what sensitive data you hold, where is it held and who can access it; then check that you have the FIIG ‘baseline’ controls in place for that environment.

  2. Validate the controls work in practice – and that they’re prioritised around your highest-risk data and systems.

  3. Make it easy to demonstrate – keep clear, simple records that link your data and governance decisions to the controls you operate.

How IIS can help

We help organisations translate ‘reasonable steps’ into something practical. Depending on where you are starting from, that can include:

  • A short, targeted review of your current cyber hygiene controls, focusing on the gaps that matter most and what you can readily demonstrate.

  • Bringing privacy, security and data governance together so you have one joined-up view of what data you hold, how it's protected, and who is accountable.

  • Sharper governance and reporting for executives and boards – clear ownership, a realistic view of risk, and a sensible uplift plan rather than a long list of ‘to-dos’.

  • Practical incident response exercises that test how things work under pressure and result in concrete improvements.

Please contact us if you have any questions or would like assistance.

Comment

What’s next for Australian privacy regulation – Reflections on PAW 2025

Comment

What’s next for Australian privacy regulation – Reflections on PAW 2025

By Chong Shao

On Monday, 16 June 2025, IIS joined other IAPP members in Sydney for the launch of Privacy Awareness Week. Together we heard an address from, and fireside conversation with, Privacy Commissioner Carly Kind.

The past 12 months have been eventful for Commissioner Kind and the Office of the Australian Information Commissioner (OAIC). Here are some highlights:

At the Sydney PAW launch, Commissioner Kind gave further remarks about her office’s regulatory approach, given the current technological landscape and the uncertain timeframe of further privacy legislative reform.

This post summarises the key themes from those remarks, along with some practical takeaways to help you navigate both privacy compliance and good practice today.

1. The Commissioner takes a holistic view of privacy that emphasises organisational accountability and power imbalances

Throughout her remarks, Commissioner Kind highlighted the need for a broader conception of privacy than simply the protection of personal information.

This broader notion of privacy – autonomy to make decisions, free from interference and intrusion – is more important than ever in a world that is marked by technology that is always-on, collects data passively, subtly conditions our thoughts and behaviours, and removes friction from all manner of experiences.

Commissioner Kind noted that the problem is not that people aren’t aware of the importance of privacy these days, but that they feel helpless, fatalistic and disempowered. In pushing back against overreliance on individual responsibility for privacy, she memorably invoked a climate change analogy – ‘privacy settings are the plastic straws of the privacy world’.

Instead, Commissioner Kind wants entities to take accountability for doing the right thing in the first place, and for various groups and associations in our society to leverage their power as a counterbalance and advocate for more privacy-friendly approaches.

She noted that the scale of technological impact is a novel problem in our era, and that this informs her thinking with respect to regulatory priorities. In particular, she foreshadowed that her office will be looking at spaces where there are power disparities between individuals and organisations. As examples, she listed credit reporting, data brokerage and emerging technologies (such as AI and biometrics).

Practical takeaways:

  • Take accountability as an organisation to embed privacy into your culture and practice:

    • Set privacy culture from the top through strong messaging and financial investment in privacy; and

    • Limit over-collection of data and destroy what you don’t need.

  • Undertake a privacy review to identify potential gaps and opportunities to improve practice.

2. The Commissioner is committed to using the full toolkit of her regulatory powers

On the topic of enforcement, Commissioner Kind gave some additional thoughts on the powers now available to her office.

She noted that the power to issue infringement notices is limited to a relatively narrow set of APPs (e.g., Privacy Policy deficiencies, failure to offer direct marketing opt-out). However, it could potentially be used as part of a ‘compliance scan’ of a particular sector or market in relation to those privacy practices. This is similar to what the Australian Competition and Consumer Commission (ACCC) and the UK’s Information Commissioner’s Office (ICO) have done in the past.

Commissioner Kind reiterated that her office will prioritise enforcement action for violations that are persistent, egregious and/or manifest in real-life harms, as well as in places where intervention is likely to change market practices or help clarify aspects of policy or law.

