The responsibility of protecting privacy ultimately falls upon both individuals and regulators.
Individuals are often bad at protecting themselves and our government, while active in the area, can be perceived as slow.
That said, legislation exists now, and new legislation and the resultant regulation are on the way – in order for organisations to comply, they will need to spend.
In the eyes of Australia’s Privacy Act (the Privacy Act 1988), privacy is defined in terms of how personal information is collected, used, disclosed, stored and destroyed, as well as the circumstances in which individuals should be able to access and correct personal information about them.
Interestingly, the Act does not currently deal with other aspects of privacy, such as the right to enjoyment of home or family life, or a right to freedom from surveillance.
Do individual members of the public demand privacy? Does the public want the same level of privacy online as they do offline? The answer is ‘sometimes’.
No ‘reasonable person’ or ‘ordinary person’ would want their credit card details stolen and used to defraud them.
However, many seemingly reasonable people put personal details on generally accessible social networking sites like Facebook and MySpace that could expose them to ID fraudsters.
This is partly because people just don’t think that posting family genealogy (for example, a mother’s maiden name) exposes them and their families to spying by ID fraudsters and, for that matter, anyone else (stalkers, paedophiles, employers, parents).
When you consider that these days Facebook lists subscribers’ profiles on public search engines like Google and Yahoo, we the public should be concerned.
After all there are very good reasons why the public should want personal information kept private.
There is no silver bullet for privacy issues; as in the real world, the answer is two-fold: individuals need to protect themselves (organisations that employ individuals often need to take on this responsibility), and the state needs to protect individuals with privacy legislation that is enforced.
Neither one of these has an easy fix in a world where technology is driving so many new forms of communication:
1) For individuals and organisations to effectively protect their own data they need a comprehensive data security strategy.
For organisations this should start with policy and include physical and IT security infrastructure and functions to control physical access (gates, guards, keys, cameras, …) and logical access (firewalls, intrusion prevention, AAA, data loss prevention, encryption, …) to data, and to protect against man-in-the-middle attacks, phishing scams, keyloggers, screen-scrapers, session hijacking, trojans, other malware, and the list goes on.
This is non-trivial and expensive. It’s easier for an individual and could be as simple as installing a complete PC security software suite (anti-everything) and keeping it up to date.