E-security Awareness: When it comes to Personal Information, it’s Security AND Privacy ‘cos there is no trade-off
The experiences of handling (and losing) personal information have a lot to tell us about better security in any organisation.
How often have you heard somebody argue that there has to be a trade-off between security and privacy?
The argument usually runs along the lines that, in order to keep you secure, you have to give up some aspect of your privacy. For example, you must exhibit a lot of evidence of identity before completing a transaction or joining a group or organisation.
But the tide is turning. On 29 May, the US President released the 60-day Cyberspace Policy Review. Item 10 in the Near Term Action Plan put forward by the review calls for the nation to:
“Build a cybersecurity-based identity management vision and strategy that addresses privacy and civil liberties interests, leveraging privacy-enhancing technologies for the Nation.”
Read the US President’s remarks at the time of the release and count how many times he remarks on the importance of getting privacy AND security right.
Why is this relevant to the themes of National E-Security Awareness Week?
Because you can improve the security settings in your organisation by applying the National Privacy Principles (NPPs) in the Commonwealth Privacy Act intelligently.
For example, consider the security guidance supplied by the following NPPs:
NPP1, The Collection Principle: “An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.” From a security perspective, the less personal information you collect, the less there is to keep secure and the less to lose. And the less attractive your data sets are to those who want to steal it. An additional bonus: this should also reduce your data handling costs.
NPP2, The Use and Disclosure Principle: “An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless” certain limited exceptions apply. This is totally in line with the ‘need to know’ adage in any security framework.
NPP3, The Data Quality Principle: “An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.” One of the most significant weaknesses in any organisation’s security framework is its inability to ensure not only that new staff and contractors are properly provisioned with resources when they commence, but also that they are DE-provisioned when they leave.
NPP4, The Data Security Principle: “An organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.” and “An organisation must take reasonable steps to destroy or permanently de-identify personal information if it is no longer needed…” Enough said!
And so you can work your way through the NPPs in this way.
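The NPP3 point about de-provisioning is the one most organisations get wrong in practice, so here is the kind of check a security team would actually run: reconcile the HR leavers list against the directory's active accounts and flag anyone still enabled after their end date. This is an added illustration, not code from the original post or from IIS; the two CSV exports are constructed sample data and their column names (employee_id, end_date, enabled) are assumptions that would follow whatever your HR and directory systems actually export.

```python
"""Reconcile an HR export against active accounts to catch missed
de-provisioning (the NPP3 weakness discussed above).

Added illustration, not code from the original post. The HR export and
the account list below are constructed sample data; the column names are
assumptions and would follow your own HR and directory exports.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample HR export: one row per person, end_date blank while employed.
HR_EXPORT = """\
employee_id,name,end_date
1001,Alice Tan,
1002,Bob Reid,2009-05-15
1003,Chen Wu,2009-06-30
1004,Dana Kohl,2009-06-01
"""

# Constructed sample directory export: accounts and whether they are enabled.
ACCOUNT_EXPORT = """\
employee_id,username,enabled
1001,atan,true
1002,breid,true
1003,cwu,true
1004,dkohl,false
1005,svc_backup,true
"""


def parse_csv(text):
    """Parse a CSV export held in memory into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_stale_accounts(hr_rows, account_rows, today, grace_days=0):
    """Return (stale, unmatched).

    stale     - enabled accounts whose owner's HR end_date has passed
                (optionally allowing a grace period for hand-over).
    unmatched - enabled accounts with no HR record at all. NPP3 asks for
                complete data, so an account nobody in HR can vouch for is
                itself a finding, not something to silently skip.
    Staff with a blank end_date, or an end_date still in the future, are
    current employees and are never flagged.
    """
    end_dates = {}
    for row in hr_rows:
        raw = row["end_date"].strip()
        end_dates[row["employee_id"]] = date.fromisoformat(raw) if raw else None

    cutoff = today - timedelta(days=grace_days)
    stale, unmatched = [], []
    for acct in account_rows:
        if acct["enabled"].strip().lower() != "true":
            continue  # already disabled; nothing to do
        if acct["employee_id"] not in end_dates:
            unmatched.append(acct["username"])
            continue
        end = end_dates[acct["employee_id"]]
        if end is not None and end <= cutoff:
            stale.append((acct["username"], end.isoformat()))
    return stale, unmatched


def run_check(today_iso="2009-06-15", grace_days=0):
    """Run the reconciliation over the constructed exports for a given day."""
    hr = parse_csv(HR_EXPORT)
    accounts = parse_csv(ACCOUNT_EXPORT)
    return find_stale_accounts(hr, accounts, date.fromisoformat(today_iso), grace_days)


if __name__ == "__main__":
    stale, unmatched = run_check()
    for username, end in stale:
        print(f"DE-PROVISION: {username} (employment ended {end})")
    for username in unmatched:
        print(f"REVIEW: {username} has no HR record")
```

Run daily against real exports, the same logic gives you a short, actionable list instead of an annual audit surprise; the unmatched list is usually where the forgotten contractor and service accounts turn up.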
That’s where we are right now. But if you want to make more use of cloud computing than you already do with Search, Data Storage, Email etc., then read “It’s 6 O’Clock — Do You Know Where Your Cloud’s Data Center Is?” which was carried in Information Week on 2 June 2009.
But sadly, there will be data losses even in the best run organisation. What to do then? Again, you could do a lot worse than start your response based on the hard learned lessons of recent years from the losses of personal information.
The 2009 Data Breach Investigations Report, a study conducted by the Verizon Business RISK Team will give you some surprising insights as to where your security weaknesses might really be. The Office of the Privacy Commissioner of Australia has also published a “Guide to handling personal information security breaches”. At IIS, we have published a Privacy Breach Check List. The check list provides immediate help in the first 24 hours of a major data loss and suggests what to do as matters unfold over the first week and what to think about in the longer term.
Security AND Privacy: they are both elements of E-Security Week.
Malcolm Crompton is Managing Director of Information Integrity Solutions (IIS), a globally connected company that works with public sector and private sector organisations to help them build customer trust through respect for the customer and their personal information. He is also foundation President of the International Association of Privacy Professionals, Australia New Zealand, www.iappANZ.org.
____________________________________
Malcolm Crompton is a guest blogger of our “e-Security & Small Business” forum which is part of the National e-Security Awareness Week, an annual initiative aiming to raise awareness about the importance of e-security among Australians.
To learn more, visit http://www.staysmartonline.gov.au/ today.
To find out about how to protect your business and your customers and stay safe when working from home, go to http://www.staysmartonline.gov.au/small-business-security, or sign up for the following free services:
__________________________________________
Malcolm Crompton is the Founder and Lead Privacy Advisor of IIS Partners (IIS), a company that works with public and private sector organisations to build trust with customers through protecting their personal information.
Trevor Kerr
June 15, 2009 at 11:13 pm
National Privacy Principles (NPPs)
Malcolm – how long will it take to harmonise the NPPs with the IPPs?
Malcolm Crompton
June 16, 2009 at 12:26 pm
how long it might take to harmonise the NPPs with the IPPs?
Trevor – I am hearing that the government might announce its response to the ALRC report recommending the introduction of Uniform Privacy Principles by the end of 2009 with legislation to be introduced some time in 2010. But this is now the prerogative of the new Minister with responsibility for privacy issues, Senator Ludwig to decide & he may not yet have reached a view on this question.