Privacy presentation for regional directors july 2009
Managing Privacy in
the Department of Justice
Manager Privacy, Feedback & Whistleblowers
Today you will hear about Victorian privacy
This session will better equip you to understand:
•collection, use & disclosure, management
and access to personal information
• privacy incidents in the department, how to
prevent, detect, recover and report
• how the department is gaining a leading edge
in global privacy best practices and where to
go for privacy related help.
Privacy Compliance is a risk
Executives = risk
Managers in part because
everyday business presents them
with a choice of opportunities for
gain, loss, cooperation and conflict
Victoria‟s privacy laws are designed to
limit the risks of data loss/ fraud due to breaches
of privacy and security and thereby
help create a safer environment for
investments in new technologies and
World Economic Forum Global Risks
Compliance with privacy laws guards against
• Damaging the reputation of the Government, a Minister, a
Secretary, a Senior Executive (Today/Tonight or Derryn Hinch test)
• Compromising service delivery or care or leading to a loss of
• Re-assigning staff to repair and control
• Incurring legal non compliance, financial penalties or costs
• Undermining strategic priorities of a modern criminal justice system
Information Privacy Act State government agencies, local councils,
Ministers & Statutory agencies
Health Records Act Health information in Victorian public and
private sectors, hospitals, doctors &
Federal Privacy Act 1988 Covers Federal Govt and much of the private
Charter of Human Rights and Victorian Govt depts and agencies must act
Responsibilities Act in a way that is compatible with human
Privacy – Key definitions
Personal information Recorded information about a living
identifiable or easily identifiable
Health information Information able to be linked to a living or
deceased person about a person‟s physical,
mental or psychological health.
Sensitive information Includes information about a person‟s race
or ethnicity and criminal record.
Is a photo personal information? Are details of a person‟s position and salary
recorded on their personnel file?
Relationship to other laws
Privacy laws What they say Examples
Information If there is, any inconsistency • Section 30 of the
Privacy Act between the Information Corrections Act 1991.
(section 6). Privacy Act and a provision in
another Act, the other Act’s • Section 141 of the Fair
provision prevails to the Trading Act 1999.
extent of the inconsistency.
Are you familiar with what your primary legislation states you
can do with personal information?
Collection Minimise collection, collect only with authority,
provide privacy notice
Use Use only for the purpose for which collected
Disclosure With Consent, or if disclosure is required to fulfil the
purpose of collection
Retention Information about Business decisions must be
retained. Copies need to be disposed of securely
Security Against risks eg unauthorised access, collection, use,
disclosure and disposal
Accuracy Decisions affecting an individual must be based on
accurate and complete information
Need some motivation about this time?
• Are you the US Montana?
Data Release versus Data Sharing
You must You may
if required by law… if allowed by law…
the Police Regulation Act requires the Freedom of Information Act
reporting of serious misconduct by allows disclosure upon a request
members of the police force. being made unless an exempt
You may disclose under IPP2
Under IPP2 you may disclose: to law enforcement agencies for the
purpose of prevention, detection,
• with consent. investigation, prosecution or
punishment of criminal offences or
breaches of a law.
• if information is from a publicly
where the information is reasonably
• information for statistical or research believed to be necessary to lessen or
purposes; no identifiers. prevent a serious threat to public
health / safety / welfare.
• investigation of unlawful activity.
• other reasons in IPP2.
• A privacy breach occurs when
there is unauthorized access to
or collection, use, disclosure or
disposal of personal
• A privacy breach is not
just about a mistake …
it‟s about TRUST
Take this moment in history
Privacy incidents can just pop up
Take this moment in history
Cost of a Privacy Breach Formula
• Total number of individuals affected by the breach
– Downtime ( loss of productivity)
– Staff Costs (indicated in hours)
– additional post incident costs ( briefs, letters)
– potential legal action (VCAT, Supreme Court,
• Bottom line true cost of a privacy breach can be
DOJ Privacy Incident Protocol
30 min via
Provide summary Containment
of complaint / measures at
breach to location
Privacy Incidents by Region
2 2 2
Why privacy incidents?
