The rapid technological advances over the past two decades have significantly changed the privacy and data security landscape. When the Privacy Act 1988 (Cth) was enacted, its drafters and Parliament could hardly have contemplated the ways in which organisations (including government agencies) would be collecting, using and disclosing the personal information of individuals in 2016.
The developments in technology has been the catalyst for the seismic shift in the privacy landscape. Technology is central to how organisations collect, use and disclose personal information and how we as individuals interact with each other and with organisations.
Privacy and data security for both organisations and individuals has taken on a pivotal importance in the technological revolution.
Every time we check our phone, browse a website, view a webpage, Google something, select items we might buy online, make a credit card purchase online, interact with a Facebook post or use our travel card to 'touch on' on public transport, one or more organisations in Australia and/or overseas is recording our activity and collecting, using, analysing and potentially disclosing our personal information in ways we might not contemplate.
What these activities mean is that we are placing enormous trust in those organisations wherever or whoever they are to keep these large amounts of our valuable, personal information safe and secure and to use and disclose it for permitted purposes or only now and into the future.
Put your hand up if...
Hands up who has opened an online user account or made a payment without checking the privacy policy or collection statement of the organisations collecting our information? When was the last time you checked your social media accounts' privacy settings? Who has opened a phishing email thinking its genuine? It is likely that we will all answer yes to at least one of these questions.
Trust and privacy
In its recently released Australian Privacy Index 2016 entitled 'Trust without borders' Deloitte reports on the results of its analysis of a consumer survey about the state of privacy of some of Australia's leading consumer brands. One of the key themes to emerge was that consumers value trust more than convenience. As private individuals therefore we want to feel we can trust organisations to handle our personal information securely and in a fair and transparent manner. As part of that contractual equation we have our own role to play in protecting our privacy and in choosing to deal with organisations who demonstrate that we can trust them. This is reflected in the theme that the OAIC (Office of the Australian Information Commissioner) has chosen for Privacy Awareness Week 2016 – Privacy in your hands.
Our role in organisational privacy security
However we also have a role to play as individuals who work within organisations themselves - we are a critical factor in maintaining that trust. Organisations are made up of and act through people. The Privacy Act provides that the acts done and practices engaged in by individuals employed by or in the service of an organisation in carrying out their duties, will be treated as having been done or engaged in by the organisation.
While technology is both a key defence and a key vulnerability in any organisation's cyber security program, human behaviour is too. This is evidenced by the fact that rather than technology, the main cause in the overwhelming majority of data breaches is human activity (or error). In fact, the most common cause of data breaches in 2013 (including cyber breaches) was human error. According to the IBM Security Services 2014 Cyber Security Intelligence Index, 95% of all security incidents in 2013 involved human error.
Humans are therefore as important, if not in many cases, more important, to personal and organisational information security as any technological safeguard.
The most prevalent form of human error, according to the IBM Security Services 2014 Cyber Security Intelligence Index, was 'double clicking' an infected attachment or unsafe URL. Other common causes of human error included system misconfiguration, the use of default usernames and passwords, 'easy to guess' passwords and lost devices that contain sensitive data.
Although organisations may have sophisticated data security, it is only as effective as the people who are overseeing and administering the privacy systems, processes and procedures that underpin it. The best systems in the world can't stop an employee from clicking on a malicious link, falling victim to a phishing scam or losing their company device or USB of documents. In a data breach scenario, human decision making is a critical factor in an effective response.
An APP1 approach
The introduction of Australian Privacy Principle (APP) 1 into the Privacy Act in 2014 has required organisations to take reasonable steps to implement practices, procedures and systems relating to their functions or activities that will ensure that they effectively deal with inquiries or complaints and comply with the APPs, including APP11 (data security).
APP1 requires a privacy by design. How does this translate when it is applied to people in a data security context or in supporting the maintenance of consumer trust? Organisations cannot just look at privacy as a tick box exercise (eg yes we train our staff once a year on privacy), but as an embedded culture. They need to make people central to APP compliance in every stage of the information life cycle and as part of their risk management plan.
Increased employee education and awareness would allow employees to detect such suspicious activity and escalate it within the company. If employees know what a phishing scam looks like, they might realise that they are not providing their information into a bona fide recipient. Or they may know that it is unwise to transport highly sensitive documents home by a USB stick. Employee education is central to minimising the human errors that could otherwise have grave consequences for an organisation and government agency and the personal information they handle.
APP11
APP 11.1 requires organisations to reasonable steps to protect the information from misuse, interference and loss and from unauthorised access, modification or disclosure. This of course includes having appropriate the technology policies, systems and processes to adequately protect personal information. But quantifying the systems and processes that adequately control and manage human behaviour to ensure information is protected by and from them is another matter. Data security breaches caused by human error show that organisations need to invest not only in their technological safeguards but also in their design and rollout of training and support programs for employees and contractors. They need accessible workplace policies and procedures on permitted data collection, use and disclosure, when data can be accessed and sent out of the organisation, use of mobile devices, procedures for escalating and responding to data breaches, procedures for reporting errors and escalating privacy issues.
A final word
Although technology and processes are clearly important in ensuring privacy compliance and protection, organisations cannot afford to neglect the human element that underpins them. Organisations with sound security practices remain susceptible to human error. Although the risks can never be avoided altogether, technology and processes must be complemented by employee education and support which in turn creates a enabling and responsive culture of privacy. It always needs to be part of the conversation.