Katrine Evans: - PowerPoint PPT Presentation

Slides: 20
Provided by: stephan103
Transcript and Presenter's Notes

Title: Katrine Evans:


1
(No Transcript)
2
  • Katrine Evans
  • Current issues
  • Key themes in enquiries and complaints
  • Privacy at work
  • Neil Sanson
  • Risk
  • Data breach guidelines
  • Data encryption
  • Combining datasets

3
Just a few of our current issues
  • Code making: review of the Credit Reporting
    Privacy Code
  • Policy: comments on the Immigration Bill
  • Technology: layered privacy notice project
  • Information matching: encryption
  • International: implementation of APEC Privacy
    Framework, e.g. through trustmarks
  • Privacy (Cross-Border) Amendment Bill

4
Personal affairs
  • Section 56 of the Privacy Act

5
(No Transcript)
6
Protecting information on portable media
  • Principle 5

7
(No Transcript)
8
Preventing employee browsing
  • Principle 5 again

9
(No Transcript)
10
PRIVACY AT WORK
11
  • 66% involved data the victim did not know was on
    the system
  • 75% of breaches were not discovered by the victim
  • 83% of attacks were not highly difficult
  • 85% of breaches were the result of opportunistic
    attacks
  • 87% were considered avoidable through reasonable
    controls
http://www.verizonbusiness.com/resources/security/databreachreport.pdf
12
the length of time between the attacker's initial entry into the corporate network and the compromise of information is relatively short. this was accomplished within minutes or hours in just under half of cases investigated.

In sharp contrast, it takes much longer for organizations to discover a compromise. Months or even years transpired...

http://www.verizonbusiness.com/resources/security/databreachreport.pdf
13
Companies that carry out formal risk assessment
are twice as likely to detect unauthorised access
by staff or attacks on network traffic and nearly
four times as likely to detect identity theft as
those that do not.
http://www.berr.gov.uk/files/file45714.pdf
14
Decisions should take account of the wider
context of the risk and include consideration of
the tolerability of the risks borne by parties
other than the organisation that benefits from
it. 3.5
15
http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf
16
Cost to Victim
  • existing accounts - 550.38
  • new accounts - 1,865.27
Cost to Business 48,941.11
Victim hours repairing
  • existing accounts 116 hours
  • new accounts 157.87 hours
49 repaired in 6 months
http://www.idtheftcenter.org/artman2/uploads/1/Aftermath_2007_20080529v2_1.pdf
17
Privacy Breach Guidelines
What is a privacy breach?
  • Unauthorised access to or collection, use,
    or disclosure of personal information
  • Most common privacy breaches happen
    when personal information of customers,
    patients, clients or employees is stolen,
    lost or mistakenly disclosed
  • http://www.privacy.org.nz/privacy-breach-guidelines-2/

18
Data Encryption
  • Required for data transfers
    - physical media mostly now done
    - on-line transfers are under review
    - Government Shared Network (GSN) expect
      encryption
  • Can you call it professional if you are not
    taking steps to protect data?

19
Combining Datasets
  • Privacy Act as guidance when combining datasets