MARISE ALPHONSO
LINKING DATA PRIVACY TO SECURITY by Marise Alphonso, Information Security Lead at Infoxchange
Privacy is a fundamental human right[1], and security is essential to the maintenance of that right. Those who work in the fields of data privacy and information security have a duty of care to protect personal information, build trust and ensure transparency “with consumers” of organisational products and services. By fulfilling this duty, they will facilitate innovation and societal growth, and operate within the guardrails provided by legal and regulatory frameworks[2].

In early May, Privacy Awareness Week[3] was celebrated in Australia with the theme of ‘Make privacy a priority’[4]. The Office of the Australian Information Commissioner (OAIC) facilitated several events to shine a spotlight on how we can improve personal information privacy practices within our homes and workplaces[5][6].

When personal information is provided to an organisation by a member of the public to obtain a product or service, the expectation is that it will be used for that purpose and nothing more. Prior to offering a product or service, an organisation must perform a privacy impact assessment[7] to identify the risk of that personal information being compromised, and thereafter determine the safeguards that should be implemented to address potential privacy impacts. A key step of this assessment is consideration of how personal information flows through the information lifecycle of collection, storage, use, retention and disposal.

The Privacy Act (1988)[8], which applies to Australian government agencies and to organisations (entities) with annual turnover greater than $3 million, consists of 13 Australian Privacy Principles (APPs). APP 11, security of personal information, refers to “reasonable steps to protect personal information an entity holds from misuse, interference and loss, as well as unauthorised access, modification or disclosure.”

“Reasonable steps”[9] here refers to the elements of an information security program, including governance, policies and procedures, staff training and awareness, technical security measures, physical security, third-party assurance practices and incident response.

WOMEN IN SECURITY MAGAZINE