Shhhh! The dirty secret of Personal and Sensitive Information
Lifting the cover of Data Privacy: Identifying and Safeguarding Personal and Sensitive Information – I guarantee this will be a focus at a future Q & A on the Hill.


Introduction:

In my previous Journal Post, we took a look at “Cyber Security Complimentary Technologies - A derriere saving overview”. This week I wanted to refocus from there and take a look at the dirty side of Personally Identifiable Information (PII) and the threat it poses to all Federal Government Agencies.


Let’s give some context and take a peek into the importance, risks, and strategies for identifying staff, contractor and public PII in a scenario where neither the Department nor the contracted outsource provider possesses a clear view of the PII dispersion, locations, or data types. Apart from the obvious cyber infiltration at Optus, this is what could be said to have really extended the harm beyond its current active clients. I cannot stress how imperative it is to address these challenges and develop and implement effective strategies to safeguard sensitive PII data.


The Importance of Identifying PII:

Protecting PII is paramount to maintain the trust of employees, citizens, and stakeholders. Proper identification of PII allows for a comprehensive understanding of the scope of sensitive data at hand. By recognising the presence and nature of PII, we can implement appropriate safeguards, comply with legal and regulatory requirements, and mitigate potential privacy breaches.


Some Departments are responsible in-house for this outcome, and some have handed this responsibility to a key outsource provider, but is it specified in the contract (yep, good thought - have someone check) and is it being acted on?


Risks of Unidentified PII:

The risks around unidentified PII are substantial and far-reaching. They can be catastrophic to the individual victim and the Department. Failure to identify and protect sensitive information can lead to severe consequences, including unauthorised access to an individual’s personal assets and identifications, data breaches, reputational damage, loss of trust, legal penalties, and non-compliance with privacy regulations such as the Privacy Act 1988 (https://www.legislation.gov.au/Details/C2014C00076).

To say that it is essential to address these risks proactively is an understatement. Actions should be in place now to maintain the integrity of the department's operations and safeguard the privacy of individuals.


Strategies for Identifying PII:

1. Conduct a Comprehensive Data Inventory

2. Implement Data Classification Frameworks

3. Map Data Flow through Key IT Tools and Systems, and Leverage Data Discovery Tools

4. Undertake Privacy Impact Assessments (PIAs) for all Data Projects

5. Assess the Risk, Benefit and Ultimate Utility of all Data Processing Activities


I’m going to focus in on this segment with a little more detail, as I think you may find it of value. Here we go –


Implementing Data Classification Frameworks:

A solid data classification framework is essential for identifying PII within data sets, simplifying data management, and informing appropriate security measures for each classification level. Let's explore a bit more:


Categorising Information Based on Sensitivity and PII Content:

A data classification framework involves categorising information based on its sensitivity and the presence of PII. This process allows for a granular understanding of the data landscape, enabling you to prioritise efforts and budgets and allocate appropriate resources and technologies to protect sensitive information.


Sensitive data may include PII such as names, addresses, TFNs, Driver’s Licence and Passport numbers, financial details, health records, resumes, AGSFA Application details or any other information that can directly or indirectly identify individuals. By categorising data based on sensitivity, a department can focus its attention on high-risk data sets and prioritise protective measures to mitigate the threat and risk.


Identification of PII Within Data Sets:

This identification activity will fail dismally if you don’t have a well-defined Data Classification Framework. The framework will provide for the identification of PII within data sets (remember, if you don’t know where it is, you won’t know what it is). By establishing clear guidelines and criteria for identifying and labelling PII, you can systematically scan and analyse data to identify sensitive information accurately.

Automated tools and technologies can be deployed to aid in the identification process. These tools can analyse structured and unstructured data, applying algorithms and patterns to recognise PII within files, databases, emails, and other data repositories. Once identified, PII can be appropriately tagged, making it easier to track, monitor, and secure. (There you are!!)
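To make the pattern-based identification and tagging concrete, here is an added example (mine, not the article’s or any vendor’s tool): a small scanner that finds candidate TFNs, passport numbers and email addresses in text, validates TFN candidates with the ATO check-digit rule so that look-alike nine-digit numbers are not tagged, assigns each finding the sensitivity tier the framework above would give it, and rolls those up into a document-level classification. The passport pattern, the tier names and the sample record are assumptions for illustration.

```python
import re
from typing import List, NamedTuple

TFN_WEIGHTS = (1, 4, 3, 7, 5, 8, 6, 9, 10)

class Finding(NamedTuple):
    line_no: int
    kind: str
    value: str          # normalised value; mask() it before logging or tagging
    sensitivity: str

def tfn_is_valid(digits: str) -> bool:
    """ATO check-digit rule: the weighted digit sum of a 9-digit TFN divides by 11."""
    if len(digits) != 9 or not digits.isdigit():
        return False
    return sum(int(d) * w for d, w in zip(digits, TFN_WEIGHTS)) % 11 == 0

# Candidate patterns and the sensitivity tier each kind would be classified at.
# The passport shape (1-2 letters + 7 digits) is an assumed heuristic, not an official spec.
PATTERNS = {
    "TFN": (re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b"), "highly sensitive"),
    "PASSPORT": (re.compile(r"\b[A-Z]{1,2}\d{7}\b"), "highly sensitive"),
    "EMAIL": (re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "sensitive"),
}
RANK = {"public": 0, "sensitive": 1, "highly sensitive": 2}

def scan_text(text: str) -> List[Finding]:
    """Return validated PII findings; 9-digit runs failing the TFN check are dropped."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, (pattern, tier) in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(0)
                if kind == "TFN":
                    value = re.sub(r"[ -]", "", value)
                    if not tfn_is_valid(value):
                        continue  # shaped like a TFN but is not one: a false positive
                findings.append(Finding(line_no, kind, value, tier))
    return findings

def classify(findings: List[Finding]) -> str:
    """The document's label is the tier of its most sensitive finding."""
    return max((f.sensitivity for f in findings), key=RANK.get, default="public")

def mask(value: str) -> str:
    """Tag without re-disclosing the PII: keep only the last three characters."""
    return "*" * (len(value) - 3) + value[-3:]

# Constructed sample record; every value is fictitious (the second TFN fails the check).
SAMPLE = """Onboarding note
Contact: jane.citizen@example.gov.au
TFN supplied: 123 456 782
Payroll reference: 123 456 789
Passport: PA1234567"""
```

Running `scan_text(SAMPLE)` tags the email, the valid TFN and the passport number, skips the payroll reference that merely looks like a TFN, and `classify()` marks the record "highly sensitive"; the masked values are what should go into the data inventory, never the raw PII.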


Simplifying Data Management:

The data classification framework which I previously mentioned will simplify data management by providing a structured approach to organising and handling data. Additionally, by categorising information based on sensitivity, you can define appropriate data handling procedures, retention periods, and access controls.

This framework allows for streamlined data governance, ensuring that data is managed in accordance with regulatory requirements and privacy best practices. It also assists in identifying data redundancy, eliminating unnecessary data storage, and improving overall data efficiency. Combine this with a deduplication capability and the savings also start stacking up.


Informing Appropriate Security Measures:

A data classification framework informs the implementation of appropriate security measures for each classification level. Different categories of data require different levels of protection, and the framework helps determine the security controls and protocols needed for each data type.

For example, highly sensitive data may require encryption at rest and in transit, strict access controls, regular security audits, and continuous monitoring. On the other hand, less sensitive data may still require measures such as access restrictions and data masking to prevent unauthorised access. (Question for thought – how many of my readers are encrypting in the Cloud? I heard a conversation the other day that brought that question to mind – perhaps a check is advised.)


In review:

Implementing a data classification framework is vital if you are seeking to identify and safeguard PII within distributed data sets. This framework enables the systematic categorisation of data based on sensitivity, facilitating the identification of PII and simplifying data management processes. It guides a Department in implementing appropriate security review and treatment measures based on the final risk or classification level of data, ensuring that resources are allocated effectively.


So by establishing a robust data classification framework, a Government Department can enhance its data privacy practices, mitigate risks associated with unidentified PII, and foster a culture of responsible data handling and protection.


Hopefully you can see why I have focused in on implementing a Data Classification Process. Happy to field questions if you have them.

Continuing on -


Foster a Privacy-Centric Culture: Consider Privacy By Design:

I also cannot highlight enough how important this action is: promote a culture of privacy awareness and compliance within the department. This involves providing regular training and awareness programs for staff, contractors, and outsourced service providers. Reinforce the importance of safeguarding PII and ensure that privacy responsibilities are clearly defined and adhered to across all levels of the organisation.


The OAIC largely describes Privacy by Design as processes for embedding privacy into the design requirements of technologies and business practices. The International Association of Privacy Professionals (IAPP) asserts that Privacy by Design enforces reasonable security for consumer data, limited collection and retention of data along with reasonable procedures to ensure data accuracy. IBM (Cost of a Data Breach Report, 2022) takes the view that companies with holistic privacy programs are over twice as likely to avoid data breaches as companies who have low accountability.


And to wrap it up:

In an environment where the dispersion, locations, and types of PII data are uncertain, all Government Departments and their contracted outsource providers must take proactive measures to identify and protect sensitive and PII information.

How? By recognising the significance of identifying PII, understanding the associated risks, and implementing effective strategies, we can all work to bolster data privacy practices, enhance stakeholder trust, and uphold and meet required obligations under privacy legislation.


I’m going to make a very strong statement now. As a Veritas Canberra-based client manager it is my duty to advocate for robust privacy measures in the greater Government space and guide clients and partners toward best practices in PII identification and protection. By following the strategies outlined in this Journal Entry today, we can help establish a solid foundation for safeguarding PII and pave the way for a secure and privacy-centric future.


It sounds a little trite, if it weren’t all so very serious. Let’s see if we can avoid that Q & A session on the Hill.


#dataprivacy #cio #cso #veritas #privacyprotection #federalgovernment



Very rightly put, Howard. PII is very important information and should be treated as such.
