Safeguarding Trust: Privacy and Physical Security
By Vaughan Henry, Commercial Manager at FIRST Security

Privacy Week 2022 is 9 - 14 May 2022 and is themed Privacy: The Foundation of Trust. FIRST Security’s Commercial Manager Vaughan Henry writes that good physical security is a key – yet often forgotten – privacy safeguard.

The Office of the Privacy Commissioner marks Privacy Week each year to promote privacy awareness, inform people of their rights under the Privacy Act, and help educate agencies about their responsibilities. Privacy Week is held in conjunction with Privacy Awareness Week, an initiative by the Asia Pacific Privacy Authorities (APPA) network.

From a security perspective, privacy is about the protection of personal information. In other words, it’s about ‘information security’. And given that privacy is specifically about personal information, it demands additional levels of security, and the controls need to be considered separately to the typical information security controls.

It tends to be the case that when we think ‘information security’ we think about computers and cybersecurity and protecting our information online. What we tend to think less about is the fact that information needs protecting not just in cyberspace, but also in the physical spaces in which we work.

According to the New Zealand Government Protective Security Requirements (PSR) website:

“Information is an asset and information security is the protection you apply to keep your information assets secured from harm. Think of information in the broadest sense, not just in terms of information technology. Information exists in many forms (for example, electronic, printed, or spoken) and may reside inside or outside your organisation, including with your providers and clients, and in the cloud.”

While your organisation might have adequate information technology security measures in place, such as secure logins, multi-factor authentication, and cyber security controls, how well are you safeguarding personal information from a physical security breach, such as the theft of printed documents or an IT breach due to unauthorised access to premises?

Good information security requires an all-round approach, including good physical security controls (clean desk policies, visitor and contractor access management, perimeter controls, intruder detection, and surveillance) as well as good personnel security controls (security awareness among staff, a strong ‘challenge culture’, and adequate staff vetting and offboarding procedures, etc).

Security controls work best when they are part of a coordinated and ‘layered’ approach to security – from the perimeter of an organisation’s premises to the front door (and every other door and window), from public areas to restricted areas, and from desktop computers and personal devices to each and every system and application used by your staff. As part of a layered approach, security guarding and patrols can play a key role in safeguarding information.

Security and concierge staff at reception, for example, play an important role in ensuring that the access of visitors and their movement through the premises is well managed. They provide ‘eyes on’ surveillance at the main entry point to the premises, and they can identify any individuals or behaviours of concern.

At the end of each day, security personnel can conduct physical premises checks to confirm that all visitors have left the premises, that windows and doors are locked, and that clean desk policies are being adhered to. And overnight, security patrols can randomly check in on the premises.

In high security settings, the highest level of assurance is delivered by 24 hours a day, seven days a week on-site guards who can respond immediately to any alarms.

While it may be that cyberattacks are the most high profile and widely reported causes of privacy breaches, cybersecurity measures alone will not adequately protect information. They are just one ‘layer’, and they should be supported by a range of other security controls, such as electronic measures and security personnel.

If you would like to know more about how you can mitigate the privacy risks to your organisation, get in touch with FIRST Security.
