Under Information Privacy Principle 4 (IPP 4), agencies must ensure that documents containing personal information are protected from:
The level of storage and security will depend upon the nature of the personal information in the document and the risk of a security breach occurring. If a document contains extremely sensitive information, such as health or criminal records, an agency should take maximum care in protecting the information.
Security measures may be physical (e.g. locks and swipe cards for rooms and compactuses), electronic (e.g. passwords and encryption for computers and USB devices) and operational (e.g. restricting access on a needs basis).
Information Standard 18 (Information Security) will be a starting point for agencies in determining what basic security measures are required; however, the specific requirements for each agency will differ depending on the type and amount of personal information held.
Agencies may wish to consider implementing internal policies and providing training on:
An agency must also ensure that if it is necessary to disclose a document to a third party, the agency takes all reasonable steps to prevent unauthorised use or disclosure by that third party.
Current as at: January 10, 2012