Portable/mobile devices and privacy in Local Government

04/20/23 1

Portable/mobile devices and privacy in Local

Government

Dr Anthony BendallActing Victorian Privacy

Commissioner

Overview

• OVPC Surveys and Guide

• Privacy laws

• Recent developments :– Tablets– Smart phones– Portable hard drives– BYOD– Cloud computing

• Looking ahead

Example

• “A staff member was responsible for collating information about individuals from numbers sourced for the purpose of preparing reports. The staff member would often work on these reports at home and stored the work on a personal USB key. But the USB key was lost, possibly at a supermarket car-park, with over 30 reports.”

OVPC Surveys and Guide

• OVPC, Use of Portable Storage Devices: Privacy Survey, January 2009

• OVPC, Portable Storage Devices: Privacy Survey 2011, December 2011

• OVPC, Use of Portable Storage Devices – a guide to policy development, August 2009

• All available at www.privacy.vic.gov.au

04/20/23 5

Privacy laws

• Information Privacy Act 2000 (Vic)• IPP 4: Data Security

– ...”must take reasonable steps to protect personal information... from misuse, loss, unauthorised access, modification and disclosure.”

– Personal information should be destroyed or de-identified when it is no longer needed.

• Similar laws at Cth level and in other States and Territories

2008 Survey

• 55 organisations

• “Major security risk”

• 17 recommendations

• Recommendation 1: formal policy– 2009 Guide– 27 point checklist

Surveys by others

• NZ 2010:– 42 NZ agencies– 120 devices lost in 12 months– “inadequate controls”

• Australian Privacy Commissioner 2009:– 58% of agencies suffered loss or theft– “mixed results”

2011 Survey

• 31 of previous 55 organisations• General improvement• 12 organisations – no controls• Lack of encryption• 10 organisations – no tracking• 8 – no improvement• 2 – deterioration• Local Councils – from “poor” to

“commended”

Tablets and other developments

• Explosion in period between two surveys

• 2011 – 50% provide tablets to staff

• Portable hard drives

BYOD

• Increasing

• Lack of policy and technical controls

The cloud

• New challenges• Loss of control• Offshore storage• OVPC Information Sheet: Cloud

Computing, May 2011

2011 recommendations

• 6 additional recommendations:– Strict control over external hard drives– Control of all active ports– Encrypted USB keys

• Smart phones and tablets– Integrity– Expanded policies

• Privacy Impact Assessments

– Collection & notice– data security– transborder flows

• Loss of control• Accountability

Conclusion

• Accountability

• Costs

• Compliance notices

• Potential data breach laws

More information

Privacy Victoriawww.privacy.vic.gov.au 1300 666 444