APF Policy Statement on Information Security

Organisations hold a great deal of personal data. All of it is at least to some degree sensitive, and some of it highly so. Inappropriate handling of personal data threatens, in various ways, the safety, wellbeing and peace of mind of the people it relates to. The primary privacy concerns are unauthorised use and disclosure of data; other issues include loss of data and threats to data integrity. Personal data needs the same level of care as financial information.

The privacy interest shares a great deal of common ground with organisations' own needs for protection of data of financial and competitive value, with commercial confidentiality, and with government and national sovereignty desires for the protection of sensitive data.

Information and Information Technology Security are well-established fields of professional endeavour, supported by a substantial array of products and services and a busy industry.

Organisations have moral and legal obligations to apply the available knowledge and to thereby ensure privacy protection. This applies to:

The following specific obligations exist, must be recognised by organisations throughout the public and private sectors, and must be enforced by regulatory agencies.

Security Governance

All organisations have obligations to:

Resources to guide and support these activities include:

Security Safeguards

All organisations have obligations to establish and maintain a sufficiently comprehensive set of information security safeguards in the following areas, commensurate with the sensitivity of the data:

Resources to guide and support the design and implementation of effective safeguards include:

Sanctions

All organisations, and individuals within organisations, must be subject to sanctions where they fail to fulfil their information security obligations.

Sanctions must exist, and must be applied, at all of the following levels: