• Save
Privacy presentation for regional directors july 2009
Upcoming SlideShare
Loading in...5

Privacy presentation for regional directors july 2009






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds


Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Privacy presentation for regional directors july 2009 Privacy presentation for regional directors july 2009 Presentation Transcript

  • Managing Privacy in the Department of Justice “Privacy Matters” Brent Carey Manager Privacy, Feedback & Whistleblowers
  • Learning Objectives Today you will hear about Victorian privacy requirements This session will better equip you to understand: •collection, use & disclosure, management and access to personal information • privacy incidents in the department, how to prevent, detect, recover and report • how the department is gaining a leading edge in global privacy best practices and where to go for privacy related help. “Privacy Matters”
  • Privacy Compliance is a risk management exercise Executives = risk Managers in part because everyday business presents them with a choice of opportunities for gain, loss, cooperation and conflict Victoria‟s privacy laws are designed to limit the risks of data loss/ fraud due to breaches of privacy and security and thereby help create a safer environment for investments in new technologies and service delivery “Privacy Matters”
  • World Economic Forum Global Risks 2009 “Privacy Matters”
  • Compliance with privacy laws guards against • Damaging the reputation of the Government, a Minister, a Secretary, a Senior Executive (Today/Tonight or Derryn Hinch test) • Compromising service delivery or care or leading to a loss of confidence • Re-assigning staff to repair and control • Incurring legal non compliance, financial penalties or costs • Undermining strategic priorities of a modern criminal justice system “Privacy Matters”
  • Privacy legislation Information Privacy Act State government agencies, local councils, Ministers & Statutory agencies Health Records Act Health information in Victorian public and private sectors, hospitals, doctors & employers. Federal Privacy Act 1988 Covers Federal Govt and much of the private sector Charter of Human Rights and Victorian Govt depts and agencies must act Responsibilities Act in a way that is compatible with human rights “Privacy Matters”
  • Privacy – Key definitions Personal information Recorded information about a living identifiable or easily identifiable individual. Health information Information able to be linked to a living or deceased person about a person‟s physical, mental or psychological health. Sensitive information Includes information about a person‟s race or ethnicity and criminal record. Is a photo personal information? Are details of a person‟s position and salary recorded on their personnel file? “Privacy Matters”
  • Relationship to other laws Privacy laws What they say Examples Information If there is, any inconsistency • Section 30 of the Privacy Act between the Information Corrections Act 1991. (section 6). Privacy Act and a provision in another Act, the other Act’s • Section 141 of the Fair provision prevails to the Trading Act 1999. extent of the inconsistency. Are you familiar with what your primary legislation states you can do with personal information? “Privacy Matters”
  • Privacy Basics Collection Minimise collection, collect only with authority, provide privacy notice Use Use only for the purpose for which collected Disclosure With Consent, or if disclosure is required to fulfil the purpose of collection Retention Information about Business decisions must be retained. Copies need to be disposed of securely Security Against risks eg unauthorised access, collection, use, disclosure and disposal Accuracy Decisions affecting an individual must be based on accurate and complete information “Privacy Matters”
  • Need some motivation about this time? • Are you the US Montana? “Privacy Matters”
  • Data Release versus Data Sharing You must You may if required by law… if allowed by law… Example: Example: the Police Regulation Act requires the Freedom of Information Act reporting of serious misconduct by allows disclosure upon a request members of the police force. being made unless an exempt document. “Privacy Matters”
  • You may disclose under IPP2 Under IPP2 you may disclose: to law enforcement agencies for the purpose of prevention, detection, • with consent. investigation, prosecution or punishment of criminal offences or breaches of a law. • if information is from a publicly available source. where the information is reasonably • information for statistical or research believed to be necessary to lessen or purposes; no identifiers. prevent a serious threat to public health / safety / welfare. • investigation of unlawful activity. • other reasons in IPP2. “Privacy Matters”
  • Consequences • A privacy breach occurs when there is unauthorized access to or collection, use, disclosure or disposal of personal information. • A privacy breach is not just about a mistake … it‟s about TRUST “Privacy Matters”
  • Take this moment in history Privacy incidents can just pop up Take this moment in history “Privacy Matters”
  • Cost of a Privacy Breach Formula • Total number of individuals affected by the breach multiply by – Downtime ( loss of productivity) – Staff Costs (indicated in hours) – additional post incident costs ( briefs, letters) – potential legal action (VCAT, Supreme Court, compensation) • Bottom line true cost of a privacy breach can be expensive “Privacy Matters”
  • DOJ Privacy Incident Protocol Reported within Alleged privacy 30 min via breach line management Provide summary Containment of complaint / measures at breach to location Privacy Team “Privacy Matters”
  • Privacy Incidents by Region 2 2 2 2 4 Eastern 12 Gippsland Loddon Mallee Southern 60 18 Hume Barwon Southwest Grampians North Western 20 Central “Privacy Matters”
  • Why privacy incidents? Division No. • Total of 143 since 2005 Regional & Executive Services 14 • The Department holds a large Strategic Planning & Projects 0 amount of personal & sensitive Gaming & Racing 1 information in multiple databases and systems Legal & Equity 0 Police, Emergency Services & Corrections 85 • Increased reporting of incidents Consumer Affaires 4 • Large amount of sanctioned data Community Operations & Strategy 27 sharing between DOJ, Police, DHS etc Courts 8 Non-Justice related 4 • Increased use of email & fax to send and receive information Total 143 “Privacy Matters”
