The responsibility of protecting privacy ultimately falls upon both individuals and regulators.
Individuals are often bad at protecting themselves, and our government, while active in the area, can be perceived as slow.
That said, legislation exists now, and new legislation and the resultant regulation are on the way; in order for organisations to comply they will need to spend.
In the eyes of Australia’s Privacy Act (the Privacy Act 1988) the definition of privacy is: how personal information is collected, used, disclosed, stored and destroyed, as well as the circumstances in which individuals should be able to access and correct personal information about them.
Interestingly, the Act does not currently deal with other aspects of privacy, such as the right to enjoyment of home or family life, or a right to freedom from surveillance.
Do individual members of the public demand privacy? Does the public want the same level of privacy online as they do offline? The answer is ‘sometimes’.
No ‘reasonable person’ or ‘ordinary person’ would desire their credit cards details stolen and used to defraud them.
However, many seemingly reasonable people put personal details on generally accessible social networking sites like Facebook and MySpace that could expose them to ID fraudsters.
Partly this is because people just don’t think that putting family genealogy online (for example, a mother’s maiden name) exposes them and their families to spying by ID fraudsters and, for that matter, anyone else (stalkers, paedophiles, employers, parents).
When you consider that these days Facebook lists subscribers’ profiles on public search engines like Google and Yahoo, we the public should be concerned.
After all there are very good reasons why the public should want personal information kept private.
There is no silver bullet to solve privacy issues and, as in the real world, the answer is two-fold: individuals need to protect themselves (organisations that employ individuals often need to take on this responsibility), and the state needs to protect individuals with privacy legislation that is enforced.
Neither one of these has an easy fix in a world where technology is driving so many new forms of communication:
1) For individuals and organisations to effectively protect their own data they need a comprehensive data security strategy.
For organisations this should start with policy and include physical and IT security infrastructure and functions that control both physical access (gates, guards, keys, cameras, …) and logical access (firewalls, intrusion prevention, AAA, data loss prevention, encryption, …) to data, and that protect against man-in-the-middle attacks, phishing scams, keyloggers, screen-scrapers, session hijacking, trojans, other malware, and so on.
This is non-trivial and expensive. It’s easier for an individual and could be as simple as installing a complete PC security software suite (anti-everything) and keeping it up to date.
2) The state needs to enact legislation to protect privacy: it needs to pass and enforce laws regulating the generation, use and eventual disposal of personal information.
There is significant activity on this from various governmental entities.
Progress is slow but there is progress. The Australian Attorney-General (AG), The Office of the Privacy Commissioner and Australian Law Reform Commission are all playing a part.
The 2006 inquiry is complete and its recommendations were handed to the AG on May 30th. Unfortunately they will not be made public until the report is tabled in Parliament sometime between mid July and August.
That noted, two key proposals published in interim ALRC papers are bound to be included, perhaps even enhanced. They are: ‘The ALRC proposes that the Privacy Commissioner should have the power to audit personal information held by private sector organisations, to assess compliance with privacy laws’ and ‘The ALRC proposes that individuals be notified where there has been unauthorised access to personal information that could lead to a real risk of harm to any affected individual.’
On 31 August 2007 the Privacy Commissioner, Karen Curtis, released a list of ‘essentials’ for privacy law reform in Australia, drawn from submissions the Office made to the ALRC inquiry.
Included is: ‘The Office supports the introduction of compulsory notification of data security breaches in certain circumstances. Such an obligation should be proportional to the severity of the breach.
By notifying people in a timely manner, organisations give people an opportunity to take any necessary steps to protect their personal information’.
As a stepping stone toward compulsory notification, the Office of the Privacy Commissioner released a draft Voluntary Information Security Breach Notification Guide in April this year.
All this means that tougher privacy laws are coming. When? Well, sometime in July or maybe August the public will hear the results of the ALRC inquiry.
Based on previous chronology (1976 to 1988) we can expect new legislation around 2020. Let us hope that it doesn’t take that long. The intent that is being floated by politicians is that there will be amendments this year.
Significant enhancements to Australian privacy legislation are required to protect the privacy of Australians. All indications are that the enhancements are coming, and with them greater regulation; in order to comply with these new regulations, Australian organisations will need to spend more.
The stick that is regulation forces organisations to take security more seriously.
David Kaplan is the Head Security Architect at earthwave, an Australian IT managed security services provider.