Privacy presentation for regional directors, July 2009
1. Managing Privacy in the Department of Justice
“Privacy Matters”
Brent Carey
Manager Privacy, Feedback & Whistleblowers
2. Learning Objectives
Today you will hear about Victorian privacy requirements.
This session will better equip you to understand:
• collection, use and disclosure of, management of, and access to personal information
• privacy incidents in the department, and how to prevent, detect, recover from and report them
• how the department is gaining a leading edge in global privacy best practices, and where to go for privacy-related help.
3. Privacy Compliance is a risk management exercise
Executives = risk managers, in part because everyday business presents them with a choice of opportunities for gain, loss, cooperation and conflict.
Victoria’s privacy laws are designed to limit the risks of data loss and fraud due to breaches of privacy and security, and thereby help create a safer environment for investment in new technologies and service delivery.
5. Compliance with privacy laws guards against
• Damaging the reputation of the Government, a Minister, a Secretary or a Senior Executive (the Today Tonight or Derryn Hinch test)
• Compromising service delivery or care, or leading to a loss of confidence
• Re-assigning staff to repair and control
• Incurring legal non-compliance, financial penalties or costs
• Undermining the strategic priorities of a modern criminal justice system
6. Privacy legislation
Information Privacy Act: State government agencies, local councils, Ministers and statutory agencies.
Health Records Act: Health information in the Victorian public and private sectors, hospitals, doctors and employers.
Federal Privacy Act 1988: Covers the Federal Government and much of the private sector.
Charter of Human Rights and Responsibilities Act: Victorian Government departments and agencies must act in a way that is compatible with human rights.
7. Privacy: Key definitions
Personal information: Recorded information about a living identifiable or easily identifiable individual.
Health information: Information able to be linked to a living or deceased person about a person’s physical, mental or psychological health.
Sensitive information: Includes information about a person’s race or ethnicity and criminal record.
Is a photo personal information? Are details of a person’s position and salary recorded on their personnel file?
8. Relationship to other laws
Privacy law: Information Privacy Act (section 6).
What it says: If there is any inconsistency between the Information Privacy Act and a provision in another Act, the other Act’s provision prevails to the extent of the inconsistency.
Examples:
• Section 30 of the Corrections Act 1991.
• Section 141 of the Fair Trading Act 1999.
Are you familiar with what your primary legislation states you can do with personal information?
9. Privacy Basics
Collection: Minimise collection, collect only with authority, and provide a privacy notice.
Use: Use only for the purpose for which the information was collected.
Disclosure: With consent, or if disclosure is required to fulfil the purpose of collection.
Retention: Information about business decisions must be retained. Copies need to be disposed of securely.
Security: Protect against risks such as unauthorised access, collection, use, disclosure and disposal.
Accuracy: Decisions affecting an individual must be based on accurate and complete information.
10. Need some motivation about this time?
• Are you the US Montana?
11. Data Release versus Data Sharing
You must, if required by law… Example: the Police Regulation Act requires reporting of serious misconduct by members of the police force.
You may, if allowed by law… Example: the Freedom of Information Act allows disclosure upon a request being made, unless the document is an exempt document.
12. You may disclose under IPP2
Under IPP2 you may disclose:
• with consent
• if the information is from a publicly available source
• information for statistical or research purposes, with no identifiers
• for investigation of unlawful activity
• to law enforcement agencies for the purpose of prevention, detection, investigation, prosecution or punishment of criminal offences or breaches of a law
• where the information is reasonably believed to be necessary to lessen or prevent a serious threat to public health, safety or welfare
• for other reasons in IPP2.
13. Consequences
• A privacy breach occurs when there is unauthorised access to, or collection, use, disclosure or disposal of, personal information.
• A privacy breach is not just about a mistake… it’s about TRUST.
14. Take this moment in history
Privacy incidents can just pop up
15. Cost of a Privacy Breach Formula
• Total number of individuals affected by the breach, multiplied by:
  – Downtime (loss of productivity)
  – Staff costs (indicated in hours)
  – Additional post-incident costs (briefs, letters)
  – Potential legal action (VCAT, Supreme Court, compensation)
• Bottom line: the true cost of a privacy breach can be expensive.
16. DOJ Privacy Incident Protocol
Alleged privacy breach → reported within 30 min via line management → containment measures at location, and a summary of the complaint / breach provided to the Privacy Team.
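The protocol above has three checkable obligations: line management told within 30 minutes, containment recorded at the location, and a summary sent to the Privacy Team. The following Python is an added example (not code from the deck or the department) that triages constructed incident records against those three obligations; the record fields, the `Incident` class and the sample data are assumptions made for the illustration.

```python
"""Added example: check incident records against the DOJ Privacy Incident
Protocol as described on the slide. Field names and sample records are
constructed for illustration and are not departmental data."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# "Reported within 30 min via line management"
REPORTING_WINDOW = timedelta(minutes=30)


@dataclass
class Incident:
    ref: str                            # constructed incident reference
    detected_at: datetime               # when the alleged breach was noticed
    reported_at: Optional[datetime]     # when line management was told (None = never)
    containment_at: Optional[datetime]  # when containment measures were taken at the location
    summary_sent: bool                  # summary of complaint / breach given to Privacy Team
    ipp: str                            # Information Privacy Principle cited, e.g. "IPP 4"


def check_incident(inc: Incident) -> List[str]:
    """Return the protocol gaps for one incident; an empty list means compliant."""
    gaps: List[str] = []
    if inc.reported_at is None:
        gaps.append("not reported to line management")
    elif inc.reported_at - inc.detected_at > REPORTING_WINDOW:
        late = inc.reported_at - inc.detected_at - REPORTING_WINDOW
        gaps.append(f"reported {int(late.total_seconds() // 60)} min past the 30 min window")
    if inc.containment_at is None:
        gaps.append("no containment measures recorded at location")
    if not inc.summary_sent:
        gaps.append("no summary provided to Privacy Team")
    return gaps


def triage(incidents: List[Incident]) -> Dict[str, List[str]]:
    """Map each incident reference to its list of protocol gaps."""
    return {inc.ref: check_incident(inc) for inc in incidents}


def ipp4_share(incidents: List[Incident]) -> float:
    """Fraction of incidents cited under IPP 4 (Data Security), the deck's dominant category."""
    if not incidents:
        return 0.0
    return sum(1 for inc in incidents if inc.ipp == "IPP 4") / len(incidents)


# Constructed sample records (not real incidents).
T0 = datetime(2009, 7, 1, 9, 0)
SAMPLE = [
    # Reported in 10 min, contained, summary sent: compliant.
    Incident("INC-A", T0, T0 + timedelta(minutes=10), T0 + timedelta(minutes=20), True, "IPP 4"),
    # Reported after 50 min: 20 min past the window.
    Incident("INC-B", T0, T0 + timedelta(minutes=50), T0 + timedelta(minutes=60), True, "IPP 4"),
    # Never reported, no containment, no summary.
    Incident("INC-C", T0, None, None, False, "IPP 2"),
]

if __name__ == "__main__":
    for ref, gaps in triage(SAMPLE).items():
        print(ref, "OK" if not gaps else "; ".join(gaps))
    print(f"IPP 4 share: {ipp4_share(SAMPLE):.1%}")
```

Run as a script it prints one line per incident naming each obligation that was missed, which is the same view a regional coordinator would want when reviewing the quarter's incident register.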
17. Privacy Incidents by Region
[Chart: number of privacy incidents by region (Eastern, Gippsland, Loddon Mallee, Southern, Hume, Barwon Southwest, Grampians, North Western, Central); the values shown on the chart are 60, 20, 18, 12, 4, 2, 2, 2 and 2]
18. Why privacy incidents?
Division                                    No.
Regional & Executive Services                14
Strategic Planning & Projects                 0
Gaming & Racing                               1
Legal & Equity                                0
Police, Emergency Services & Corrections     85
Consumer Affairs                              4
Community Operations & Strategy              27
Courts                                        8
Non-Justice related                           4
Total                                       143
• Total of 143 since 2005
• The Department holds a large amount of personal and sensitive information in multiple databases and systems
• Increased reporting of incidents
• Large amount of sanctioned data sharing between DOJ, Police, DHS etc.
• Increased use of email and fax to send and receive information
19. Nature of DOJ privacy incidents
Categories of breach and complaint under IPP 4 (Data Security) make up 85.5% of all matters. Only 15 of the total 143 relate to matters other than IPP 4.
IPP 4 related categories:
• Inappropriate Access (e-Justice)
• Inappropriate Access (PIMS)
• Inappropriate Access to Other Database
• Inappropriate Collection
• Inappropriate Disclosure
• Inappropriate Email Access
• Inappropriate Phone Disclosure
• Incorrect Fax
• Incorrect Information
• Lost Information
• Wrong Email Address
Trends in Justice:
• Information Sharing / colocation
• Theft / Loss of items
• Incorrectly addressed emails & faxes
• Employee Misconduct
Threats worldwide:
• Social engineering
• Inadequate / Outdated Technology
• Exposure through web attack
• Employee misconduct
• Physical threats
21. You ought to be concerned if you…
• Downsize, retrench, relocate or collocate
• Outsource services such as couriers, mail-outs, debt recovery / WorkCover agents, data storage
• Have “Snoops & Leaks”
• Have staff who forward and circulate information widely
• Don’t know where your most sensitive information resides within your region
• Have a culture of Hoarders and “Chuckers”
• Have “home” workers
• Have audit recommendations not implemented
22. Flavours of a Privacy Breach: CV CCS
• A community work site received by fax 15 pages of full medical history for an offender, along with his community work contract.
• The offender had provided extensive medical documentation to support his claim that he required a light duty site, and no authority was given for this information to be provided to any other person or agency. The site supervisor clearly indicated that the information had been provided to him by a CCO who undertakes the Community Work Coordinator role.
• Confirmed that the document has been destroyed. The worksite supervisor has agreed to take on the offender regardless of the information received.
• The employee concerned will attend Privacy training.
23. Privacy Breach: CV Prison
• A prison officer picked up a number of sheets of paper off the ground within a prison compound, in an area accessible to visitors.
• The sheets contained a list of custodial staff members and their residential and mobile numbers.
• All master phone lists watermarked with a confidentiality message.
• Staff notified that their details were subject to potential access.
24. Privacy Breach: IMES
• A member of the public complained that he had received summaries of infringements and several notices from the Infringements Court / IMES. One notice refers to a due date in 1999, which IMES state is a configuration error (IPP 3).
• He also received a notice addressed to another person concerning their fine, which he said he has forwarded to him with his letter (IPP 4).
• Action taken against the contractor for the error on their part in the breach.
• Mail checking procedures revised.
25. Privacy Breach: Indigenous Issues Unit
• A member of the public complained that the Aboriginal Liaison Officer assisting him with fines in court had failed to protect his information from loss and unauthorised access (IPP 4.1).
• Executive Services has considered the contract, which suggests DOJ is treating the matter as a “state contract” as opposed to a mere funding agreement for Information Privacy Act purposes. However, it is not clear that DOJ has adequately passed its responsibility for privacy compliance on to the Co-op.
• Executive Services and IIU have made arrangements to discuss the matter with the Co-op with a view to resolving the complaint.
26. Privacy Breach: CAV
• A Residential Tenancies Inspector had a briefcase stolen from a vehicle boot.
• The briefcase contained 35 rent review files and personal information about 70 individuals.
• IPP 2 (disclosure) and IPP 4 (security).
• Individuals notified.
• Privacy compliance reminders issued to staff.
27. Policy relationships
[Diagram: the Information Security and Information Privacy Policy, linked by “Drive” arrows to the ICT & Physical Security Strategy, Taking Responsibility & Code of Conduct, Classification, Reasonable Personal Use policies and other policies]
28. Other Policies detailed
Policies
• Information Security Policy
• Personal Information Policy
• Information Privacy Complaint Handling Policy
• Inappropriate Access to Personal Information
• Clear Desk and Screen Policy
• ICT Security Policy Overview
• Fax Security Policy
Procedures
• Privacy Induction Manual
• Privacy Coordinators Operational Manual
• How do I… Undertake an Information Security Classification Process
29. Privacy Tools
Collection Statement Generator: Use for form and website design.
Privacy Impact Assessment: Use in projects.
Information Sharing Agreements: Use where there is bulk and routine release of information.
Privacy Clause S17(2), Contracted Service Providers: Require all third parties to comply with privacy laws.
Privacy Breach Protocol: Detect, and file an incident report to Exec Services.
Personal Information Consent Form: Use to ensure valid consents.
Annual Privacy Health Check: Do it once a year to assess vulnerabilities prior to incidents occurring.
31. Three things you can do straight away
• Check staff in your region know how to spot and report a privacy breach
• Assess vulnerabilities within your region prior to an incident occurring
• Engage staff and third parties across your region in building your privacy and security culture and maintaining the department's reputation as one of three global privacy leaders
32. Summary
• Privacy risk is worth managing
• Personal information is more than just electronic data
• Personal information loss and leakage is a risk to the department
• Move toward greater accountability and transparency within the regions and within Government, and the need to be ready with robust privacy controls (people, process, technologies)
• Privacy incident protection is more than just securing the system. People and culture are the key.
• Let’s end on a light note: people can be our strongest or weakest link