5 – Security and offshore disclosure

Building upon the Government's Cyber Security Strategy 2020


The Discussion Paper has recommended that APP 11.1 be amended to set out:

  • that 'reasonable steps' include both technical and organisational measures; and
  • a list of factors that indicate what reasonable steps may be required.

This is not surprising, and effectively codifies existing OAIC guidance on what factors organisations should consider when protecting personal information. It also follows increased legislative and regulatory activity in this space.

In addition, however, the Government proposes to develop an APP code to specify minimum cybersecurity standards. This follows the Government's Cyber Security Strategy 2020, which committed to clarifying cybersecurity obligations for Australian businesses, including in the areas of privacy laws, consumer protection laws and corporate governance.

Offshore disclosure

The Discussion Paper proposes a number of changes to APP 8 which would facilitate greater ease and clarity around the requirements to transfer personal information overseas. Overall we expect such changes, if implemented, would be welcomed by organisations. Proposed changes include:

  • the introduction of a mechanism to prescribe countries and certification schemes under APP 8.2(a)1;
  • making available standard contractual clauses for transferring personal information overseas to facilitate overseas disclosures of personal information2;
  • removing the informed consent exception under APP 8.2(b). In practice, this exception was very difficult to rely on, and we do not expect its removal to have a substantial impact on an organisation's ability to transfer personal information overseas3;
  • strengthening the transparency requirements in relation to potential overseas disclosures to include the countries that personal information may be disclosed to, as well as the specific personal information that may be disclosed overseas in an entity’s privacy policy4;
  • introducing a definition of 'disclosure' to assist with determining the application of APP 8 to overseas transfers of personal information5; and
  • amending the Privacy Act to clarify the circumstances that would be relevant to determining 'reasonable steps' for the purposes of APP 8.1.6

Impact of the Notifiable Data Breaches Scheme

The Discussion Paper raised only one specific reform proposal in relation to the current notifiable data breach scheme. This would be to require organisations to set out in their statements to the OAIC the steps taken, or intended, in response to a data breach, including (where appropriate) steps to reduce any adverse effects on affected individuals.

This change aligns the scheme with the New Zealand approach and is designed to assist individuals (and the OAIC) in understanding how an organisation has dealt with an eligible data breach.


  1. Discussion Paper, 161.

  2. Discussion Paper, 162.

  3. Discussion Paper, 163.

  4. Discussion Paper, 163.

  5. Discussion Paper, 165.

  6. Discussion Paper, 165.