Australian Privacy Principle 11, or APP11, is a set of guidelines built around data privacy and document governance. Its primary goal is to establish frameworks for protecting customers’ personal information — and that’s particularly relevant in financial services, where such data is both a necessary tool for daily operations and a potential security risk. On top of that, APP11 overlaps with many other rules from Australian regulators, particularly those related to protecting digital information and reporting breaches.

Let’s take a closer look at APP11, from its definitions and key terms to tips for ongoing compliance.

Defining APP11

APP11 is part of the Australian Privacy Principles, the overarching set of regulations intended to prevent acts and practices that impact individual privacy. The Office of the Australian Information Commissioner (OAIC) interprets, oversees and enforces these rules, exercising functions and powers to ensure relevant entities act in accordance with the APPs in different contexts. 

It’s important to note that the APP guidelines, including APP11, are “not legally binding and do not constitute legal advice about how an entity should comply with the APPs in particular circumstances.” The APPs themselves, however, are principles-based laws and a core part of the Privacy Act 1988. This means they are legally enforceable, and non-compliance can have serious consequences. The gap between binding principles and non-binding guidance can leave financial institutions with questions about how APP11 should shape their day-to-day processes.

Broadly speaking, APP11 states that an entity must:

  • Take reasonable steps to protect personal information from misuse, interference, loss, unauthorised access, modification and disclosure.
  • Take reasonable steps to destroy or de-identify information that is no longer needed for any purpose covered under the APPs.
  • Actively consider whether it’s permitted to retain personal information.

This applies to APP entities, defined as agencies or organisations. The latter may include an individual, body corporate, partnership, unincorporated association or trust. 

To put these basic principles into practice, it’s crucial to understand several key terms:

Personal Information

The exact nature of “personal information” differs between organisations. For financial institutions, this can refer to contact information, account numbers and confidential monetary details. This data can be either physical (such as hard copies, handwritten notes or even a printed email) or digital (such as cloud files and digital images).

Reasonable Steps

The definition of “reasonable steps” can differ depending on several factors:

  • The nature of the APP entity, including its size, resources, operational complexity and business model.
  • Amount and sensitivity of the personal information.
  • Possible adverse consequences resulting from a breach.
  • Practical implications of implementing security measures, including time and cost.
  • Whether a security measure is in itself privacy invasive. 

This means that reasonable steps can include a variety of governance, culture, training and process improvements — for example, improving both physical and digital security. APP entities must consider these steps at all stages of the information lifecycle.

Security Considerations

APP11 outlines expectations in six key areas:

  • Misuse refers to any utilisation not covered by the Privacy Act. 
  • Interference is an attack that touches but doesn’t necessarily modify personal information — for example, data exposure.
  • Loss specifically refers to accidental or inadvertent data loss, including as a result of theft or natural disasters; it does not cover intentional destruction or de-identification carried out in pursuance of APP11.
  • Unauthorised access occurs when a person without appropriate permission accesses personal information.
  • Unauthorised modification refers to alterations by any user without appropriate permission or in ways not permitted under the Privacy Act.
  • Unauthorised disclosure covers any release of personal information that isn’t compliant with the Privacy Act or enables unapproved third-party access.

Why APP11 Matters for Financial Institutions

It’s especially important for financial institutions to understand APP11 details. Here are just a few reasons why:

Compliance Considerations

Failing to comply with APP11 can have consequences beyond the requirements themselves. The OAIC actively enforces privacy regulations through various means, including conducting investigations, accepting enforceable undertakings from organisations, and initiating civil penalty proceedings in cases of serious breaches. Recent OAIC actions demonstrate their commitment to holding organisations accountable for protecting personal information, as in these examples:

  • Hacking: This 2015 case involved suspicious trades, market manipulation and money laundering by a suspected Russian hacker. The court ordered nearly $78,000 to be restrained and acts as a reminder of ASIC’s suspicious activity reporting rule — which, like APP11, demands constant vigilance, strong internal security and notification procedures, breach management and more. It’s crucial to note that penalties under the Privacy Act have significantly increased since this case. Currently, organisations can face fines of up to $2.5 million for individuals and $50 million for companies depending on the nature and severity of the violation.
  • Cybersecurity: In 2022 ASIC found that an AFSL holder failed to adequately manage cybersecurity risks related to thousands of clients’ sensitive personal information — an issue that could have been rectified in part with more stringent APP11 compliance. The court ordered the licensee to pay $750,000 toward ASIC’s costs.