She flagged that her office will be conducting more investigations and making more determinations this year, as well as taking more enforcement actions in a similar vein to the recent Australian Clinical Labs (ACL) and Medibank cases.

In response to an audience member question about what more can be done to get the C-suite to appreciate the importance of privacy, Commissioner Kind recognised the power of fines to highlight the risk of not taking sufficient action. She remarked matter-of-factly that her office is seeking to extract the largest fines possible.

Practical takeaways:

  • Review your Privacy Policy to ensure it is compliant, up-to-date and fit for purpose.

  • Revisit your organisation’s privacy risk appetite and posture (including raising this at the Board level), in light of the large fines now available under the Privacy Act and the OAIC’s more proactive enforcement stance.

3. The Commissioner recognises the importance of regulatory certainty and is willing to go to court to obtain it

One of the more interesting threads was what Commissioner Kind thought about her office’s role in providing regulatory certainty. She recognised that regulatory certainty is important because it helps entities know how to comply with the law and to innovate confidently.

Compliance can be challenging without guidance, examples and ultimately court cases that provide a firm interpretation and application of the law.

To this end, Commissioner Kind indicated that she not only wants to develop clear guidance and make regulatory decisions, but she also wants to actively pursue court cases (including inviting challenges to her investigations and determinations) that will either endorse or repudiate the OAIC’s position.

In taking this approach, it appears that she considers court cases to be a ‘win-win’ scenario – even if the court rejects the OAIC’s interpretation, this still moves the ball forward in terms of clarifying the law for everyone.

Commissioner Kind pointed to current cases on foot in the Federal Court (ACL, Medibank) that could bring more clarity on what is considered reasonable security steps under APP 11.1.

She also flagged other areas where regulatory and judicial interpretation is desirable:

  • Definition of personal information and what is ‘de-identification’ – especially in the relatively unchecked practices of data tracking and profiling where she is keen to establish clearer ‘red lines’ for that industry.

  • Definition of ‘reasonable expectations’ in the context of APP 6.2, which permits the use or disclosure of personal information for a secondary purpose where it is related to the primary purpose of collection, and it is reasonably expected by the individual.

Practical takeaways:

  • Keep watching this space for potential clarifications and (re-)interpretations of the current law, especially during a time when privacy law reforms are on a slow burn. [1]

4. The Commissioner is interested in fresh interpretations of current principles in the Privacy Act to keep pace with today’s privacy challenges

Speaking of the current law, the most significant insights from Commissioner Kind came when she was reflecting on how to make the most of the Privacy Act that we have, given the slow pace of legislative reform.

Commissioner Kind noted that many of the terms in the Act and the APPs are flexible in nature. She considered that they should be subject to a ‘purposive interpretation’ to keep pace with modern privacy risks and harms.

The key examples she gave come from APP 3, the collection principle:

  • APPs 3.1 (for agencies) and 3.2 (for organisations) posit that collection must be reasonably necessary for the entity’s functions or activities

  • APP 3.5 states that collection must take place via lawful and fair means.

Commissioner Kind noted that the language of ‘reasonably necessary’ and ‘lawful and fair’ approximate the ‘fair and reasonable’ test that has been proposed by the Privacy Act Review.

To consider what is reasonably necessary is to engage in an exercise of gauging reasonableness, proportionality and necessity. To consider what is fair is to incorporate notions of community values that evolve over time and adapt to changing circumstances.

Commissioner Kind gave an example of what (un)fairness could look like in the digital era – the scraping of publicly available information, bringing it together for profiling, and supporting predatory business practices. Assessing fairness should extend beyond the technical means of collection and extend to the purposes for which the collection takes place.

The Commissioner’s views cut against a legalistic and ‘minimum compliance’ reading of the current Privacy Act. Instead, she has laid down the challenge for organisations to take a ‘commonsense’ and proportionate approach to personal information collection and handling.

Practical takeaways:

  • Use commonsense and apply the ‘pub test’ to assess whether a proposed collection of personal information is reasonably necessary and fair.

  • With any personal information handling activity, ask ‘should we do this’ and not just ‘can we do this’.

