APP 11 requires agencies to take reasonable steps to protect information from
interference, in addition to protection against misuse, loss, and from unauthorised
access, modification or disclosure.
Unlike IPP 4, APP 11 contains no obligation for an agency to protect information disclosed
to third parties providing services to the agency. The only equivalent provision under the
APPs is in APP 8, where an agency that discloses personal information to an overseas
recipient, must take reasonable steps to ensure that the overseas recipient does not
breach the APPs in relation to the information. APP 8 is discussed further under IPP 10
Under APP 11, agencies must take reasonable steps to de-identify or destroy personal
• it is no longer needed for any purpose for which the information may be used or
disclosed under the APPs
• the information is not contained in a Commonwealth record, and
• the agency is not required by or under an Australian law or a court/tribunal order,
retain the information.10
No such express obligation exists in the IPPs.