
Friday, January 23, 2009

Privacy with Internet Communications and Collaboration

When using the Internet to communicate and collaborate, we must be aware that at certain times we need to protect our own privacy and the privacy of those we are collaborating with.

There are strict rules governing the privacy of information collected by organisations, yet for smaller operators the guidelines in Australia are not so set in concrete.

The private sector provisions of the Privacy Act apply to organisations (including not-for-profits) with an annual turnover of more than $3 million. The provisions also apply to all health service providers regardless of turnover and some small businesses with an annual turnover of $3 million or less. (Privacy Commission, 2009)

 

Small businesses with a turnover of $3 million or less are also covered if they are:

  • a health service provider?
  • trading in personal information?
  • related to a larger business?
  • a contractor to Commonwealth agencies?
  • a reporting entity for the purpose of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (AML/CTF Act)?
  • an operator of a residential tenancy database? (Privacy Commission, 2009)

Even if your business does not fall into any of these categories, you have the option to opt in to the National Privacy Principles by completing an application to the Privacy Commissioner.

 

The Technical Realities of E-mail Use and Privacy

The Australian Privacy Commissioner's guidelines advise that:

Most e-mail is insecure. It should be regarded as insecure unless it has been encoded or encrypted. E-mail is often compared to a postcard in that anyone who receives it can read it. E-mail may also be read if it is stored on servers during transmission.

E-mails are hard to destroy. Many people think that if they delete their e-mail it is gone forever. This is not so as most electronic documents are backed up and recoverable.

Logging. Most software used to operate networks, including web servers, mail servers and gateways, logs transactions and communications. These logs will normally include the e-mail addresses of senders and recipients of e-mail and the time of transmission. The content of e-mails themselves would not normally be logged but may be stored on mail servers. Similarly, web server logs record information on the sites that people visit. The keeping of these logs is usually necessary for the routine maintenance and management of networks and systems. System administrators are also capable of reading the contents of e-mails sent and received by the corporate network. (Australian Privacy Commission, 2000)

This is only a basic view published by the Commissioner. There is also the issue of the forward function of an email system: any user can easily forward an email to another party without your knowledge or consent, and that party can forward it again, until its spread becomes almost viral and uncontrolled. The other issue is illustrated by the following Privacy Commission case about exposing other people's email addresses by putting them in the CC field rather than BCC.

Subject Heading:

Improper disclosure of personal information and failure to keep personal information secure

Law:

National Privacy Principles 2.1 and 4.1 in Schedule 3 of the Privacy Act 1988 (Cth)

Facts:

An individual notified the Privacy Commissioner that the direct marketer sent out a promotional email which displayed the email addresses of all recipients.  The Commissioner considered that where an email address amounted to 'personal information' in that the identity of the individual is apparent or can reasonably be ascertained, the privacy of a number of individuals may have been interfered with. While this Office did not receive any individual complaints, the Commissioner decided to conduct an investigation into the incident under section 40(2) of the Privacy Act.

Issues:

NPP 2.1 provides that personal information collected for a primary purpose must not be used or disclosed for a secondary purpose unless one of a number of exceptions in NPP 2.1(a)-(h) applies.

NPP 4.1 provides that an organisation must take reasonable steps to protect the personal information it holds from misuse and loss and from unauthorised access, modification or disclosure.

Outcome:

The direct marketer responded promptly to the Commissioner's investigation and the incident.  The direct marketer explained that individuals provide it with their email address specifically to receive information about upcoming promotions.  The direct marketer provided its promotional email list to a third party organisation to issue the promotional email.  As a result of human error, the third party organisation distributed to everyone who was on the email list an email showing those individuals' email addresses, rather than using the blind carbon copy or 'BCC' email function.   The third party organisation did not follow its usual data quality control procedures in this circumstance.

The third party organisation counselled the individual responsible for the error and staff undertook refresher training in its quality control procedures.  These procedures were also updated to prevent a similar incident in the future. 

The direct marketer acted quickly to contact all individuals who were on the promotional email list to apologise and explain what happened.  The direct marketer also committed to report to appropriate authorities any misuse of the email addresses including issuing spam emails.

Based on the information gathered during the investigation the Commissioner decided to cease her investigation into the incident.  In relation to NPP 4.1, the Commissioner noted that the parties had steps in place to ensure the security of the personal information and the incident appeared to have occurred as a result of a one-off error. In relation to the disclosure under NPP 2, the Commissioner also considered that the steps the parties were taking to remedy the situation were adequate in the circumstances.

The Commissioner noted that while her investigation had been closed, any complaints from individuals that she may receive about the incident will be dealt with on their merits.(Own Motion Investigation v Direct Marketer,2008)

While in this case the company was able to satisfy the Commissioner as to how the incident occurred and what steps had been taken to prevent it happening again, it does highlight the need for care in handling private information.
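To make the failure mode in the case above concrete, here is an added example (not part of the original post and not the direct marketer's code) that builds a promotional email both the wrong way, with every recipient in the To: header, and the corrected way, with the list in Bcc:, and adds a pre-send check that refuses to send a message whose To/Cc headers disclose third-party addresses. The sender and recipient addresses are constructed for the example; the helper names (build_bulk_message, visible_recipients, check_before_send, is_safe_to_send, transmitted_headers, envelope_recipients) are this example's own, not a library API. It relies on the documented behaviour of smtplib.send_message(), which takes Bcc recipients from the header for the SMTP envelope and removes the Bcc header before transmitting.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample data for the example (not real addresses).
SENDER = "promotions@example.com"
RECIPIENTS = ["alice@example.com", "bob@example.org", "carol@example.net"]


def build_bulk_message(recipients, sender=SENDER, expose=False):
    """Build a promotional email for a list of recipients.

    expose=True reproduces the error in the case: every address goes in
    the To: header, so each recipient sees the whole list.
    expose=False is the corrected form: To: carries only the sender, and
    the list goes in Bcc:, which smtplib.send_message() uses for the
    envelope and strips from the headers before sending.
    """
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = "This month's promotions"
    if expose:
        msg["To"] = ", ".join(recipients)
    else:
        msg["To"] = sender
        msg["Bcc"] = ", ".join(recipients)
    msg.set_content("Details of our upcoming promotions ...")
    return msg


def visible_recipients(msg):
    """Addresses every recipient can read from the delivered headers.

    To: and Cc: are transmitted with the message; Bcc: is not, so only
    To/Cc count as disclosed.
    """
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def check_before_send(msg, sender=SENDER, max_visible=1):
    """Pre-send guard: raise ValueError if the headers disclose a list.

    A bulk message may show at most max_visible address(es) in To/Cc,
    and none of them may be a third party (anything but the sender).
    """
    visible = visible_recipients(msg)
    strangers = [a for a in visible if a != sender.lower()]
    if len(visible) > max_visible or strangers:
        raise ValueError(
            f"{len(strangers)} third-party address(es) exposed in To/Cc: {strangers}"
        )
    return True


def is_safe_to_send(msg, sender=SENDER):
    """Boolean wrapper around check_before_send for callers and tests."""
    try:
        return check_before_send(msg, sender=sender)
    except ValueError:
        return False


def transmitted_headers(msg):
    """(name, value) pairs as smtplib.send_message() puts them on the wire:
    it sends a copy with Bcc and Resent-Bcc deleted."""
    return [(n, v) for n, v in msg.items() if n.lower() not in ("bcc", "resent-bcc")]


def envelope_recipients(msg):
    """Addresses smtplib.send_message() issues RCPT TO for: To, Cc and Bcc.
    Bcc recipients still receive the mail; they are just not disclosed."""
    values = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    return sorted({addr.lower() for _, addr in getaddresses(values) if addr})


if __name__ == "__main__":
    bad = build_bulk_message(RECIPIENTS, expose=True)
    good = build_bulk_message(RECIPIENTS)
    print("exposed:", visible_recipients(bad), "safe:", is_safe_to_send(bad))
    print("exposed:", visible_recipients(good), "safe:", is_safe_to_send(good))
    print("wire headers:", [n for n, _ in transmitted_headers(good)])
    print("envelope:", envelope_recipients(good))
```

In practice the guard would sit in front of whatever calls smtplib.SMTP.send_message(), and a mailing tool that sends one message per recipient avoids the shared header altogether; the check is still worth keeping as a last line of defence against the one-off human error the Commissioner described.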

 

It is one topic that should be considered seriously: it is easy to think that the tools offered by new technology make communication and collaboration easy, but it is also easy to overlook some basic procedures when it comes to the privacy of others.

Further Reading

Australian Privacy Commission web site

 

Reference

Australian Privacy Commission, 2000, Private Sector - Business, Web Browsing and Privacy (30/3/2000), viewed 23 January 2009, from http://www.privacy.gov.au/business/index.html

Australian Privacy Commission, 2009, Opting-in to Privacy Act coverage, viewed 23 January 2009, from http://www.privacy.gov.au/business/register/index.html

Australian Privacy Commission, 2000, Guidelines on Workplace E-mail, Web Browsing and Privacy (30/3/2000), viewed 23 January 2009, from http://www.privacy.gov.au/internet/email/index.html#Realities

Own Motion Investigation v Direct Marketer [2008] PrivCmrA 23
