Education, awareness needed on data security

PUBLISHED : Tuesday, 06 May, 2008, 12:00am
UPDATED : Tuesday, 06 May, 2008, 12:00am

The privacy commissioner for personal data recently reminded the public and private sectors of their responsibilities when handling personal data for implementing stringent procedures, security safeguards and encryption of electronic data.

He was prompted to do so by the loss of the personal details of patients of a child health assessment centre, stored on a removable electronic storage device which had apparently been stolen. His reminder is reinforced by the disclosure yesterday of seven more cases of lost data on about 6,000 patients at five public hospitals.

It may be timely, given that our personal details are stored electronically throughout the government and private sector. Such incidents may be only the tip of an iceberg. They show how easily our privacy can be put at risk by lax compliance with the letter of the privacy laws.

For example, they are mostly blamed on the theft of IT equipment - effectively security lapses by data users. As well, the personal details of about 1,000 hospital patients were not protected by a password.

This is a reminder that corporate statements of privacy policy are only as good as the weakest link in the chain - human failing. Therefore, there is no reason to suppose that such lapses are not to be found elsewhere in the public and private sectors. Hence the commissioner's warning to both.

Modern technology has added flexibility and portability to data storage that have enhanced productivity. But it also increases the burden of responsibility on the data user to protect against loss, unauthorised or accidental access, and ensure there is no harm to individuals. Government and corporations should be mindful of the need for ongoing education in and awareness of data security principles if they are to uphold respect for privacy.

Contravention of data protection principles only becomes a criminal offence after failure to comply with an enforcement notice issued by the commissioner. By then, as the latest leaks show, it can be too late to protect people's privacy and prevent the harm leaks can cause.