  • Map how personal information collection leads to downstream uses and disclosures.

If you have any questions on the Privacy Act and its impact on your organisation, or would like assistance with any of the practical takeaways, please contact us. You can also subscribe to our newsletter to receive updates on the latest privacy developments, including law reform changes, further guidance and new interpretations.

[1] Asked about the status of the Tranche 2 reforms, Commissioner Kind observed that the timing was a matter for the Attorney-General’s Department. She did note that she had met with the new Attorney-General, the Hon Michelle Rowland MP, and was encouraged by her background and interest in privacy and digital regulation.

Comment

Key takeaways from the Privacy Amendment Bill 2024

Comment

Key takeaways from the Privacy Amendment Bill 2024

By Chong Shao

The Australian Government has introduced the Privacy and Other Legislation Amendment Bill 2024, as part of the first tranche of its long-awaited response to the Privacy Act Review. We knew that progress would be measured in years, and so far this is proving out.

The headline changes touted by the government include:

  • A new statutory tort to address serious invasions of privacy.

  • Development of a Children’s Online Privacy Code to better protect children from online harms (accompanied by further funding to support the OAIC in development the code).

  • Greater transparency for individuals regarding automated decisions that affect them.

  • Streamlined and protected sharing of personal information (PI) in situations of a declared emergency or eligible data breach.

  • Stronger enforcement powers for the Australian Information Commissioner.

  • A new criminal offence to outlaw doxxing (i.e., the malicious release of personal data online that could enable individuals to be identified, contacted, or located).

For many, these reforms are modest and therefore disappointing, given the scope and duration of the Privacy Act Review.

Notably missing from the Bill is:

  • Any update to the definition of Pl.

  • Inclusion in the Bill of the four elements along EU GDPR lines that make a consent valid.

  • The introduction of a ‘fair and reasonable test’ for the handling of PI.

  • A requirement for APP entities to conduct a Privacy Impact Assessment for activities with high privacy risks.

  • The right for individuals to request erasure of their PI.

Also missing is one of the more contentious recommendations, the gradual removal of the small business exemption.

On the other hand, the changes represent a moderate progression from the status quo, which needs to be monitored closely and will likely have bigger implications over time.

Some key takeaways:

1. Privacy as a major intersection point

The Bill confirms that privacy sits at the intersection of the major technological and societal issues of our time.

For example:

  • The statutory tort introduces a cause of action for individuals against another person or organisation where there is a serious invasion of privacy – organisations should be aware of this provision (no small business exemption here!); although it should not be an issue if they are focused on “doing the right thing”.

  • A Children’s Online Privacy Code will be developed alongside other initiatives in the online safety space, including Online Safety Codes and the eSafety Commissioner’s research and work on age assurance.

  • Greater transparency regarding automated decision-making comes as part of a broader push by the government around promoting safe and responsible AI.

  • The streamlining of PI sharing in emergency and eligible data breach scenarios is a welcome move but will have to be considered alongside notification requirements in other laws and schemes such as the Security of Critical Infrastructure Act 2018, Data Availability and Transparency Act 2022, and APRA’s Prudential Standard CPS 234 Information Security.

The Bill is a microcosm of the complex privacy, cyber security, and digital regulatory landscape that is taking shape in Australia. The picture is getting (understandably!) complicated, and the Bill contributes to this.

2. Enforcement will matter more

The government’s touting of ‘stronger enforcement powers’ for the Australian Information Commissioner is a bigger deal than it appears on the surface.

On closer inspection, the Bill provides a series of changes that enable more flexible and effective enforcement of the Privacy Act:

  • A civil penalty provision for interference with privacy of individuals (not just ‘serious’ interference).

  • Separately, the civil penalty for serious interference with privacy of individuals is retained, with better elaboration of factors that may be considered in determining if the interference is serious.

  • The Commissioner may seek civil penalty orders and issue infringement notices for breaches of certain Privacy Act provisions and certain Australian Privacy Principles (APPs).

  • Additional monitoring and investigation powers.

