Information privacy activities continue to enjoy media attention. Recent articles – summarised below – highlight the need to ensure personal information is handled both within regulation and community expectations. At GWI, we advocate for the early planning of information privacy as a risk-based activity.
Firstly, personal information is more pervasive than some realise. In a recent ruling, the Office of the Australian Information Commissioner found that Cupid failed to take reasonable steps to ensure the security of personal information it held, and also failed to destroy or de-identify personal information after it was no longer needed.
Because Cupid did not ask users to verify their identities, it considered that some of the names and associated details were not personal information. This was disputed by the OAIC, which also found that some of the personal information would be considered sensitive under the definition in the Commonwealth Privacy Act. In contrast, Cupid’s technical response to the breach was found to be appropriate. This case highlights the need to consider broader community expectations when it comes to personal information – it’s not just your organisation’s perspective that needs to be considered.
The management of legacy personal information has also been highlighted in recent press reports. A Melbourne medical centre was recently reported to have suffered a serious privacy breach where sensitive health records were compromised after the shed they were stored in was broken into. As the Privacy Commissioner Timothy Pilgrim stated, it’s difficult to imagine circumstances in which storage of sensitive records in an insecure structure such as a garden shed would be considered appropriate.
All of these examples highlight the need to consider privacy issues early in projects and business changes. Taking a privacy engineering approach, where privacy assurance is the default mode of operation, should be at the forefront of business planning in the digital age.
At GWI, we can help your organisation to avoid the issues outlined above and potential investigations by regulatory bodies.