The UK Information Commissioner’s Office has a released a new guide to help organisations not to disclose personal data by mistake when responding to information requests under the Data Protection Act 1998 and the Freedom of Information Act 2000.
Handy tips include:
- hiding personal data in “hidden data fields” of the document is not good practice, and is an ineffective way of removing or masking personal data for the purposes of redaction.
- when using a highlighter tool to mark text for someone else to redact, do not use a black highlighter. A different colour (eg yellow) should be used to clearly indicate which text requires redaction yet also show that the original text remains. Further, for permanent redaction, organisations should specific redaction software.
- a large amount of meta-data can be embedded within files (such as word documents, spreadsheets, and emails). If one intends to redact information such as the sender’s or recipients’ email address or part of the email subject, this information should also be removed from the meta-data or remove the meta-data entirely.
Link(ICO): ICO Guide
The Office of Australian Information Commissioner has developed a draft Guide to Developing a Data Breach Response Plan. The Commissioner notes that the cost to an organisation for a data breach can be significant and implementing a data breach response plan can assist in mitigating these costs.
The data breach response plan should cover things like:
- a strategy for assessing and containing data breaches – this includes the actions the response team should take in the event of a breach or suspected breach,
- a clear explanation of what constitutes a data breach, so that staff are able to identify one should a breach occur,
- the reporting line if staff do suspect a data breach, including who needs to be informed immediately,
- who is responsible for determining which other external stakeholders should be contacted (for example, law enforcement agencies, regulators and the media),
- recording data breaches – the organisation should consider how to record data breaches, including those that are not referred to the response team, and
- a strategy to identify and address any weaknesses in data handling that contributed to the breach.
While the Guide is not legally binding, the Commissioner has indicated that the preparation and implementation of a data breach response plan will likely to satisfy an organisation’s obligation under the Australian Privacy Act to take reasonable steps to protect the personal information that the entity hold from misuse, interference and loss, and from unauthorised access, modification or disclosure.
The closing date for comments is Friday 27 November 2015.
Link (OAIC): Guide to Developing a Data Breach Response Plan
The Office of the Australian Information Commissioner has released a new Privacy Management Framework and a check list to help organisations comply with the Australian Privacy Principles. The guidance outlines four ‘e’ steps to ensure good privacy governance:
- embed leadership and governance arrangements to create a culture of privacy that values personal information
- establish robust and effective privacy processes (e.g. training staff on their privacy obligations and developing a data breach response plan)
- evaluate the adequacy and currency of the business’s existing privacy practices (e.g. by creating feedback channels for staff and customers), and
- enhance (e.g. by commissioning an independent review to identify areas for improvement).
Among the tips on the check list are:
- always consider doing a privacy impact assessment when developing a project that involves new or changed personal information handling practices
- collect only the information you need
- make that information accessible internally on a needs-to-know basis, and
- have a data breach response plan ready to go.
The new tools followed the release by the Australian Information Commissioner of a survey into the adequacy of the on-line privacy policies of 20 Australian and international organisations within the finance, retail, government and media sectors.
Links: Privacy management framework and Ten tips to protect your customers’ personal information
The US Department of Justice has issued new guidance on how businesses should address the risk of data breaches, before, during, and after cyber intrusions. Among the recommendations are:
- before formulating a response plan, an organisation should first determine which data, assets, and services warrant the most protection, and
- the plan should be vetted by the organisation’s legal advisors to ensure that the organisation’s incident response activities remain on a firm legal footing.
Link: Department of Justice Guidance
The Privacy Commissioner has advised power companies to take “additional care” in how they look after the data collected by smart meters. They should inform consumers how the data will be used, and have “strong security standards to ensure information is transmitted safely online”.
Read the full Privacy Commissioner Case Note