That’s not personal information!…Or is it?

Your organisation is hosting a corporate function where a photographer is present to capture memories of the event.

Your staff members hold their signature two-finger peace sign poses, with a pout to match, as their photograph is snapped. The photographs are then shared on your organisation’s social media platforms. Your organisation is unaware that your staff member’s fingerprints could be stolen from these photographs and used by attackers to impersonate your staff, break into their corporate smartphones, or your workplace.[1] Your organisation is unaware that photographs and the information contained within them are considered personal information.

In today’s world, where more and more things can be tracked, privacy is gaining greater visibility among consumers and regulators. Individuals are taking more responsibility for their own privacy and your organisation is under increased pressure to protect the personal information in its possession. The question of ‘What is personal information?’ lingers as new possibilities arise for the collection and use of personal information by your organisation.

Consider whether your whole organisation understands:

  • What personal information means under the Privacy Act 1988 (Cth) (“Privacy Act”)?
  • What personal information means in the context of your organisation and the services you provide?
  • Your consumer’s expectations with regard to the uses of their personal information?

If you are answering ‘no’ or ‘maybe’ to any of these questions, your organisation is at risk of misusing information and not meeting consumer expectations.

Rising risk and regulation

As the regulator is becoming more active in assessing the information handling practices of organisations and individuals are becoming more discerning with regards to their privacy, misaligned expectations can result in negative financial, security, brand and reputational impacts for your organisation.

The Verizon 2016 Data Breach Investigations Report places insider and privilege misuse, and miscellaneous errors made by employees in the top ten causes of organisational data breaches. Accidently sending information to the wrong person via email is a common mistake made by employees however, the key to ensuring that such breaches are dealt with effectively is ensuring that staff understand what personal information is, recognise what a data breach is and your process for reporting one. This is crucial given the recent passing of the Privacy Amendment (Notifiable Data Breaches) Bill 2016, introducing mandatory data breach notifications to Australia.

Further, widespread and excessive access to personal information presents a high risk of a breach as staff may have access to information that is not needed as part of their role and the ability to share it with others, both accidently or with malicious intent.

Setting the context

Organisations commonly misconstrue the meaning of personal information, often believing they are not in possession of it. This has been the case amongst many organisations we have worked with, particularly those which may not transact directly with individuals. We have seen that such organisations may not consider personal information which may be shared with them outside of common channels, such as online enquiry forms and social media sites, information generated by individual activity via technological means, or personal information such as dietary requirements which may infer information about a person’s health condition or religious beliefs. This has made it difficult for organisations to meet their privacy obligations of protecting personal information and ensuring it is correctly used.

The Australian Information Commissioner’s (“the Commissioner”) broad interpretation of the meaning of personal information sets the benchmark for what organisation’s need to consider as personal information. This was demonstrated in the Commissioner’s appeal to the Federal Court of its decision in the case of Ben Grubb, former Fairfax journalist, who argued that he was entitled to access metadata collected via his mobile phone under the premise of the Privacy Act. This case, and the stance taken by the Commissioner highlight how broad the interpretations of personal information can be, demonstrating that traditional literal interpretations are no longer adequate.

To meet its privacy obligations, your whole organisation must understand the definition of personal information, the obligations stemming from collecting personal information and have processes in place to deal with any breaches of these obligations.

privacy protection

Reducing the risk

To reduce the risk of non-compliance, your organisation must understand the personal information held by you and your third parties. Once you understand what information you hold and where information is located, you can begin a broader risk assessment to determine who has access to it and what countries this information may be sent to or accessed from.

Further, bridging the gap between what your organisation classifies as personal information and what consumers classify as personal information, as well as their expectations around how it should be handled, is essential to ensuring that your organisation maintains the trust of consumers and continues building a positive brand image and reputation. Here it becomes important to comply with the Privacy Act but also understand what consumers value and are concerned about sharing. For example, in the Deloitte Australian Privacy Index 2015, personal income (51%) and membership of a political party (11%) feature in the top 10 privacy concerns of consumers, however these are not protected under Australian privacy law.

To maintain the relationship with your customer base and protect your brand and reputation, your organisation should consider a consumer focused privacy strategy and protect the information consumers hold dear, in line with their expectations as well as the law.

What can you do?

There are a number of actions your organisation can take to understand what personal information means:

  • Ensure your organisation understands the legal definition of personal information
  • Define personal information in the context of your organisation
  • Integrate consumer expectations into the organisational definition of personal information
  • Understand where the personal information you hold is stored (systems, countries etc.), who has access to it and how it is protected, and inform consumers of this
  • Ensure that staff are well trained and understand their responsibilities with regard to personal information, particularly those in operational roles interacting with personal information.

[1] 17 January 2017, The Canberra Times. ‘Researchers steal fingerprints from peace sign photos.’

Want to stay up-to-date?

Stay on trend and in the know when you sign up for our latest content