Thursday, May 02, 2013

The Privacy Commissioner Is Providing Some Useful Information For All Businesses Including Health Care Businesses.

This article appeared a couple of days ago.

Privacy Commissioner launches Guide to Information Security

Guide covers governance, ICT security, data breaches, physical security and standards
The Office of the Australian Information Commissioner’s Privacy Week has begun in earnest with the unveiling of a Guide to Information Security in Sydney today.
Privacy Commissioner Timothy Pilgrim told delegates at a breakfast briefing that the Guide includes a list of non-exhaustive steps which would be reasonable for an entity to take before new Australian Privacy Principles (APP) reforms take place in March 2014.
The reforms update the Privacy Act 1988 and include changes to how personal information is handled, such as when it can be used for direct marketing and sent overseas.
Commenting on the Guide, Pilgrim said that if an organisation mishandles the personal information of its customers it risks loss of trust and considerable harm to the company’s reputation.
“This can also lead to loss of customers and an impact on the organisation’s ability to function,” he said.
Lots more here:
The article also provided some useful links to some background from Computerworld.
At the same briefing there was also another clear message. Business is not actually ready yet and time is running out.

A privacy time bomb

Reading through the government’s newly released guide to information security, especially with the changes to the Australian Privacy Act looming over the horizon, requires sorting through a mess of peculiar acronyms, extended dot points and open-ended questions.
Needless to say, it’s a complex document and it’s thorough. And perhaps this is just the kind of document needed to ensure that companies can’t wriggle out of their obligations when they are stung with a data breach. But could the complexity of the document prove to be its downfall? And are Australian businesses in urgent need of a wake-up call when it comes to data protection?
Well the changes afoot are daunting so perhaps some simplification is in order. But with less than a year to go before the reforms take effect many organisations are seemingly twiddling their thumbs; a prospect that won't fill Australian consumers with any confidence.  
A survey of Australian business and government agencies commissioned by internet security company McAfee has found that 59 per cent of employees responsible for managing the personal information of customers were unaware or unsure of the changes.
While the Attorney-General Mark Dreyfus and the Privacy Commissioner Timothy Pilgrim spent a lot of time yesterday blowing the bugle of impending change, it looks like many organisations are destined to end up on the wrong side of a data breach.
Lots more here:
There is a clear warning here for Health Information custodians and users. The rules are changing and you need to be across just what it means for you. A browse of the Office of the Australian Information Commissioner's website is a very good place to start.


Anonymous said...

Judging by the comments, or lack thereof, on the topic of Privacy, you can only conclude that people that read this blog are totally unaware of the importance of Patient Privacy.

It appears that healthcare professionals will only wake up when class actions commence against them and their reputation is so damaged that their practices close.

A bit late then, I feel.

Anonymous said...

That's not the only conclusion to be drawn.

Another equally plausible conclusion is that the "contributors" understand the "targeted" readers don't give a s#@t about patients' privacy as they are geared up and destined to actively "violate" it themselves in mining patient data.

There may well be eventual class actions, but the crown is already immune from these hence their blatant disregard and disinterest in supporting "patient privacy".

Enrico Coiera said...

There is also another explanation, which is that the debate on what is private, and what can securely be kept private online, is in flux.

Consider this recent paper in Science which shows that some individuals can be re-identified JUST FROM THEIR DNA.

Think that through .....

Equally, there is a younger generation, brought up on social media, who demonstrably have different views on privacy to mine.

I come from a generation that expects and demands privacy, and no-one more for me than for my medical data. But I don't understand how I can guarantee that technically, and I don't see an emerging generation sharing my views.

Let us do all we can to protect the privacy of those individuals who seek it, but let us also be under no illusion that there is any guarantee that privacy is either prima facie guaranteeable technically, or that society as a whole would be willing to pay for the technical and procedural system that brings strong privacy into being.

What does it mean in the short term? I assume it means that if you are a service provider, you must provide security to any data you hold, at a level commensurate with the law, but recognise that this provides no guarantee that your data will not be harvested illegally by an intruder. Equally you should be under no illusion that anyone who harvests data in a de-identified fashion with your permission, cannot readily re-identify that data for a good chunk of your patients. Even if you do the right thing ...

It is a VERY complex space, rapidly changing in the last 18 months, and I suspect it will be fluid for quite a while, independent of whatever any government can try to do.