As part of some background research I have been doing, I was looking into the workings of the Australian Privacy Act (1988) and its impact on the organisations that are governed by it.
Happily, my research coincides with the upcoming Privacy Awareness Week on 15-21 May 2016, found at https://www.oaic.gov.au/paw2016/
The Privacy Act is compulsory for most Government Agencies and many private-sector organisations where sensitive data about individuals is being held. These are referred to as APP entities.
Data classified as sensitive is subject to the Australian Privacy Principles (APPs) and includes items such as health information.
Under the Australian Privacy Act the entities must take “reasonable steps to protect personal information (including sensitive information) from misuse, interference and loss, as well as unauthorised access, modification or disclosure.”
My post on this subject is focused on the process by which these reasonable steps are arrived at, and how this is relevant to organisations not subject to the Privacy Act as a model for better personal information security practice.
It’s my personal view that many companies can benefit from strengthening their privacy controls by taking a structured approach, and that a whole-of-organisation information modelling approach can help with this.
It makes good business sense to foster a privacy and security aware culture that engenders trust in the organisation holding the data and gives clarity through knowing how that data is being used.
There are a few things that have changed the game in the privacy space, namely:
- The rise and rise of Cloud technology.
- The rise of Mobile technology and the collection of user and location data.
- The interdependence of business processes.
- Using the above, the ability of data to ‘jump’ boundaries that were previously not considered.
- The ability to transform, merge and ‘machine learn’ disparate datasets into intelligence.
Organisations can carry out a Privacy Impact Assessment (PIA) on their operations to empower a culture of privacy by design.
The OAIC website https://www.oaic.gov.au/agencies-and-organisations/guides/guide-to-securing-personal-information contains a wealth of information and resources that I’m not going to repeat here, but it does make some very valid and important points about the dynamic and changing nature of information in the enterprise.
When implementing a PIA it is important to consider the full information lifecycle in order to determine the best way to protect the APP information.
At its highest level the information lifecycle consists of the steps that follow from inception to destruction of the information items.
The points that drew my attention relate to the following process areas, which cross over into the work of information professionals in particular.
Information Architecture (or Information engineering if you prefer) has a direct role in identifying specific approaches or commitments for handling personal information in the following areas:
- The processes for identifying, assessing and managing privacy and security risk, as well as developing and monitoring controls for those risks. Information security risks can be evaluated by considering the vulnerability of information at rest, in transit and in use. Identifying sensitive data in these usage scenarios will suggest ways in which it can be protected.
- Access, Updating & Correction – Processes for providing access to and correction of personal information, and for maintaining the quality of personal information that is used and disclosed. Where this is done electronically, access and security controls must be assessed to ensure that only authorised personnel are able to carry this out.
- Machine Learning. The increasing use of Machine Learning in organisations is an interesting case where data that is collected can be transformed into different, more personal information.
As an example, the use of datasets that combine individual health data with other analytics raises ethical questions about the dynamic nature of information that was originally collected in a regulated context being used for other purposes.
On the one hand it can provide potentially great benefits for Public Health and Health Services, but must be handled according to the wishes of the individual, with special considerations where genetic information is involved.
In many, if not all cases of machine learning it is important to anonymise sensitive data before enriching it.
- Linking Across Business Processes – Whether this happens, and when, and whether consent is sought to do so. Taking an enterprise view of information flow and the information objects handled will reveal where information is being used according to the terms of collection, where duplication occurs and where process boundaries are being crossed. Consideration of business processes in isolation would not necessarily uncover these use cases.
- Security Protections (for example, encryption, audit and monitoring) that you have in place. These controls follow on from the risk identification exercise above, and are covered in the OAIC guidelines. In particular, organisations should discuss with cloud providers how these safeguards are enabled in their offerings, and confirm that they comply with best practice.
- Managing contractors when personal information may be disclosed. As well as considering the contractual obligations of contractors to keep data private (and their disclosure policies), the organisation should consider the sensitivity of the data transferred to the contractor as part of the ecosystem, and ensure that the security and auditing applied in-house is also applied to third-party systems.
- Approach to destruction or de-identification of personal information – (ideally identifying from these the specific periods that have been set for archiving, destruction or de-identification of personal information relating to the key functions and activities that individuals will be concerned about).
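The enterprise view of information flow described under "Linking Across Business Processes" can be made concrete as a small data-flow register that is checked mechanically. The following is an added example (not from the original post or the OAIC guidance) with constructed items and flows; the item, process and store names are hypothetical. It flags two of the findings a PIA looks for: a sensitive item used for a purpose it was not collected or consented for, and a sensitive item duplicated into more than one store.

```python
"""Toy PIA data-flow register: constructed example, not a real system."""
from dataclasses import dataclass


@dataclass(frozen=True)
class InfoItem:
    name: str
    sensitive: bool             # APP 'sensitive information', e.g. health data
    collected_for: str          # purpose stated to the individual at collection
    consented_uses: frozenset   # further purposes the individual has agreed to


@dataclass(frozen=True)
class Flow:
    item: str
    source_process: str
    target_process: str
    purpose: str                # what the target process uses the item for
    target_store: str           # where the target process keeps its copy


def review_flows(items, flows):
    """Return (finding, item, detail) tuples for a PIA review.

    A flow is a secondary use without consent when its purpose is neither the
    collection purpose nor a consented one.  A sensitive item is duplicated
    when flows land it in more than one store (each store is another copy to
    protect, encrypt, and eventually destroy).
    """
    by_name = {i.name: i for i in items}
    findings = []
    stores = {}
    for f in flows:
        item = by_name[f.item]
        if f.purpose != item.collected_for and f.purpose not in item.consented_uses:
            findings.append(("secondary-use-without-consent", f.item, f.target_process))
        stores.setdefault(f.item, set()).add(f.target_store)
    for name, locations in stores.items():
        if by_name[name].sensitive and len(locations) > 1:
            findings.append(("sensitive-duplicated", name, ",".join(sorted(locations))))
    return findings


# Constructed sample register: a clinic intake process feeding three others.
ITEMS = [
    InfoItem("patient_diagnosis", True, "treatment", frozenset({"billing"})),
    InfoItem("mailing_address", False, "correspondence", frozenset()),
]
FLOWS = [
    Flow("patient_diagnosis", "clinic_intake", "billing", "billing", "finance_db"),
    Flow("patient_diagnosis", "clinic_intake", "marketing_analytics", "campaign_targeting", "analytics_lake"),
    Flow("mailing_address", "clinic_intake", "mailroom", "correspondence", "crm"),
]

if __name__ == "__main__":
    for finding in review_flows(ITEMS, FLOWS):
        print(*finding)
```

Reviewing each business process on its own would show three legitimate-looking flows; only the cross-process view reveals that the diagnosis has escaped its collection purpose and now lives in two stores.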
Cloud-based systems routinely keep multiple copies of the data that is stored, sometimes in geo-redundant locations. Applying security protections like encryption helps entities to reduce the risk of disclosure (by reducing the attack surface area), and cloud providers should provide assurances that deleted data on their systems is fully deleted, including any backup and remotely held copies of the data.
An information architecture approach is one of the keys to understanding the influence of distributed business processes on the privacy of the individual, and the unintended consequences and side effects of utilising cloud-based storage systems and encryption in systems holding sensitive content.
And to finish with a quote from the OAIC:
“Privacy is not secrecy. It is about giving individuals control over how their personal information is handled; creating customer confidence and trust. As such, good privacy practices and great innovation directly support each other.”