Division No. • Total of 143 since 2005
Regional & Executive Services 14
• The Department holds a large
Strategic Planning & Projects 0 amount of personal & sensitive
Gaming & Racing 1
information in multiple databases and
Legal & Equity 0
Police, Emergency Services & Corrections 85
• Increased reporting of incidents
Consumer Affaires 4 • Large amount of sanctioned data
Community Operations & Strategy 27 sharing between DOJ, Police, DHS
Non-Justice related 4 • Increased use of email & fax to send
and receive information
Nature of DOJ privacy incidents
Categories of breach and complaint under IPP4 Data Security make
up 85.5% of all matters. Only 15 of the total 143 relate to matters
other than IPP 4
Trends in Justice:
IPP 4 related categories:
Inappropriate Access (e-Justice) Information Sharing/ colocation
Inappropriate Access (PIMS) Theft/ Loss of items
Inappropriate Access to Other Database
Incorrectly addressed emails & faxes
Inappropriate Disclosure Employee Misconduct
Inappropriate Email Access Threats worldwide:
Inappropriate Phone Disclosure
Incorrect Fax Social engineering
Incorrect Information Inadequate/Outdated Technology
Lost Information Exposure through web attack
Wrong Email Address
Is your business vulnerable?
You ought to be concerned if..
Downsize, retrench, relocate or collocate
Outsource services such as couriers, mail-outs, debt recovery/ workcover
agents, data storage
„Snoops & Leaks‟
Staff who forward & circulate information widely
Don‟t know where your most sensitive information resides within your
Have a culture of Hoarders and „Chuckers‟
Have „home‟ workers
Have audit recommendations not implemented
Flavours of a Privacy Breach: CV CCS
• A community work site received by fax, 15 pages of full medical history for
an offender along with his community work contract.
• Offender had provided extensive medical documentation to support his
claim that he required a light duty site and no authority was provided for
this information to be provided to any other person or agency. The site
supervisor clearly indicated that the information had been provided to him
by a CCO who undertakes the Community Work Coordinator role.
• Confirmed that document has been destroyed. Worksite supervisor has
agreed to take on the offender regardless of information received.
• Employee concerned will attend Privacy training.
Privacy Breach: CV Prison
• A prison officer picked up a number of sheets of paper off the ground
within a prison compound in an area accessible to visitors.
• Contained a list of custodial staff members and residential and mobile
• All master phone lists watermarked with confidentiality message.
• Staff notified that their details were subject to potential access.
Privacy Breach: IMES
• A member of the public complained that he had received summaries of
infringements and several notices from Infringements Court /IMES. One
notice refers to due date 1999 which IMES state is a configuration error
• He also received notice addressed to another person concerning their fine
which he said he has forwarded to him with his letter (IPP 4).
• Action taken against contractor for error on their part in the breach.
• Mail checking procedures revised.
Privacy Breach: Indigenous Issues Unit
• Member of the public complained that Aboriginal Liaison Officer assisting him
with fines in court has failed to protect his information from loss and unauthorised
access. (IPP 4.1).
• Executive Services has considered the contract which suggests DOJ is treating the
matter as a „state contract‟ as apposed to a mere funding agreement for
Information Privacy Act purposes. However it is not clear that DOJ has
adequately passed its responsibility for privacy compliance onto the Co-op.
• Executive Services and IIU have made arrangements to discuss the matter with
the Co-op with a view to resolving the complaint.
Privacy Breach: CAV
• Residential Tenancies Inspector had briefcase stolen from
• Briefcase contained 35 rent review files and personal
information about 70 individuals.
• IPP 2 (disclosure) & IPP 4 (security).
• Individuals notified.
• Privacy compliance reminders issued to staff.
Taking Responsibility & Code of Conduct
Physical Security Strategy
Classification Other policies
Reasonable Personal Use
Other Policies detailed
• Information Security Policy
• Personal Information Policy
• Information Privacy Complaint Handling Policy
• Inappropriate Access to Personal Information
• Clear Desk and Screen Policy
• ICT Security Policy Overview
• Fax Security Policy
• Privacy Induction Manual
• Privacy Coordinators Operational Manual
• How do I…. Undertake a Information Security Classification Process
Collection Statement Generator
Use for form and website design
Privacy Impact Assessment
Use in Projects
Information Sharing Agreements
Use where bulk and routine release of information
Privacy Clause S17(2) - Contracted Service Providers
Require all third parties to comply with privacy laws
Privacy Breach Protocol
Detect, file incident report to Exec Services
Personal Information Consent Form
Use to ensure valid consents
Annual Privacy Health Check
Do it once a Year to assess vulnerabilities prior to incidents occurring
Three things you can do straight away
• Check staff in your region know how to spot and
report a privacy breach
• Assess vulnerabilities within your region prior to an
• Engage staff and third parties across your region in
building your privacy and security culture and
maintaining the department's reputation as one of
three global privacy leaders
• Privacy Risk is worth managing
• Personal information is more than just electronic data
• Personal Information loss and leakage is a risk to the
• Move toward greater accountability, transparency within the
regions and within Govt and need to be ready with robust
privacy controls ( people, process technologies
• Privacy Incident protection is more than just securing the
system. People and culture are the key.
• Let‟s end on a light note: People can be our strongest or