Tag Archives: Compliance resources

UK ICO: A how-to on scrubbing personal data

The UK Information Commissioner’s Office has released a new guide to help organisations avoid disclosing personal data by mistake when responding to information requests under the Data Protection Act 1998 and the Freedom of Information Act 2000.

Handy tips include:

  • hiding personal data in “hidden data fields” of the document is not good practice, and is an ineffective way of removing or masking personal data for the purposes of redaction.
  • when using a highlighter tool to mark text for someone else to redact, do not use a black highlighter. A different colour (e.g. yellow) should be used to clearly indicate which text requires redaction while still showing that the original text remains. For permanent redaction, organisations should use dedicated redaction software.
  • a large amount of metadata can be embedded within files (such as Word documents, spreadsheets and emails). If one intends to redact information such as the sender’s or recipients’ email addresses or part of the email subject, this information should also be removed from the metadata, or the metadata should be removed entirely.

Link (ICO): ICO Guide
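The metadata point above is the one most often missed in practice: a document whose visible text has been redacted can still name the author, the last editor or the original subject in its file properties. The following script is an added illustration (not ICO tooling, and not from the guide) of what that looks like for an Office Open XML package (.docx/.xlsx): it builds a constructed sample document in memory, lists the core-property fields that carry personal data, and rewrites the package with those fields removed while leaving the document body untouched. The sample author name and e-mail address are made up for this example.

```python
"""List and strip personal data from the core properties (docProps/core.xml) of an
Office Open XML package using only the Python standard library.
Illustrative example, not ICO tooling."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used in docProps/core.xml (OOXML core properties).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)  # keep the usual prefixes when re-serialising

CORE_PART = "docProps/core.xml"

# Core-property fields that routinely carry names, e-mail addresses or free text
# about people.  Timestamps (dcterms:created/modified) are left alone: they do not
# identify anyone and are often wanted for the audit trail.
PERSONAL_FIELDS = ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:subject",
                   "dc:description", "cp:keywords", "cp:category")


def _clark(qname: str) -> str:
    """Convert 'prefix:local' into ElementTree's '{uri}local' form."""
    prefix, local = qname.split(":")
    return "{%s}%s" % (NS[prefix], local)


def build_sample_docx() -> bytes:
    """Constructed sample package: a one-paragraph body plus a core.xml whose
    author fields hold an (invented) name and e-mail address."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
        'xmlns:dcterms="%(dcterms)s" xmlns:xsi="%(xsi)s">'
        '<dc:title>FOI response draft</dc:title>'
        '<dc:creator>jane.example@example.org</dc:creator>'
        '<cp:lastModifiedBy>Jane Example</cp:lastModifiedBy>'
        '<dcterms:created xsi:type="dcterms:W3CDTF">2015-03-01T09:00:00Z</dcterms:created>'
        '</cp:coreProperties>' % NS
    )
    body = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
        '<w:body><w:p><w:r><w:t>Redacted copy for release.</w:t></w:r></w:p></w:body>'
        '</w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(CORE_PART, core)
        z.writestr("word/document.xml", body)
    return buf.getvalue()


def read_part(docx_bytes: bytes, name: str) -> str:
    """Return one part of the package as text (used to confirm what changed)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return z.read(name).decode("utf-8")


def personal_metadata(docx_bytes: bytes) -> dict:
    """Return {field: value} for each personal core-property field that is present
    and non-empty, i.e. what would leave the organisation alongside the text."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if CORE_PART not in z.namelist():
            return {}
        root = ET.fromstring(z.read(CORE_PART))
    found = {}
    for field in PERSONAL_FIELDS:
        el = root.find(_clark(field))
        if el is not None and (el.text or "").strip():
            found[field] = el.text
    return found


def strip_personal_metadata(docx_bytes: bytes) -> bytes:
    """Rewrite the package with the personal core-property elements removed.
    Every other part, including the document body, is copied through unchanged."""
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = src.read(item.filename)
            if item.filename == CORE_PART:
                root = ET.fromstring(data)
                for field in PERSONAL_FIELDS:
                    for el in root.findall(_clark(field)):  # list copy, safe to remove from
                        root.remove(el)
                data = ET.tostring(root, encoding="utf-8", xml_declaration=True)
            dst.writestr(item, data)
    src.close()
    return out.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx()
    print("before:", personal_metadata(sample))
    print("after: ", personal_metadata(strip_personal_metadata(sample)))
```

Two caveats a practitioner should keep in mind: this only covers `docProps/core.xml`, whereas real packages may also carry `docProps/custom.xml`, comments, tracked changes and hidden runs inside the body, so the check is a useful pre-release gate rather than a substitute for the dedicated redaction software the guide recommends; and for PDFs and e-mails the equivalent fields live elsewhere (the Info dictionary and XMP stream, or the message headers), so the same check has to be repeated per format.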

Office of the Australian Information Commissioner updates guidance

The Office of the Australian Information Commissioner has released a new Privacy Management Framework and a check list to help organisations comply with the Australian Privacy Principles. The guidance outlines four ‘e’ steps to ensure good privacy governance:

  • embed leadership and governance arrangements to create a culture of privacy that values personal information
  • establish robust and effective privacy processes (e.g. training staff on their privacy obligations and developing a data breach response plan)
  • evaluate the adequacy and currency of the business’s existing privacy practices (e.g. by creating feedback channels for staff and customers), and
  • enhance (e.g. by commissioning an independent review to identify areas for improvement).

Among the tips on the check list are:

  • always consider doing a privacy impact assessment when developing a project that involves new or changed personal information handling practices
  • collect only the information you need
  • make that information accessible internally on a needs-to-know basis, and
  • have a data breach response plan ready to go.

The new tools followed the release by the Australian Information Commissioner of a survey into the adequacy of the on-line privacy policies of 20 Australian and international organisations within the finance, retail, government and media sectors.

The policies were evaluated against the requirements of Australian Privacy Principle One (APP1), which requires entities to have a privacy policy that is clearly expressed and up-to-date. The Commissioner found that 55% of those surveyed did not meet one or more of the content requirements under APP1.

Links: Privacy management framework and Ten tips to protect your customers’ personal information