Privacy engineering – plan early! 

Information privacy activities continue to enjoy media attention. Recent articles – summarised below – highlight the need to ensure personal information is handled in line with both regulation and community expectations. At GWI, we advocate for the early planning of information privacy as a risk-based activity.

Firstly, personal information is more pervasive than some realise. In a recent ruling, the Office of the Australian Information Commissioner found that Cupid failed to take reasonable steps to ensure the security of personal information it held, and also failed to destroy or de-identify personal information after it was no longer needed.

Because Cupid did not ask users to verify their identities, it considered that some of the names and associated details it held were not personal information. The OAIC disputed this, and also found that some of the personal information would be considered sensitive information under the definition in the Commonwealth Privacy Act. In contrast, Cupid’s technical response to the breach was found to be appropriate. This case highlights the need to consider broader community expectations when it comes to personal information – it’s not just your organisation’s perspective that needs to be considered.

The management of legacy personal information has also been highlighted in recent press reports. A Melbourne medical centre was recently reported to have suffered a serious privacy breach in which sensitive health records were compromised after the shed they were stored in was broken into. As the Privacy Commissioner Timothy Pilgrim stated, it’s difficult to imagine circumstances in which storage of sensitive records in an insecure structure such as a garden shed would be considered appropriate.

Finally, not only is personal information turning up in more places and for longer, it’s being accessed in new ways. Mobile applications were the latest focus in Victoria, where the Victorian Privacy Commissioner raised concerns after a sweep of government-developed mobile applications found that few offered a privacy policy to users. A number of good-practice findings were also highlighted, including requiring users to accept a privacy statement after downloading an app before they can use it; child-focused apps requiring parents to complete a consent form before use; and a ‘report anonymously’ option integrated within crime-reporting apps. The privacy body will produce guidance for mobile applications towards the end of the year to help enhance mobile application privacy.

All of these examples highlight the need to consider privacy issues early in projects and business changes. Taking a privacy engineering approach, in which privacy assurance is the default mode of operation, should be at the forefront of business planning in the digital age.

At GWI, we can help your organisation to avoid the issues outlined above and the potential investigations by regulatory bodies that follow them.

Dr Vanessa Douglas-Savage

Consulting Director