One of the biggest issues with compliance and enforcement of the Privacy Act has been the relative lack of flexibility with the existing law, where there is a (recently strengthened) civil penalty provision for ‘serious and repeated interferences with privacy’. OAIC enforcement actions have been few and far between, typically reserved for ‘high profile’ cases such as Meta (Facebook), Medibank, and Australian Clinical Labs.

These changes to the Privacy Act, especially in relation to civil penalty orders and infringement notices, provide the OAIC with a bigger ‘toolkit’ to enforce breaches of the Privacy Act and the APPs.

Privacy Commissioner Carly Kind, in a Privacy Awareness Week Sydney event earlier this year, spoke of the ‘exciting opportunity for the OAIC to become a more enforcement-based regulator’. During the Q&A, she noted that for the first time in a decade there are three dedicated commissioners, and that they would be thinking a lot more about how to conduct proactive and proportionate enforcement.

This was confirmed by the OAIC’s Corporate plan 2024-25, which commits the OAIC to a ‘risk-based, education and enforcement-focused’ posture.

The true effectiveness of the regulator will depend on the extent to which it is sufficiently resourced. We have been advocating for greater funding for the OAIC for over a decade in speeches, forums and submissions. We eagerly await the next budget to see if the government will put its money where its mouth is and that they are indeed serious about ‘ensuring the Privacy Act works for all Australians and is fit for purpose in the digital age’.

Nevertheless, the Bill and the OAIC’s recently publicised posture demonstrate a clear intent and capability for the regulator to conduct more enforcement. Organisations should take note.

3. Keep sticking to the basics

The Privacy Act Review was flagged five years ago, as part of the ACCC’s 2019 Digital platforms inquiry. In the meantime, organisations are facing an increasingly challenging environment:

  • Cyber security incidents (including data breaches and the sophistication of bad actors) continue to increase in size and scale.

  • The growing data economy and technologies like AI heighten business pressures to collect and use personal information, while exposing organisations to greater data governance risks.

  • Australians care more than ever about privacy – according to the OAIC’s Australian Community Attitudes to Privacy Survey 2023, 82% of respondents care enough about protecting their PI to do something about it, and 84% want more control and choice over the collection and use of their PI.

It has been a slow and winding journey to reach the first tranche of changes to the Privacy Act. 

Our key takeaway is not to get over-excited, nor complacent. Not over-excited, because in many ways these are modest changes that will take time to realise their full effects. Not complacent, because the Bill heralds a new era of enforcement for the OAIC, including compliance with the existing Privacy Act and its APPs.

Instead, we think it is best to keep calm and stick to the basics. This means:

  • Assess your privacy practices against the existing APPs with a focus on Pl collection and handling practices and ensure you are taking ‘reasonable steps’ (including technical and organisational measures) in securing and protecting personal information. [1]

  • Know what PI (including sensitive information) you have now, where it is, whether you should still have it and the ways in which you are using it.

  • Assess cyber security risks and controls and consider certification against relevant standards.

  • Establish an improvement and remediation plan based on the findings of points 1, 2 and 3.

Putting the foundations in place now will give you a simpler path to compliance and good practice for both the current legislative requirements and the new requirements to come, including whatever Tranche Two will bring.

IIS can help

IIS and our subsidiary TrustWorks 360 can help you:

  • Navigate the complexity of the privacy, cyber security, and digital regulatory landscape.

  • Get the basics right and help you comply with current and incoming requirements, to satisfy customer expectations and to avoid regulator scrutiny and enforcement.

  • Move beyond compliance to performance and resilience that builds trust and achieves business objectives in a fast-changing world.

Why? Because as we have said at IIS for two decades, “It is just good business.”

Please contact us if you have any questions about the Privacy Act reforms and how it may affect your organisation. You can also subscribe to receive regular updates from us about key developments in the privacy and security space.

[1] In a separate interview, Commissioner Kind discussed the OAIC’s enforcement action against Medibank, for activities leading up to the data breach. The OAIC is making the case that Medibank didn’t take ‘reasonable steps’ to protect the personal information they collected and held. Reasonable steps are described as:

  • State of the art security

  • Good governance

  • Organisational responsibilities.

Comment