Privacy icms (handouts)


Published in: Technology, News & Politics

  1. Data Privacy and ICMS: “Privacy Matters”
  2. Learning Objectives
     Today you will hear about Victorian privacy requirements. This session will better equip you to understand:
     • privacy legislation & the definition of personal information;
     • data security procedures for responsibly handling production data; and
     • where to go for privacy and records management related help.
  3. What is information privacy?
     • Some control over who knows what about us.
     • About balancing:
       – the public interest in the free flow of information (to enable necessary government operations and services) with
       – the public interest in respecting privacy and protecting personal information of individuals.
  4. Privacy legislation
     • Information Privacy Act (Vic) 2000: State government agencies, local councils, Ministers & Statutory agencies.
     • Health Records Act (Vic) 2001: Health information in Victorian public and private sectors, hospitals, doctors & employers.
  5. Privacy – Key definitions
     • Personal information: Recorded information about a living identifiable or easily identifiable individual.
     • Health information: Information able to be linked to a living or deceased person about a person’s physical, mental or psychological health.
     • Sensitive information: Includes information about a person’s race or ethnicity and criminal record.
     Is a photo personal information? Are details of a person’s position and salary recorded on their personnel file?
  6. How does privacy relate to information security?
     Information Security is a component of privacy:
     • A secure approach facilitates access to, accuracy of and confidentiality of personal & health information so that the right people have the right information.
     Information Security is one of the 10 Information Privacy Principles (IPPs), IPP4:
     • An organisation must take reasonable steps to:
       – (4.1) protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.
       – (4.2) destroy or permanently de-identify personal information if it is no longer needed for any purpose.
  7. Meaning of ‘reasonable steps’
     The meaning of ‘reasonable steps’ is context dependent:
     • if the risk of a privacy breach is of sufficient concern; and
     • the means of providing better protection are known and feasible;
     but the organisation does not act on this awareness; then reasonable steps have not been taken.
  8. What might constitute reasonable steps in systems?
     • Typical reasonable steps for systems:
       – effective access control based on a manageable number of roles;
       – meaningful audit trails to the level of detail deemed necessary, e.g. single person look-up events, change of location events, remote access events & large access events;
       – all users to be suitably trained to ensure that authorised parties are fully aware of their privacy responsibilities;
       – data encryption as appropriate;
       – well managed and monitored data connections (e.g. with other DoJ, contractors or VicPol);
       – informed, involved contract management of service providers (s17 IPA re outsourcing);
       – reporting incidents of privacy breaches.
  9. Reasonable steps for ICMS systems
     You must:
     • Follow ICMS procedure
     • Anonymise or de-identify data early & wherever possible
     • Secure production data by lock and key
     • Dispose of hard and soft copy information securely
     • Expect to be able to justify your use of data
     You must not:
     • Leave production data in an unsecured environment
     • Email production data
     • Keep copies of production data longer than necessary
  10. De-identification messages
     • De-identifying data is considered a leading practice, and is also legislated in regulations such as the Information Privacy Act.
     • There are several options for de-identifying data, both operational and automated. These include:
       – Data deletion
       – Data Mixing
       – Data replacement
       – Data Substitution
       – Encryption
       – Interjecting Unrelated Text
       – Modifying Numerical Data
       – Using an Isolated Testing Environment
     • Whatever de-identification method you use, you need to make sure the de-identification results are appropriate for the context of the application being tested, and must make sense to the person reviewing the test results.
  11. Remaining key privacy considerations
     • Collection (IPPs 8, 1, and 10): Collect only what you need. Do it lawfully, fairly, directly and not unreasonably intrusively. Tell people you are doing it and why. Be extra careful with sensitive information.
     • Use and Disclosure (IPPs 2 and 9): Use and disclose personal information for the reason you collected it. Other public interest reasons, e.g. law enforcement, personal safety, permit use and disclosure. Properly obtained consent allows any use or disclosure. If a person’s personal information travels interstate or overseas it must be protected by Victoria’s standards.
  12. Remaining key privacy considerations
     Access & Correction (IPP6 & FOI Act)
     • People have a right to access & correct personal information.
     • Assume people will see what you write.
     • If involved in discovering documents respond promptly.
     Management (IPPs 3, 4, 5 & 7)
     • Keep personal information accurate & secure.
     • Follow Departmental policies.
  13. Where to go for help?
     • Privacy, Freedom of Information & Records Management materials are on J-NET>Our Business>Knowledge Management
     • Each of the Dept’s business units has a Privacy Coordinator:
       – Court Services - Susan Brent 9603 9456
       – ICMS – Jim Paterson 9093 8430
     • Brent Carey, Senior Privacy Adviser can be contacted on 8684 0071 or by e-mail
     • EDRMS (records) helpdesk 8684 0555; the FOI unit 8684 0063
     • Privacy Victoria 8619 8719
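
The de-identification options on slide 10 (data substitution, modifying numerical data, data deletion), sketched as an added Python example that is not part of the original handout. The field names, sample rows and key are constructed assumptions; the final check reflects the slide's point that results must still make sense for the application being tested.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample rows standing in for production data (no real people).
PRODUCTION_ROWS = [
    {"case_id": "C-1001", "name": "Alex Example", "dob": date(1980, 5, 17),
     "fine_amount": 250.00, "notes": "rang about payment plan"},
    {"case_id": "C-1002", "name": "Alex Example", "dob": date(1980, 5, 17),
     "fine_amount": 1200.50, "notes": "new address supplied"},
    {"case_id": "C-1003", "name": "Sam Sample", "dob": date(1975, 11, 2),
     "fine_amount": 80.00, "notes": "employer contacted"},
]
DEMO_KEY = b"constructed-demo-key"  # assumption: real key stays with the data owner


def _keyed_number(key: bytes, value: str) -> int:
    """Keyed hash: pseudonyms cannot be recomputed from known names without the key."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def deidentify(row: dict, key: bytes = DEMO_KEY) -> dict:
    """Return a test-safe copy of one record; the input row is not modified."""
    k = _keyed_number(key, f"{row['name']}|{row['dob'].isoformat()}")
    return {
        "case_id": row["case_id"],  # assumed to be a non-identifying system key
        # Data substitution: the same person always maps to the same pseudonym,
        # so tests that group or join by person still behave sensibly.
        "name": f"Person-{k % 16**8:08x}",
        # Modifying numerical data: shift the date by up to a year either way
        # and scale the amount by up to 10%, keeping values plausible.
        "dob": row["dob"] + timedelta(days=k % 731 - 365),
        "fine_amount": round(row["fine_amount"] * (0.9 + (k % 201) / 1000), 2),
        "notes": "",  # data deletion: free text can hold anything identifying
    }


def leaked_values(originals: list, masked: list) -> list:
    """List original names or notes that still appear anywhere in the output."""
    output = " ".join(str(v) for row in masked for v in row.values())
    risky = {r["name"] for r in originals} | {r["notes"] for r in originals}
    return sorted(v for v in risky if v and v in output)


TEST_ROWS = [deidentify(r) for r in PRODUCTION_ROWS]
```

Running `leaked_values(PRODUCTION_ROWS, TEST_ROWS)` before handing data to a test environment gives a quick check that no original name or note survived the transformation.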