Mr. Dale Sunderland:

The Senator raised a very important point indicating what good practice means. It would be a demonstration of how a data controller would meet its obligations. We in the Office of the Data Protection Commissioner do not necessarily set precise obligations because the law is principle based and there are general high-level obligations on data controllers. The onus is on each individual organisation to work out what systems, governance measures, protections and audit trails it needs to make sure it meets all its data-protection obligations. What the Senator is talking about is certainly an example of good practice, and we would certainly advocate that every organisation be able to demonstrate to us how it protects data and prevents unauthorised accessing of information by its employees where they have no grounds for doing so.