white_paper_on_data_protection_in_india_171127_final_v2
person who processes personal information for a responsible party on the basis of a contract)
processes personal data, such operator is also bound to establish and maintain adequate
security measures. 695
Finally, in the event that the responsible party believes that the personal data of an individual
has been accessed or acquired by an unauthorised party, then the responsible party must
inform the Information Regulator. The responsible party must also notify the individual as
soon as reasonably possible after the discovery of the data breach, and also take steps to
restore the integrity of the responsible party's information system. 696
Australia
Although the Privacy Act does not have a specific provision relating to accountability
principle, the Privacy Act addresses this topic by way of the APPs under the said Act. For
instance, APP 1 mandates open and transparent management of personal information. As per
this principle, an APP entity must take reasonable steps to ensure the implementation of
privacy practices and systems within the entity, which would ensure compliance with other
data protection obligations under the Privacy Act. 697 Additionally, the said principles also
provide that any entity holding personal information relating to an individual, must also take
reasonable steps to protect this information from misuse, interference, loss, unauthorised
access, modification or disclosure. 698
Entities which come under the scope of the Privacy Act also have an additional obligation to
destroy or de-identify personal information which is no longer required by an entity for any
purpose. 699 The Privacy Act additionally mandates certain obligations on entities transferring
personal information to overseas recipients. APP 8 provides that these entities must take
reasonable steps to ensure that cross-border transfers do not breach any of the obligations set
out under the Privacy Act and the APPs. 700 A breach of a privacy principle is said to occur
when any activity of an entity is contrary to or inconsistent with the provisions set out under
any of the APPs. 701
Further, the OAIC has issued a "Guide to securing personal information", which provides
some guidance as to the reasonable steps which entities are required to take in order to protect
personal information in their control from misuse, interference, loss, unauthorised access,
modification or disclosure. It also provides guidance on the reasonable steps which entities
695 Section 21(1), POPI Act.
696 Section 22, POPI Act.
697 APP 1, Privacy Act.
698 APP 11, Privacy Act.
699 APP 11, Privacy Act.
700 APP 8, Privacy Act.
701 Section 6A, Privacy Act.