
Information Sheet (Private Sector) 6 - 2001: Security and Personal Information



National Privacy Principle (NPP) 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Data security is an important way of ensuring that personal information is only used for permissible purposes. In general, personal information should be treated as confidential and sensitive information as highly confidential.

The key to effective compliance with NPP 4 is developing an organisational culture that respects privacy. Organisations need to ensure that management and staff have a good understanding of their responsibilities in protecting personal information from misuse, loss, corruption or disclosure.

Tip for compliance

One way to promote a respect for privacy would be to develop a security policy. A security policy would cover all organisational systems used for processing, storing or transmitting personal information. The security risks faced by the organisation could be assessed in the development of the policy, and then cost-effective measures devised to reduce the risks to acceptable levels. To be effective, a security policy would need to be monitored and periodically reviewed. Staff and management would need to be made aware of the protective security policies and how to implement them.

Reasonable steps

In deciding what are reasonable steps to ensure data security there are several factors to consider. What is reasonable depends on the circumstances in which personal information is held. The sensitivity of the personal information being stored is an important factor, and higher levels of security could be expected for sensitive information. The costs of any security systems also need to be considered in relation to the risks faced by the organisation. For an organisation holding non-sensitive information, with a low risk of unauthorised access and little likelihood of serious consequences to the individual, basic security measures may be adequate. However, for a large organisation holding vast amounts of personal information, where improper access could cause significant detriment, higher levels of security may be expected.

Tip for compliance

Particularly for larger organisations, or organisations where a security breach would carry high risk, it is worth considering compliance with relevant Standards Australia (AS/NZS) and International Organization for Standardization (ISO) standards, including:

  • AS/NZS ISO/IEC 17799:2001 Information technology - Code of practice for information security management
  • AS/NZS 7799.2:2000 (previously known as 4444.2) Information security management - Specification for information security management systems
  • HB 231:2000 Information security risk management guidelines
  • HB 248-2001 Organisational experiences in implementing information security management systems
  • AS 4400-1995 Personal privacy protection in health care information systems
  • AS/NZS 4360:1999 Risk management
  • HB 139(Int):1999 Step by Step Guidance on Integrating Management Systems - Health and Safety, Environment, Quality
  • AS 4590-1999 Interchange of client information
  • AS 4390 (Set) Records management
  • BS 7799 Information security management (the British Standard from which ISO/IEC 17799 was derived)
  • Internet Engineering Task Force (IETF) RFC 2196, Site Security Handbook.

Aspects of security to consider

The range of security measures to consider covers physical security, computer and network security, communications security and personnel security.

Physical security

Information may be stored in a range of paper based and electronic forms. Physical security measures prevent unauthorised access to information and are relevant to all forms of storage.

Tips for compliance

Physical measures could include:

• barriers such as locks;
• security keys and containers such as filing cabinets, safes and compactuses;
• security alarm systems to detect unauthorised access; and
• access control measures.

These may be complemented by procedural measures such as:

• recording file movements, especially if files are sent to different offices;
• encouraging a clean desk policy;
• storing all files after use; and
• a security classification system to identify information needing special protection.

Computer and network security

Information technology systems have the potential to increase the risk of unauthorised disclosure of personal information. Organisations need to assess their security risks and take appropriate measures to protect the integrity of their information systems and networks. Risk assessments could cover information systems for storing, processing and transmitting information. The appropriate protective measures will depend on the circumstances and risks involved.

Tips for compliance

Depending on the organisation's risk profile, measures could include:

• access control for authorised users, such as user passwords, screen saver passwords and limiting access to shared network drives to authorised staff;
• virus checking;
• IT support to deal with security risks; and
• auditing procedures and data integrity checks.

Data security tools representing good practice include audit trails, which record who accessed or changed personal information and when, and digital signatures, which authenticate authorship and make any unauthorised modification detectable when the record is verified.
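The following is an added example, not part of the information sheet, of the audit trail and integrity checking described above: each audit entry carries a keyed tag computed over its own fields and the previous entry's tag, so editing, reordering or deleting a record breaks verification from that point on. The record layout, the key and the sample events are constructed for illustration. HMAC from the Python standard library stands in for the digital signature the sheet mentions; it detects unauthorised modification in the same way, but because verification needs the shared key it does not prove authorship to an outside party as a signature would.

```python
"""Tamper-evident audit trail using a hash chain of HMAC tags.

Added example; not from the information sheet. The record layout, the
key and the sample events are constructed for illustration. HMAC stands
in for a digital signature: same modification detection, but only a
holder of the shared key can verify it.
"""
import hashlib
import hmac
import json
from typing import List, Optional, Tuple

GENESIS_TAG = "0" * 64   # stands in for the tag of the entry "before" the first one


def _tag(key: bytes, prev_tag: str, fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so an entry always serialises identically.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev_tag.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, **fields) -> dict:
    """Append an event; its tag commits to every earlier entry through prev_tag."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    entry = {"seq": len(log), **fields}
    entry["tag"] = _tag(key, prev_tag, entry)   # entry has no "tag" key yet at this point
    log.append(entry)
    return entry


def verify_log(log: List[dict], key: bytes) -> Tuple[bool, Optional[int]]:
    """Recompute every tag from GENESIS_TAG. Returns (ok, seq of the first bad entry)."""
    prev_tag = GENESIS_TAG
    for expected_seq, entry in enumerate(log):
        fields = {k: v for k, v in entry.items() if k != "tag"}
        if fields.get("seq") != expected_seq:        # an entry was removed or reordered
            return False, expected_seq
        if not hmac.compare_digest(_tag(key, prev_tag, fields), entry["tag"]):
            return False, expected_seq               # contents or chain were altered
        prev_tag = entry["tag"]
    return True, None


def demo() -> dict:
    key = b"audit-hmac-key-kept-in-a-secret-store"   # constructed; keep the real key off the log host
    log: List[dict] = []
    append_entry(log, key, user="jsmith", action="view", record="client/1042")
    append_entry(log, key, user="jsmith", action="export", record="client/1042")
    append_entry(log, key, user="admin", action="grant", record="share/finance")
    intact = verify_log(log, key)

    edited = [dict(e) for e in log]
    edited[1]["action"] = "view"          # an insider rewrites the export as a harmless view
    tampered = verify_log(edited, key)

    dropped = log[:1] + log[2:]           # the same entry is deleted outright
    truncated = verify_log(dropped, key)

    return {"intact": intact, "edited": tampered, "deleted": truncated}


if __name__ == "__main__":
    print(demo())
```

The chain cannot detect removal of the most recent entries, since nothing after them commits to their tags; in practice the latest tag is periodically copied to a place the log writer cannot alter (a separate system or a printed register), and the key is held away from the host that writes the log.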

Communications security

As many computing systems make use of telecommunications networks, the security of computing and of communications are increasingly interrelated. There are two kinds of communication risk to consider: interception of transmissions and unauthorised intrusion into networks.

Transmission of information may involve insecure telecommunications lines that are vulnerable to interception.

Tips for compliance

Where appropriate, protection of personal information could include:

• checking facsimile numbers before sending personal information, and confirming receipt;
• PINs and passwords for some telephone transmissions, for example, telephone banking services;
• checking identity before giving out personal information over the telephone; and
• encryption of data for high risk transmissions.

Good practice computer and network security would combine technical controls, such as firewalls, routers, network and host intrusion detection systems and appropriate encryption, with expert monitoring of what those controls report.

Unauthorised intrusion into computer networks not only jeopardises the confidentiality of information, it also threatens network integrity by allowing data to be corrupted. Connections to public networks are often useful and convenient, but they can create a route for 'hackers' to intrude into an organisation's information system.

What are considered 'reasonable steps' will depend on the particular circumstances of the organisation and the information it holds.

Personnel security

Personnel security refers to limiting access to personal information to authorised staff only. Organisations could also ensure that those who do have access respect the organisation's culture of privacy. In general, personal information should only be accessed by those people who 'need-to-know', that is, they need it to carry out their duties.

Tips for compliance

• Training staff and management in security awareness, practices and procedures.
• Developing policies on who can access and use particular categories of information.
• Specifying and reviewing access privileges for shared computer drives containing personal information.

Destruction and de-identification

NPP 4.2 requires an organisation that no longer needs to hold personal information for any purpose to take reasonable steps to destroy or permanently de-identify the information. A legal requirement to retain the personal information is considered to be a purpose to continue holding it.

What are considered 'reasonable steps' in destruction or de-identification of the information will depend on the circumstances. For example, if a small organisation holds non-sensitive personal information in secure storage, at low risk to the individual, it may be sufficient to destroy the information only as the organisation becomes aware of it in the normal course of its activities. For other organisations with higher risks and adequate resources it may be more appropriate to develop procedures that include criteria for retaining, destroying or de-identifying personal information. Periodic audits could then be conducted and old information destroyed or de-identified according to specified procedures.

Destruction

To protect individuals' privacy rights, destruction needs to occur by secure means. Garbage disposal of intact documents leaves personal information extremely vulnerable to unauthorised access and misuse. This method of disposal should generally be avoided. Electronic records that are no longer needed should be deleted. However, it is very difficult to reliably remove all traces of electronically stored information. Organisations need to be aware that 'deleting' a file may only remove the directory entry that references it, leaving the data itself on the medium until that space happens to be overwritten.

Tips for compliance

Secure disposal of paper-based records could include:

• shredding, pulping or disintegration of paper files; or
• contracting an authorised disposal company for secure disposal.

Secure disposal of electronic records could include:

• overwriting records before they are deleted; or
• for very sensitive information at high risk, degaussing of magnetic media might be considered (demagnetisation of the medium with a strong alternating magnetic field, which also leaves disks and tapes unusable; it does not erase non-magnetic media such as optical discs or solid-state memory).

Good practice could also include the deletion of back-up files.
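As an added example, not part of the information sheet, the routine below implements the 'overwrite before deleting' tip: it rewrites every byte of a file, forces the writes out of the operating system cache, and only then unlinks it. The file name, contents and number of passes are constructed for the demonstration. The caveat a practitioner needs is that overwriting in place is only effective where the filesystem actually writes the new bytes over the old ones; journaling, copy-on-write or snapshotted filesystems and flash-based (SSD) storage commonly put the new data elsewhere, so for those media full-disk encryption with key destruction, or physical destruction, is the dependable route.

```python
"""Overwrite a file's contents in place, flush to the device, then delete it.

Added example; not from the information sheet. File name, contents and
pass count are constructed. Effective on conventional filesystems on
magnetic disk; not a reliable erase on copy-on-write, journaling or
snapshotted filesystems or on SSD/flash media.
"""
import os
import secrets
import tempfile
from pathlib import Path

CHUNK = 64 * 1024   # write in chunks so large files do not need to fit in memory


def overwrite_and_delete(path, passes: int = 2) -> int:
    """Overwrite every byte of `path` `passes` times (random data, then zeros
    on the final pass), fsync after each pass, then unlink. Returns bytes overwritten."""
    path = Path(path)
    if path.is_symlink():
        raise ValueError(f"refusing to follow symlink {path}")   # never clobber the link target by accident
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for p in range(passes):
            fh.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                fh.write(b"\x00" * n if p == passes - 1 else secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())   # push this pass out of the page cache before the next one
    os.unlink(path)
    return size * passes


def demo() -> dict:
    """Create a sample client export in a temporary directory, then securely remove it."""
    tmpdir = tempfile.mkdtemp()
    target = Path(tmpdir) / "client-export.csv"
    sample = b"id,name,address\n1042,J Smith,1 Example St\n" * 500   # constructed sample data
    target.write_bytes(sample)
    size = target.stat().st_size
    written = overwrite_and_delete(target, passes=2)
    os.rmdir(tmpdir)
    return {"size": size, "written": written, "exists": target.exists()}


if __name__ == "__main__":
    print(demo())
```

The symlink check matters on shared systems: a user who can plant a link where the export will be written could otherwise have the routine overwrite a file they do not own. The same limitation applies to back-up copies mentioned above, which the routine does not reach.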

De-identification

Permanently de-identifying information means removing from the record any information by which an individual may be identified. Simply removing the name and address may not be sufficient to de-identify the information. Permanent de-identification also means that an organisation is not able to match the de-identified information with other records to re-establish the identity of individuals.

Tips for compliance

The test for whether information is identifiable is whether the identity of the individual is apparent, or may reasonably be ascertained, from the information using the definition of 'personal information' in section 6 of the Privacy Act.

A de-identification procedure would not be complete if, from the resulting information, the identity of an individual could be reasonably ascertained. Reasonable steps to de-identify information may include:

• considering the capacity of the organisation to re-identify the information;
• careful consideration of the identifying nature of every aspect of the information; and
• setting up safeguards that ensure that future collection or uses will not re-identify the information. An organisation may need to include in contractual arrangements with a receiving organisation that the receiving organisation will not re-identify the information.
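The following is an added example, not part of the information sheet, of why removing name and address is not enough and how an organisation can check its own capacity to re-identify. The six records, the choice of postcode, date of birth and sex as the remaining identifying fields, and the generalisation ladders (postcode to its first digits, date of birth to month, year or decade) are constructed for the demonstration. It first shows that every stripped record can still be linked back to a name through those fields, then coarsens them just enough that each combination is shared by at least k records.

```python
"""Checking and repairing a de-identification that only removed name and address.

Added example; not from the information sheet. Records, field choices
and generalisation ladders are constructed for the demonstration.
"""
import itertools
from collections import Counter
from typing import Dict, List, Tuple

QUASI = ("postcode", "dob", "sex")   # fields that identify in combination even without a name

RECORDS = [   # constructed sample; 'name' and 'address' are the direct identifiers
    {"name": "A Jones", "address": "1 Example St", "postcode": "2000", "dob": "1980-03-14", "sex": "F", "diagnosis": "asthma"},
    {"name": "B Kaur", "address": "2 Example St", "postcode": "2000", "dob": "1980-11-02", "sex": "F", "diagnosis": "none"},
    {"name": "C Lee", "address": "3 Example St", "postcode": "2001", "dob": "1975-07-30", "sex": "M", "diagnosis": "diabetes"},
    {"name": "D Ng", "address": "4 Example St", "postcode": "2004", "dob": "1975-01-19", "sex": "M", "diagnosis": "none"},
    {"name": "E Obi", "address": "5 Example St", "postcode": "2010", "dob": "1992-05-05", "sex": "F", "diagnosis": "none"},
    {"name": "F Park", "address": "6 Example St", "postcode": "2011", "dob": "1992-09-21", "sex": "F", "diagnosis": "asthma"},
]


def strip_direct_identifiers(records: List[dict]) -> List[dict]:
    """The naive step: drop name and address and nothing else."""
    return [{k: v for k, v in r.items() if k not in ("name", "address")} for r in records]


def class_sizes(records: List[dict], quasi=QUASI) -> Counter:
    """How many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def singled_out(records: List[dict], quasi=QUASI) -> int:
    """Records whose quasi-identifier combination is unique in the set."""
    sizes = class_sizes(records, quasi)
    return sum(1 for r in records if sizes[tuple(r[q] for q in quasi)] == 1)


def link_back(row: dict, full_records: List[dict], quasi=QUASI) -> List[str]:
    """Names in the organisation's own file matching a 'de-identified' row on its
    quasi-identifiers; a single match means the row is still personal information."""
    return [r["name"] for r in full_records if all(r[q] == row[q] for q in quasi)]


# Generalisation ladders, finest first. Level 0 leaves the value unchanged.
GENERALISERS = {
    "postcode": [lambda v: v, lambda v: v[:3] + "*", lambda v: v[:2] + "**"],
    "dob": [lambda v: v, lambda v: v[:7], lambda v: v[:4], lambda v: v[:3] + "0s"],
    "sex": [lambda v: v, lambda v: "*"],
}


def generalise(records: List[dict], level: Dict[str, int]) -> List[dict]:
    out = []
    for r in records:
        g = dict(r)
        for q, lvl in level.items():
            g[q] = GENERALISERS[q][lvl](r[q])
        out.append(g)
    return out


def k_anonymise(records: List[dict], k: int, quasi=QUASI) -> Tuple[List[dict], Dict[str, int]]:
    """Try ladder combinations from least to most generalised; return the first
    where every quasi-identifier combination is shared by at least k records."""
    ladders = [range(len(GENERALISERS[q])) for q in quasi]
    for combo in sorted(itertools.product(*ladders), key=sum):
        level = dict(zip(quasi, combo))
        gen = generalise(records, level)
        if min(class_sizes(gen, quasi).values()) >= k:
            return gen, level
    raise ValueError(f"no generalisation in the ladders reaches k={k}; suppress or aggregate instead")


if __name__ == "__main__":
    stripped = strip_direct_identifiers(RECORDS)
    print("still unique after removing name/address:", singled_out(stripped), "of", len(stripped))
    print("first stripped row links back to:", link_back(stripped[0], RECORDS))
    gen, level = k_anonymise(stripped, k=2)
    print("generalisation applied:", level)
    for row in gen:
        print(row)
```

The ValueError path is the honest outcome for small sets: when the ladders run out before every group reaches k, the remaining records have to be suppressed or reported only in aggregate, not released with a note that the names were removed.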

About Information Sheets

Information sheets are advisory only and are not legally binding. (The NPPs in Schedule 3 of the Privacy Act 1988 (Cth) (the Privacy Act) do legally bind organisations.)

Information sheets are based on the Office's understanding of how the Privacy Act works. They provide explanations of some of the terms used in the NPPs and good practice or compliance tips. They are intended to help organisations apply the NPPs in ordinary circumstances. Organisations may need to seek separate legal advice on the application of the Privacy Act to their particular situation.

Nothing in an information sheet limits the Privacy Commissioner's freedom to investigate complaints under the Privacy Act or to apply the NPPs in the way that seems most appropriate to the facts of the case being dealt with.

Organisations may also wish to consult the Commissioner's guidelines and other information sheets.

Office of the Privacy Commissioner ISBN 1-877079-28-6 Privacy Hotline 1300 363 992 (local call charge)