BEST PRACTICE GUIDELINES
Controls over the Security of Personal Information
OVERVIEW OF CONTENTS

Roger Clarke

Principal, Xamax Consultancy Pty Ltd, Canberra

Visiting Fellow, Department of Computer Science, Australian National University

Version of 13 September 1993

© Xamax Consultancy Pty Ltd, 1993

This paper was prepared as part of a consultancy assignment for an Australian government agency. The agency has agreed to it being made publicly available on Xamax Consultancy's community service pages.

This document is at http://www.anu.edu.au/people/Roger.Clarke/DV/PDSecy.html


EXECUTIVE INTRODUCTION & SUMMARY

Introduction

Information security has always been an important concern of government agencies. Security risks have generally been assessed, and protections devised, implemented, monitored and audited, with the needs of the particular agency in mind. There are, however, other 'stakeholders' which have an interest in the security of the information held by each particular agency. For example, the information may have implications for national security or relations with other countries; companies may be concerned that commercial-in-confidence information they provide to an agency not become available to other organisations; and where other agencies are the sources of information, they may also expect limitations to be placed on its dissemination.

During the last three decades, an additional factor has become important. Individuals about whom agencies hold information are also stakeholders, and have an interest in all aspects of that information and its handling. The Annex contains background information on the information privacy issue. In 1988, the Commonwealth Parliament enacted within the Privacy Act a framework within which an appropriate balance between personal privacy and other interests is to be achieved. The Best Practice Guidelines contained within this document are intended to assist agencies to comply with one particular aspect of privacy requirements: the security of personal information.

Agency Obligations in Relation to Privacy and Security

Various statutes contain provisions relating to privacy and security of personal information, and a number of other laws provide incidental protections. For a discussion of these, see the Annex to this document. This section focusses on the major statute, the Privacy Act 1988.

Most nations in Australia's reference group enacted privacy or data protection legislation during the fifteen years after 1970. The Commonwealth Privacy Act 1988 imposed a wide range of quite specific obligations on agencies of the Commonwealth Government, in a manner generally consistent with the OECD Guidelines. Its key provisions are:

Subsequent to the passage of that Act, a considerable amount of additional law has been created, and the Privacy Commissioner's responsibilities significantly extended. Areas in which this has occurred include spent convictions, credit reporting, data matching, and the Medicare and pharmaceutical benefits programs. In addition, provisions of other statutes are relevant to privacy regulation, including the Public Service Act, the Crimes Act, the Archives Act, and the Acts governing each particular agency's operations.

Definitions and Scope

This section defines key terms used in these Best Practice Guidelines, and explains the subject-matter to which they apply.

Neither privacy nor information privacy is defined in Australian law. In order to establish controls, it is convenient to have a working definition, and the following is used in this document:

Information Privacy is the interest that individuals have in knowing about, and controlling, or at least constraining, the handling of personal information about themselves, including its collection, storage, dissemination and use.

Security is defined, for the purposes of this document, as:

  1. protections against unauthorised use of, access to or disclosure of personal information, including measures designed to prevent, to detect and to enable investigation of unauthorised use, access and disclosure; and
  2. assurance of the appropriateness of information-handling procedures in achieving those aims.

This interpretation reflects IPP 4 of the Privacy Act 1988, which requires that records be protected by "security safeguards" against loss, against unauthorised access, use, modification or disclosure, and against other misuse.

The term 'use' is interpreted as referring to the employment of the information, for any purpose, by an officer or agent of an agency. The term 'access' is used as a general term, encompassing internal access, external access, and disclosure. 'Internal access' means the communication of information to an officer or agent of the agency. Where information is communicated to some other person or organisation at the initiative of the other party, then it is 'external access', whereas if it is initiated by the agency, then it is 'disclosure'.

In some contexts, the term 'security' is interpreted more broadly, to also encompass protections against unauthorised creation, amendment and deletion of personal information, including measures designed to prevent, to detect and to enable the investigation of each of those abuses. Such protections are closely related to this document, but are not included within its scope.

It is noted that IPP 3 requires that information which is solicited be relevant to the purpose of collection, accurate, up to date and complete, that IPPs 8 and 9 extend these requirements to the point of use, and that IPP 7 enables a data subject to enforce maintenance of the records to sustain these standards. For the purposes of this document, however, these data integrity and quality issues are excluded from the meaning of security.

The related term 'confidentiality' is capable of varying interpretations. In this document it means "full trust; belief in the trustworthiness or reliability of a person" (Macquarie p.397), and refers to limitations on the communicability of information, based on the nature of the relationship between the person to whom the information relates and the organisation holding it.

The Privacy Act applies to all records containing information about an identifiable person. The scope of these Best Practice Guidelines is, however, confidential client information. Although the principles are also relevant to data held about agency officers, these Guidelines do not specifically address employee-related data.

Philosophy Underlying These Best Practice Guidelines

Information privacy is concerned with limitations on collection, use and dissemination of personal information, and 'end-to-end' quality in its handling. The Australian Parliament has recognised the concern of Australians that their information privacy be protected. It is therefore a requirement of agencies of the Commonwealth Government that they conceive, design and conduct their programs in privacy-sensitive ways.

Privacy is not an absolute value, however. It conflicts with a variety of other important interests, particularly freedom of information, public safety, fiscal propriety and administrative efficiency. Privacy protection is therefore an exercise in avoiding conflicts where this is practicable, and where it is not, in achieving a balance against other values. This requires the careful structuring of systems to establish the appropriate conditions for privacy-sensitive administration, and privacy-awareness in the handling of specific instances.

These Best Practice Guidelines have been prepared with the intention of:

  1. assisting agencies to better appreciate the requirements in relation to one key aspect of privacy: the security of personal information held by agencies; and
  2. ensuring agencies' policies, procedures and practices comply with privacy law.

Summary

The Guidelines comprise three components:


ACTION POINTS FOR EXECUTIVES


Contents

THE FRAMEWORK FOR PROTECTING INFORMATION SECURITY

Introduction
Strategic Level
Operational Level

THE METHOD FOR IMPLEMENTING THE FRAMEWORK

Introduction
Step 1: Establish the Foundation
Step 2: Plan the Security Measures
Step 3: Implement the Security Measures
Step 4: Sustain the Security Measures
Conclusion

APPENDICES

  1. Organisational Infrastructure Checklist
     1.1 The 'Need to Know' Principle
     1.2 Logical Identity Control Checklist
     1.3 Password Control Checklist
  2. Programme Design Process Controls Checklist
     2.1 Audit Trail of Personal Information Accesses
  3. Technical Infrastructure Controls Checklist
  4. Programme-Specific Procedural Controls Checklist
  5. Programme-Specific Technological Measures Checklist
  6. Risk Factors Checklist

BIBLIOGRAPHY
ANNEX: A BACKGROUND BRIEFING ON PRIVACY


Created: 10 May 1998

Last Amended: 10 May 1998


These community service pages are a joint offering of the Australian National University (which provides the infrastructure), and Roger Clarke (who provides the content).
The Australian National University
Visiting Fellow, Faculty of Engineering and Information Technology,
Information Sciences Building, Room 211

Xamax Consultancy Pty Ltd, ACN: 002 360 456
78 Sidaway St, Chapman ACT 2611, AUSTRALIA
Tel: +61 6 288 6916  Fax: +61 6 288 1472