OAIC spells out problem areas in protecting personal information

John Kavanagh

Credit providers and other organisations handling personal information typically strike trouble meeting their obligations to protect that information when they "over-collect", when they fail to control access to information and when they fail to develop clear policies for oversight and accountability.

The Office of the Australian Information Commissioner has published a guide to the steps entities must take to protect the personal information they hold from loss, unauthorised access or disclosure, misuse and interference.

It also includes guidance on the steps entities are required to take to destroy or de-identify personal information once that information is no longer needed. And it spells out some of the problems often faced in this area.

The guide is for use by entities covered by the Privacy Act, including credit providers, credit reporting agencies and any tax file number recipient.

Personal information is information which enables the identification of an individual. This includes names and addresses, medical records, bank account details, photos and videos, details of where a person works and even their opinions and preferences.

The guide is not legally binding but the OAIC will refer to it when investigating whether an organisation has complied with the personal information security obligations of the Privacy Act.

The guide says organisations handling personal information need to recognise that information has a dynamic "life cycle" and that their strategies for protecting that information must be responsive to changes through that life cycle.

The information lifecycle has five stages. Organisations should:
• Consider whether it is actually necessary in the first place to collect and hold personal information in order to carry out business activities.
• Embed privacy protection into the design of information handling practices. Privacy and information-handling practices should be part of business planning.
• Assess the risks associated with collecting personal information that arise from new legislation, new business practices and changes in business strategy. Businesses should conduct a privacy impact assessment to identify the variety of security risks they face.
• Put strategies in place to protect the information. When assessing what steps should be taken to protect information, the entity should consider the possible adverse consequences for the individuals concerned if the information is not secured. Entities should also have a response plan in the event of a data breach.
• Destroy or de-identify personal information when it is no longer needed. This obligation applies even where the entity does not physically possess the information but has the right to deal with it.

Problems arise where entities "over-collect", that is, they collect more personal information than they need to carry out their activities. The guide recommends that entities look to minimise the collection of personal information.

Another common cause of problems is where people in the organisation assume that information protection is someone else's problem. The guide says: "Organisations should have clear procedures for oversight, accountability and lines of authority for decisions regarding personal information. A body or designated individual should have a full brief on personal information held."

The guide says entities should assume that human error will occur and plan for it. Privacy training may be required to make staff understand the importance of good information handling practices.

Entities are not excused from taking steps to protect information just because it would be inconvenient, time-consuming or costly to do so.

If an organisation adopts cloud computing it should assess the security controls of the cloud service provider to ensure it continues to comply with its privacy obligations.