Privacy Bites Newsletter
Privacy: It's Everybody's Business
Welcome
Welcome to the third edition of Privacy Bites, the newsletter of the Right to Information and Privacy Office. This edition will look closely at the requirements for storage and security of personal information.
Storage and Security of Personal Information
Information Privacy Principle (IPP) 4 (Storage and Security) of the Information Privacy Act 2009 requires the university to protect documents against loss and against unauthorised access, use, modification or disclosure. The protections required under IPP 4 include security safeguards adequate to provide the level of protection that can reasonably be expected to be provided.
What is reasonable will depend on the circumstances, but in general, every employee has an obligation to ensure personal information held by them is secure and protected from unauthorised use or disclosure. The Information Commissioner identifies the following information as being more sensitive and requiring more stringent protections:
- Information that involves extensive amounts of personal information;
- Information that involves information about vulnerable persons;
- Information that is sensitive, such as racial and ethnic origin, political opinions, sexual orientation or criminal records;
- Information that carries a risk of identity theft or financial harm;
- Information that carries a risk of harm to a person's life, safety, liberty, reputation or livelihood.
The University holds a lot of personal information on student files, some of which would be classified as sensitive personal information. While Records and Archives Management Services have implemented safeguards surrounding the electronic student file, operational units are encouraged to review protections surrounding files containing personal information and impose more stringent security measures on those files containing sensitive personal information.
Here are some handy tips to ensure you protect personal information when at work:
- Ensure hard copy documents that contain personal information are stored in lockable filing cabinets and receptacles when not needed;
- When away from your office, ensure that you lock it to protect any working documents that contain personal information;
- Properly dispose of records in accordance with the University's Records Management Policy;
- Limit access to databases and systems to those employees who have a legitimate work-related need to access them;
- Review access to databases regularly and remove those staff who no longer have a legitimate work-related need to access the database;
- Don't share your UQ password.
The following is a summary of a case heard before the Australian Privacy Commissioner and summarised in the Privacy Matters Summer Newsletter 2010.
Own Motion Investigation v Retailer [2009] PrivCmrA 25
A scrapbook containing personal information about a retailer's customers was found in public and forwarded to the Privacy Commissioner, who commenced an investigation to determine whether the retailer had taken reasonable steps to protect personal information under NPP 4.
The Commissioner was satisfied that the loss of the scrapbook was an anomaly. The retailer had appropriate processes and procedures in place to protect privacy, and it also took steps to make sure the incident would not happen again. The Commissioner was satisfied that the retailer had fulfilled its NPP 4 obligations and ceased the investigation.
The requirement for every operational unit to have systems to ensure the storage and security of personal information will greatly assist any investigation for a breach of privacy.
Do you have policies surrounding the use of portable storage devices (portable external hard drives, CDs/DVDs, USB keys, laptops/notebooks) and the storage of personal information? The storage of personal information on these devices has the potential to pose a significant risk to the security of that information.
The Federal Privacy Commissioner has identified five interrelated steps that will enhance the security of personal information stored on portable storage devices:
- Risk assessment
- Documented policies
- Active staff awareness
- Appropriate software controls
- Effective response to security breaches
Further information on the risks of using portable storage devices can be found at http://www.privacyawarenessweek.org/2009/documents/info_sheet3_psd.pdf [pdf, 889kb]. If your organisational unit does rely on the use of portable storage devices, it is recommended that you at least undertake a risk assessment of the use of these devices and their potential impact on information security.
Focus on ...
Storage and security of personal information
Risk of privacy breach – photocopier hard drive
Disclaimer
The information contained in this newsletter is of a general nature only and is not legal advice. Specific legal advice should be sought rather than relying on this newsletter.
Anthony Zgrajewski,
Right to Information and Privacy Coordinator
E-mail: a.zgrajewski@uq.edu.au
Ph: (07) 3365 2571 Fax: (07) 3365 1058