Assess risk and determine encryption needs, urges Privacy Commissioner
By Negar Salek on Jan 29, 2008 7:01PM
Following the UK government’s decision to ban the removal of unencrypted laptops from government buildings, Australia’s Privacy Commissioner Karen Curtis is urging organisations to conduct risk assessments to determine whether their stored data requires encryption.
The UK government’s ruling came off the back of a series of major data breaches, including the HM Revenue and Customs breach, which involved the loss of two disks containing the details of 25 million British citizens.
To prevent a similar case in Australia, Curtis is encouraging agencies and organisations to conduct risk assessments to determine whether or not encryption is necessary to meet the legal requirements of the Privacy Act.
Curtis said the Privacy Act requires Australian Government agencies and other organisations to adopt ‘reasonable security safeguards’ for the personal information they hold. This could include encrypting information on laptops if it is sensitive or relates to a large number of people.
“The risk assessment should also consider whether and in what circumstances personal information is permitted to be removed from the office, be it in electronic form or not,” Curtis said.
As a general rule, the encryption of personal information on laptops and other storage devices such as USB drives is good privacy practice, she said.
According to the ‘Guidelines to the National Privacy Principles’, reasonable network security involves "adopting measures to protect computer systems for storing, processing and transmitting personal information from unauthorised access, modification and disclosure."
'Reasonable' safeguards include protecting email and voice communication from interception and preventing unauthorised intrusion into computer networks.
However, encryption expert Howard Waterson, regional manager at Centennial Software APAC, is calling for more stringent federal laws that mandate encryption as a way of protecting Australians from sensitive data leakage.
“Start at the federal government, it’s better than starting at the State,” he said. “The former Attorney-General, Philip Ruddock, put out a statement regarding his mandate to protect the information of every Australian citizen and all the information retained by government departments. We find it amazing that it still hasn’t happened in a pervasive manner.”
Waterson said that there are ongoing breaches in Australia that the public does not hear about, which he sees as all the more reason for the Federal Government to take the initiative in implementing such laws.
"[Australia] needs a regulation that [states] computers and portable media devices are encrypted in a proper manner,” Waterson said.
“The number of incidents in the UK [reached] the point where there was huge reaction from the public which [at last] enforced the [ban]. Does it have to get to that situation here?”
Tips for compliance under the Privacy Act guidelines include risk assessment, a security policy and staff training.