Managing Privacy in the Department of Justice
“Privacy Matters”

Brent Carey
Manager Privacy, Feedback & Whistleblowers

Learning Objectives

Today you will hear about Victorian privacy requirements

This session will better equip you to understand:
• collection, use & disclosure, management and access to personal information
• privacy incidents in the department, how to prevent, detect, recover and report
• how the department is gaining a leading edge in global privacy best practices and where to go for privacy related help.

Privacy Compliance is a risk management exercise

Executives = risk managers, in part because everyday business presents them with a choice of opportunities for gain, loss, cooperation and conflict

Victoria’s privacy laws are designed to limit the risks of data loss/fraud due to breaches of privacy and security and thereby help create a safer environment for investments in new technologies and service delivery

World Economic Forum Global Risks 2009

Compliance with privacy laws guards against

• Damaging the reputation of the Government, a Minister, a Secretary, a Senior Executive (Today/Tonight or Derryn Hinch test)
• Compromising service delivery or care or leading to a loss of confidence
• Re-assigning staff to repair and control
• Incurring legal non-compliance, financial penalties or costs
• Undermining strategic priorities of a modern criminal justice system

Privacy legislation

Information Privacy Act: State government agencies, local councils, Ministers & Statutory agencies
Health Records Act: Health information in Victorian public and private sectors, hospitals, doctors & employers.
Federal Privacy Act 1988: Covers Federal Govt and much of the private sector
Charter of Human Rights and Responsibilities Act: Victorian Govt depts and agencies must act in a way that is compatible with human rights

Privacy – Key definitions

Personal information: Recorded information about a living identifiable or easily identifiable individual.
Health information: Information able to be linked to a living or deceased person about a person’s physical, mental or psychological health.
Sensitive information: Includes information about a person’s race or ethnicity and criminal record.

Is a photo personal information? Are details of a person’s position and salary recorded on their personnel file?

Relationship to other laws

Privacy laws: Information Privacy Act (section 6).
What they say: If there is any inconsistency between the Information Privacy Act and a provision in another Act, the other Act’s provision prevails to the extent of the inconsistency.
Examples:
• Section 30 of the Corrections Act 1991.
• Section 141 of the Fair Trading Act 1999.

Are you familiar with what your primary legislation states you can do with personal information?

Privacy Basics

Collection: Minimise collection, collect only with authority, provide privacy notice
Use: Use only for the purpose for which collected
Disclosure: With consent, or if disclosure is required to fulfil the purpose of collection
Retention: Information about business decisions must be retained. Copies need to be disposed of securely
Security: Against risks, e.g. unauthorised access, collection, use, disclosure and disposal
Accuracy: Decisions affecting an individual must be based on accurate and complete information

Need some motivation about this time?

• Are you the US Montana?

Data Release versus Data Sharing

You must … if required by law
Example: the Police Regulation Act requires reporting of serious misconduct by members of the police force.

You may … if allowed by law
Example: the Freedom of Information Act allows disclosure upon a request being made unless an exempt document.

You may disclose under IPP2

Under IPP2 you may disclose:
• with consent.
• if information is from a publicly available source.
• information for statistical or research purposes; no identifiers.
• investigation of unlawful activity.
• to law enforcement agencies for the purpose of prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law.
• where the information is reasonably believed to be necessary to lessen or prevent a serious threat to public health / safety / welfare.
• other reasons in IPP2.

Consequences

• A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information.
• A privacy breach is not just about a mistake … it’s about TRUST

Take this moment in history

Privacy incidents can just pop up

Cost of a Privacy Breach Formula

• Total number of individuals affected by the breach, multiplied by:
   – Downtime (loss of productivity)
   – Staff costs (indicated in hours)
   – Additional post-incident costs (briefs, letters)
   – Potential legal action (VCAT, Supreme Court, compensation)
• Bottom line: the true cost of a privacy breach can be expensive

DOJ Privacy Incident Protocol

• Alleged privacy breach
• Reported within 30 min via line management
• Containment measures at location
• Provide summary of complaint / breach to Privacy Team

Privacy Incidents by Region

[Pie chart. Legend: Eastern, Gippsland, Loddon Mallee, Southern, Hume, Barwon Southwest, Grampians, North Western, Central. Slice values shown: 2, 2, 2, 2, 4, 12, 18, 20, 60.]

Why privacy incidents?

Division                                    No.
Regional & Executive Services                14
Strategic Planning & Projects                 0
Gaming & Racing                               1
Legal & Equity                                0
Police, Emergency Services & Corrections     85
Consumer Affairs                              4
Community Operations & Strategy              27
Courts                                        8
Non-Justice related                           4
Total                                       143

• Total of 143 since 2005
• The Department holds a large amount of personal & sensitive information in multiple databases and systems
• Increased reporting of incidents
• Large amount of sanctioned data sharing between DOJ, Police, DHS etc
• Increased use of email & fax to send and receive information

Nature of DOJ privacy incidents

Categories of breach and complaint under IPP4 Data Security make up 85.5% of all matters. Only 15 of the total 143 relate to matters other than IPP 4

IPP 4 related categories:
• Inappropriate Access (e-Justice)
• Inappropriate Access (PIMS)
• Inappropriate Access to Other Database
• Inappropriate Collection
• Inappropriate Disclosure
• Inappropriate Email Access
• Inappropriate Phone Disclosure
• Incorrect Fax
• Incorrect Information
• Lost Information
• Wrong Email Address

Trends in Justice:
• Information Sharing/colocation
• Theft/Loss of items
• Incorrectly addressed emails & faxes
• Employee Misconduct

Threats worldwide:
• Social engineering
• Inadequate/Outdated Technology
• Exposure through web attack
• Employee misconduct
• Physical threats

Is your business vulnerable?

