Another day, another possible data breach. The victim? A tier one bank, with one of the best security programmes that money can buy. But this breach is different: it didn’t involve sophisticated hackers or fast-talking social engineers. It occurred, seemingly, through everyday employees with good intent handing over medical information to other internal staff who most likely should not have had access to it.
It counts as a breach because Australian Privacy Principle Six states: “An APP entity can only use or disclose personal information for a purpose for which it was collected”. The European General Data Protection Regulation contains a similar clause: “Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them.”
It’s an easy law to breach: Your organisation collects personal information and physical addresses to deliver products, but your business intelligence team wants to use the information to determine the demographics of its customers for more targeted advertising. Is this within the law? Without explicit consent, probably not. What if the information was anonymised before handing it over? It’s still a grey area.
Privacy is a much bigger challenge than security. Security is about preventing unauthorised access, but privacy is about preventing unauthorised use by authorised parties. It is like giving a key to your cleaner (an authorised person) but not wanting them to snoop through your filing cabinet (unauthorised use).
Our customers often ask us what they need to do to be compliant with the Australian Privacy Act. They are often surprised when we point out they already have all the security controls in place, but don’t have any of the recommended privacy management processes. Here are our top tips for getting your privacy management processes right:
- Make one senior person responsible for privacy (your Privacy Officer). This person must have sufficient knowledge of the business to know where personal information is collected and how it is used;
- Even if your data collection processes are already in place, “design” your privacy processes to meet Australian law. That usually means understanding why you need to collect the data, what you’ve told your customers you’re collecting their information for, and assigning an owner to control access to that data. That owner should seek advice from the Privacy Officer each time they want to use the data in a different way, or are asked for the data by another part of the business;
- Train all staff who have access to personally identifiable information about their obligation to protect privacy – even from other internal users;
- Document everything: every decision that impacts privacy, and who made it.
A much more comprehensive guide to complying with the Privacy Act has been published by the Office of the Australian Information Commissioner.
It is likely that any major privacy breach will be treated more seriously by the public than a security breach. That’s because when you’re hacked, you’re a victim, but when you misuse data, you’re the perpetrator.
Privacy is just as important an aspect of business risk as cybersecurity. Businesses and their staff need to remember that they don’t own a database of customer data. They are custodians of customers’ personal information, which their customers have entrusted to them. The information is lent for a specific purpose, and customers are often rightly upset when it is used for other purposes without their consent or knowledge.
In light of the recent potential misuse of customers’ medical data by this top tier bank, it’s time for every risk committee to stop and ask:
“What’s in place to stop my staff from accidentally misusing our customers’ data?”