The Office of the Australian Information Commissioner’s (OAIC) has released the latest update to their Guide to Securing Personal Information. It emphasises the five steps that are necessary for agencies and organisations to take in assessing whether to collect personal information, how to protect it, and what to do with it once it is no longer needed.
The focus of this update is the information lifecycle … discussing privacy by design, risk assessment and that unnecessary collection of personal information increases the likelihood that it may be mishandled.
‘The information lifecycle illustrates the dynamic nature of personal information handling, and demonstrates why personal information security must be embedded in day-to-day processes, rather than only being considered in the context of specific projects or activities’, said Privacy Commissioner Timothy Pilgrim.
The Guide includes steps and strategies to minimise the risk of a ‘trusted insider’ breach, and to emphasise the necessity of designing and building-in security measures that factor in human error. The 5th step in the information lifecycle involves ‘destroying or de-identify the personal information when it is no longer needed’.
The Guide to Securing Personal Information also places emphasis on the importance of governance, the creation of a privacy and security aware culture within the workplace, and the necessity for a privacy culture to be driven from the board-level within organisations. A section on using cloud storage solutions outlines the continued requirements that apply when information handling is outsourced to a third party provider.
Here’s a quick breakdown of it’s contents.
Contents
- What is personal information security?
- Personal information security
- Why is it important?
- The information lifecycle
- Consider whether to collect personal information
- Privacy by design
- Assessing the risks
- Taking appropriate steps and putting into place strategies to protect personal information
- Destroy or de-identify personal information
- Part A — Circumstances that affect assessment of reasonable steps
- Nature of the entity
- Amount and sensitivity of personal information held
- Adverse consequences for an individual
- Practicality of implementation
- Privacy invasiveness
- Part B — Steps and strategies which may be reasonable to take
- Governance, culture and training
- Internal practices, procedures and systems
- ICT security
- Access security
- Third party providers (including cloud computing)
- Data breaches
- Physical security
- Destruction or de-identification of personal information
- Standards
Download the Guide to Securing Personal Information from the OAIC website.
For nearly 15 years Shred-X Document Destruction has been the leader in secure destruction services. We assist organisations in complying with the Privacy Act 1988 and its Amendments providing tailored services to thousands of commercial sites and households across Australia. Our NAID AAA Accredited Destruction Facility in Wingfield services Adelaide and the surrounding regional areas on a regular basis.
In addition to destroying documents we also degauss data on hard drives and offer physical destruction of e waste, a more secure alternative to computer recycling.