  • Nature of DOJ privacy incidents Categories of breach and complaint under IPP4 Data Security make up 85.5% of all matters. Only 15 of the total 143 relate to matters other than IPP 4 Trends in Justice: IPP 4 related categories: Inappropriate Access (e-Justice) Information Sharing/ colocation Inappropriate Access (PIMS) Theft/ Loss of items Inappropriate Access to Other Database Incorrectly addressed emails & faxes Inappropriate Collection Inappropriate Disclosure Employee Misconduct Inappropriate Email Access Threats worldwide: Inappropriate Phone Disclosure Incorrect Fax Social engineering Incorrect Information Inadequate/Outdated Technology Lost Information Exposure through web attack Wrong Email Address Employee misconduct Physical threats “Privacy Matters”
  • Is your business vulnerable? “Privacy Matters”
  • You ought to be concerned if.. Downsize, retrench, relocate or collocate Outsource services such as couriers, mail-outs, debt recovery/ workcover agents, data storage „Snoops & Leaks‟ Staff who forward & circulate information widely Don‟t know where your most sensitive information resides within your region Have a culture of Hoarders and „Chuckers‟ Have „home‟ workers Have audit recommendations not implemented “Privacy Matters”
  • Flavours of a Privacy Breach: CV CCS • A community work site received by fax, 15 pages of full medical history for an offender along with his community work contract. • Offender had provided extensive medical documentation to support his claim that he required a light duty site and no authority was provided for this information to be provided to any other person or agency. The site supervisor clearly indicated that the information had been provided to him by a CCO who undertakes the Community Work Coordinator role. • Confirmed that document has been destroyed. Worksite supervisor has agreed to take on the offender regardless of information received. • Employee concerned will attend Privacy training. “Privacy Matters”
  • Privacy Breach: CV Prison • A prison officer picked up a number of sheets of paper off the ground within a prison compound in an area accessible to visitors. • Contained a list of custodial staff members and residential and mobile numbers. • All master phone lists watermarked with confidentiality message. • Staff notified that their details were subject to potential access. “Privacy Matters”
  • Privacy Breach: IMES • A member of the public complained that he had received summaries of infringements and several notices from Infringements Court /IMES. One notice refers to due date 1999 which IMES state is a configuration error (IPP 3). • He also received notice addressed to another person concerning their fine which he said he has forwarded to him with his letter (IPP 4). • Action taken against contractor for error on their part in the breach. • Mail checking procedures revised. “Privacy Matters”
  • Privacy Breach: Indigenous Issues Unit • Member of the public complained that Aboriginal Liaison Officer assisting him with fines in court has failed to protect his information from loss and unauthorised access. (IPP 4.1). • Executive Services has considered the contract which suggests DOJ is treating the matter as a „state contract‟ as apposed to a mere funding agreement for Information Privacy Act purposes. However it is not clear that DOJ has adequately passed its responsibility for privacy compliance onto the Co-op. • Executive Services and IIU have made arrangements to discuss the matter with the Co-op with a view to resolving the complaint. “Privacy Matters”
  • Privacy Breach: CAV • Residential Tenancies Inspector had briefcase stolen from vehicle boot. • Briefcase contained 35 rent review files and personal information about 70 individuals. • IPP 2 (disclosure) & IPP 4 (security). • Individuals notified. • Privacy compliance reminders issued to staff. “Privacy Matters”
  • Policy relationships ICT & Taking Responsibility & Code of Conduct Physical Security Strategy Drive Drive Information Security and Information Privacy Policy Drive Classification Other policies Reasonable Personal Use policies “Privacy Matters”
  • Other Policies detailed Policies • Information Security Policy • Personal Information Policy • Information Privacy Complaint Handling Policy • Inappropriate Access to Personal Information • Clear Desk and Screen Policy • ICT Security Policy Overview • Fax Security Policy Procedures • Privacy Induction Manual • Privacy Coordinators Operational Manual • How do I…. Undertake a Information Security Classification Process “Privacy Matters”
  • Privacy Tools Collection Statement Generator Use for form and website design Privacy Impact Assessment Use in Projects Information Sharing Agreements Use where bulk and routine release of information Privacy Clause S17(2) - Contracted Service Providers Require all third parties to comply with privacy laws Privacy Breach Protocol Detect, file incident report to Exec Services Personal Information Consent Form Use to ensure valid consents Annual Privacy Health Check Do it once a Year to assess vulnerabilities prior to incidents occurring “Privacy Matters”
  • Other Privacy Measures • Volunteer Privacy Coordinators (BU‟s) & Contact Officers (Prisons & CCS) “Eyes and Ears” • Privacy Training • Privacy e-Learning Module • Privacy FAQ & Factsheet Series • Privacy HelpDesk • Privacy Awareness Materials • Taking Responsibility Fax Sticker Campaign • “Whoops Sorry!” Email Campaign “Privacy Matters”
  • Three things you can do straight away • Check staff in your region know how to spot and report a privacy breach • Assess vulnerabilities within your region prior to an incident occurring • Engage staff and third parties across your region in building your privacy and security culture and maintaining the department's reputation as one of three global privacy leaders “Privacy Matters”
  • Summary • Privacy Risk is worth managing • Personal information is more than just electronic data • Personal Information loss and leakage is a risk to the department • Move toward greater accountability, transparency within the regions and within Govt and need to be ready with robust privacy controls ( people, process technologies • Privacy Incident protection is more than just securing the system. People and culture are the key. • Let‟s end on a light note: People can be our strongest or weakest link “Privacy Matters”