You ought to be concerned if..

• Downsize, retrench, relocate or collocate
• Outsource services such as couriers, mail-outs, debt recovery/workcover agents, data storage
• ‘Snoops & Leaks’
• Staff who forward & circulate information widely
• Don’t know where your most sensitive information resides within your region
• Have a culture of Hoarders and ‘Chuckers’
• Have ‘home’ workers
• Have audit recommendations not implemented

Flavours of a Privacy Breach: CV CCS

• A community work site received by fax, 15 pages of full medical history for an offender along with his community work contract.
• Offender had provided extensive medical documentation to support his claim that he required a light duty site and no authority was provided for this information to be provided to any other person or agency. The site supervisor clearly indicated that the information had been provided to him by a CCO who undertakes the Community Work Coordinator role.
• Confirmed that document has been destroyed. Worksite supervisor has agreed to take on the offender regardless of information received.
• Employee concerned will attend Privacy training.

Privacy Breach: CV Prison

• A prison officer picked up a number of sheets of paper off the ground within a prison compound in an area accessible to visitors.
• Contained a list of custodial staff members and residential and mobile numbers.
• All master phone lists watermarked with confidentiality message.
• Staff notified that their details were subject to potential access.

Privacy Breach: IMES

• A member of the public complained that he had received summaries of infringements and several notices from Infringements Court/IMES. One notice refers to due date 1999 which IMES state is a configuration error (IPP 3).
• He also received notice addressed to another person concerning their fine which he said he has forwarded to him with his letter (IPP 4).
• Action taken against contractor for error on their part in the breach.
• Mail checking procedures revised.

Privacy Breach: Indigenous Issues Unit

• Member of the public complained that Aboriginal Liaison Officer assisting him with fines in court has failed to protect his information from loss and unauthorised access (IPP 4.1).
• Executive Services has considered the contract which suggests DOJ is treating the matter as a ‘state contract’ as opposed to a mere funding agreement for Information Privacy Act purposes. However it is not clear that DOJ has adequately passed its responsibility for privacy compliance onto the Co-op.
• Executive Services and IIU have made arrangements to discuss the matter with the Co-op with a view to resolving the complaint.

Privacy Breach: CAV

• Residential Tenancies Inspector had briefcase stolen from vehicle boot.
• Briefcase contained 35 rent review files and personal information about 70 individuals.
• IPP 2 (disclosure) & IPP 4 (security).
• Individuals notified.
• Privacy compliance reminders issued to staff.

Policy relationships

• Taking Responsibility & Code of Conduct; ICT & Physical Security Strategy
  (drive)
• Information Security and Information Privacy Policy
  (drive)
• Classification; Reasonable Personal Use policies; Other policies

Other Policies detailed

Policies
• Information Security Policy
• Personal Information Policy
• Information Privacy Complaint Handling Policy
• Inappropriate Access to Personal Information
• Clear Desk and Screen Policy
• ICT Security Policy Overview
• Fax Security Policy

Procedures
• Privacy Induction Manual
• Privacy Coordinators Operational Manual
• How do I … Undertake an Information Security Classification Process

Privacy Tools

Collection Statement Generator: Use for form and website design
Privacy Impact Assessment: Use in projects
Information Sharing Agreements: Use where bulk and routine release of information
Privacy Clause S17(2) - Contracted Service Providers: Require all third parties to comply with privacy laws
Privacy Breach Protocol: Detect, file incident report to Exec Services
Personal Information Consent Form: Use to ensure valid consents
Annual Privacy Health Check: Do it once a year to assess vulnerabilities prior to incidents occurring

Other Privacy Measures

• Volunteer Privacy Coordinators (BU’s) & Contact Officers (Prisons & CCS) “Eyes and Ears”
• Privacy Training
• Privacy e-Learning Module
• Privacy FAQ & Factsheet Series
• Privacy HelpDesk
• Privacy Awareness Materials
• Taking Responsibility Fax Sticker Campaign
• “Whoops Sorry!” Email Campaign

Three things you can do straight away

• Check staff in your region know how to spot and report a privacy breach
• Assess vulnerabilities within your region prior to an incident occurring
• Engage staff and third parties across your region in building your privacy and security culture and maintaining the department's reputation as one of three global privacy leaders

Summary

• Privacy risk is worth managing
• Personal information is more than just electronic data
• Personal information loss and leakage is a risk to the department
• Move toward greater accountability and transparency within the regions and within Govt, and need to be ready with robust privacy controls (people, process, technologies)
• Privacy incident protection is more than just securing the system. People and culture are the key.
• Let’s end on a light note: People can be our strongest or weakest link


Privacy presentation for regional directors july 2009
