The Office of the Australian Information Commissioner (OAIC) has updated its list of the IT security measures it expects organisations to have in place to protect user data, adding new guidance to address risks associated with the trusted insider and cloud computing.
The OAIC last night quietly released an update to its Guide to securing personal information [pdf], which contains a checklist of things the OAIC studies when judging whether or not an entity has met its obligations under the Privacy Act.
The guide outlines five steps the OAIC expects organisations to take when collecting and handling personal information.
The OAIC last updated the guide in August last year to address confusion around what exactly constituted the "reasonable steps" an entity must take to protect customer data to the satisfaction of the Privacy Act.
This time around, the OAIC has shifted its focus to the threat posed by trusted insiders within an organisation.
It has made clear it expects organisations to actively guard against internal threats such as unauthorised access or misuse of personal information by staff and contractors.
"Trusted insider breaches can occur when staff mishandle personal information while carrying out their normal duties," the agency has advised.
"These actions are often motivated by personal advantage, for example insiders accessing personal information for financial gain."
Organisations can minimise these risks by limiting internal access to personal information to a need-to-know basis - by only giving access to those who require it to do their job, the OAIC said.
The guide lists six criteria to address when considering whether an organisation meets the requirements:
- Is access to customer information limited to only the staff who need it to perform their work?
- Are administrative privileges only given to staff who require them to do their job?
- Is access revoked promptly when no longer required?
- Have you considered restricting access to user data when a customer is using a pseudonym?
- Have you considered physically disabling USB or other external port access to devices, or disabling internal CD/DVD writers in devices?
- Have you considered remote wiping software to delete personal information stored on lost or stolen end-user devices?
Offshore cloud providers
The OAIC also included a new section covering how to approach outsourcing and third-party providers with regards to an entity's responsibilities under the Privacy Act.
Different sections of the Privacy Act apply depending on the type of arrangement an entity has with a third-party located overseas.
If the provision of personal information to an offshore cloud partner is considered a "disclosure", the entity would need to comply with the Australian Privacy Principle (APP) 8, which deals with the cross-border disclosure of personal information, and requires the entity to take reasonable steps to ensure its partner does not breach the Privacy Act in how it handles the data.
If the entity considers itself to still be "holding" the information rather than disclosing it to the partner, the organisation would need to comply with APP 11 - which states that the entity must take reasonable steps to protect the information from misuse, interference, and loss, as well as unauthorised access, modification or disclosure.
The OAIC said it considers "reasonable steps" in relation to cloud computing to include "robust management" of how the partner stores and handles the customer data - including "effective contractual clauses, verifying security claims of cloud service providers through inspections, and regular reporting and monitoring".
"If you choose to adopt cloud computing you need to assess the security controls of the provider to ensure that you continue to comply with APP 11," the OAIC guidance states.
"However, other APPs may also apply in these circumstances, including APP 8 (where personal information is disclosed to an overseas recipient), and APPs 12 and 13 (access and correction).
"You should also consider whether your cloud service provider should be required to have similar controls to those you might apply to your own systems, such as governance arrangements and controls relating to software security, access security and network security."
The OAIC's updated guide also fleshes out how it expects organisations to protect personal information during the stages of the data's lifecycle - specifically with regard to whether the information actually needs to be collected in the first place.
"Under APP 3, you should only collect personal information that is reasonably necessary (and for agencies, directly related) to carry out your functions or activities. Over-collection can increase risks for the security of personal information," the guidance states.
The first step in managing the security of personal information is therefore to ask whether the collection of personal information is necessary to carry out designated activities, it advised.
"If it is, you should then consider, even if you can collect it, should it be collected? That is, do you really need to collect the personal information or can the collection be minimised?
"Personal information that is not collected or is not stored cannot be mishandled."
The OAIC is currently stuck in limbo after the Senate failed to vote, before the end of the 2014 sitting, on legislation that would dissolve the office, which has only been funded to operate until 31 December.
Last May the Government announced the OAIC would be abolished as part of cost-cutting measures designed to return $500 million to the federal budget.
Its functions are expected to be split up and shared between four other agencies in order to save the Government $10.2 million over four years.