The Notifiable Data Breaches (NDB) scheme, introduced in 2018, requires APP entities to notify the OAIC and affected individuals of eligible data breaches. The NDB scheme requires entities to assess breaches or suspected breaches to determine if they are likely to result in serious harm to individuals. This assessment considers factors like the type of information involved, sensitivity, and potential impact on affected individuals. If a notifiable data breach has occurred, organisations must notify the OAIC and affected individuals as soon as practicable, and within 30 days.

Challenges

For financial institutions, APP11 comes with a few key challenges:

  • Processes: By definition, financial organisations require large amounts of highly sensitive information, especially when providing personal advice. These processes are necessary, but they can also introduce APP11 risks.
  • Data utilisation: When you need multiple physical and digital copies in the course of everyday client service, it’s challenging to keep track of data in all its forms.
  • Data destruction: Many companies are unclear on data storage and destruction timelines. It’s essential to have clear policies and procedures for data retention, destruction and de-identification to comply with APP11 and minimise the risk of unauthorised access to outdated information.
  • Technology: It’s often expensive and time-consuming to find a system that assists with data management. At the same time, the increasing sophistication of cyber threats requires a robust cybersecurity strategy, including measures like strong encryption, multi-factor authentication, regular security assessments and incident response planning. Financial institutions must stay ahead of the curve to protect sensitive information from evolving threats.

Benefits

Fortunately, APP11 compliance also has numerous benefits. Beyond avoiding OAIC action, appropriate attention to data privacy and document governance helps lay the groundwork for other efforts — for example, following ASIC’s breach reporting requirements. You’ll also gain valuable insights and improvement opportunities by carefully considering:

  • How and why you collect data.
  • What data you collect in relation to which product or service.
  • How that data is secured in a storage system or application.

Ready to get started? Download our FREE tip sheet for guidance on APP11 compliance.

How MIntegrity Can Support Your APP11 Processes

Complying with APP11 means understanding your responsibilities at every stage of the data lifecycle — and that requires taking the right “reasonable steps” at the right times. Fortunately, MIntegrity can help.

As compliance and governance experts, we’re prepared to support your APP11 processes in ways that complement your existing resources. For example, if you have a compliance team in place, we’re here to help you get and stay on the right path; if you have limited or no in-house expertise, we can provide supplementary services at regular intervals. 

We can also tailor our support for your unique needs, especially your risk profile. The longer you keep data that should have been destroyed under APP11, the more likely you are to face increasingly serious repercussions — which is why we prioritise your highest-risk concerns and build our approach from there. Additionally, we help you focus your efforts on forward progress, as provable efforts to address data management concerns can potentially minimise regulatory outcomes.

Perhaps most importantly, we provide ongoing service in the form of audits, tests and even technology recommendations customised for your firm. We build lasting relationships with our clients, helping ensure long-term compliance with APP11 and more.

Case Study: AFSL Holder Gains Control of Its Data with MIntegrity

A client, a financial advisory firm, needed to improve its data management to comply with APP11. They lacked a clear picture of their data landscape, posing challenges for compliance and efficiency.

MIntegrity partnered with the Client to conduct a comprehensive data discovery and mapping exercise. This involved identifying all personal information held, mapping data flows, assessing security controls, and prioritising data for deletion based on risk and legal requirements.

Results:

  • Clearer Data Landscape: The Client gained a comprehensive understanding of their data, enabling better data governance and compliance with APP11.
  • Reduced Risk: Security vulnerabilities were identified and addressed, minimising the risk of data breaches.
  • Enhanced Efficiency: Streamlined data processes improved operational efficiency.
  • Increased Compliance: A robust data retention and destruction policy was implemented, ensuring compliance with legal obligations.

Simplify Compliance, Data Management and More

APP11 is a regulatory consideration that goes far beyond basic data protection, requiring financial institutions to consider cybersecurity, suspicious activity reporting, storage systems, documentation habits and more. 

While there’s much to review, the most important question is also the simplest: Are your privacy practices up to date and compliant?

MIntegrity can help with policies, procedures and reviewing compliance with privacy regulations. Contact us today to see how we can support your organisation.