Portable storage devices and information privacy

The Information Privacy Act 2009 (Qld) (IP Act) requires agencies to ensure the personal information¹ they hold is protected against loss, unauthorised access, use, modification or disclosure and any other misuse.² Agencies other than local government³ are also subject to mandatory notification of data breach (MNDB) scheme, which requires notification in the even of an eligible data breach.⁴

Portable Storage Devices (PSDs) are small, lightweight, easily transportable devices capable of storing and transferring digital data. Common PSDs include removable devices such as USB thumb drives or flash drives, rewritable CD/DVDs, memory cards and external hard drives and mobile devices with inbuilt storage such as tablets, laptops, and smartphones.

PSDs are capable of storing extremely large amounts of data. Due to their portable nature and attractiveness, PSDs are susceptible to loss or theft. The potential damages arising from this risk increase if the PSD holds unsecured non-public data.

Risks of using PSDs

As noted, a common risk of using PSDs is that the device can be lost or stolen. Misuse, loss or unauthorised access, use, modification or disclosure of personal information can also arise through:

• a PSD infecting devices into which it is subsequently plugged with malware;
• insecure disposal of, or deletion of information from, PSDs; and/or
• unfettered access by third parties to the content of the PSD.

In addition, employees’ use of personal PSDs to access, transfer or store agency data may increase the likelihood of a privacy breach. For example:

• the agency has less control over the use of security measures such as anti-virus and malware software, operating system and application updates and password, encryption and remote wipe capabilities
• departing employees may accidently take away personal PSDs containing agency information; and
• unauthorised people are more likely to access personal PSDs at the employee's home, either inadvertently or by simply borrowing the device.

The damages arising out of a privacy breach involving a PSD increase where there is:

• no classification of information which may and may not be transferred to a PSD
• a lack of encryption or technical controls to protect data stored on the PSD
• no obligation to report loss or stolen PSDs; and/or
• a failure to promptly transfer agency records from the PSD to the agency network.

Legislation and policy obligations that impact on the use of PSDs

A number of laws and policies are relevant to the use of PSDs, including:

• Public Records Act 2023 (Qld) governing recordkeeping for all Queensland public authorities.
• Information Standard 18: Information Security.
• Queensland Government Information Security Classification Framework (QGISCF), which specifies a schema for the security classification of information and associated controls that reflect their classification level.
• Information Standard 38: Use of ICT Facilities and Devices.

Managing the risk of using PSDs

A key strategy in minimising the risks of using PSDs is to develop and implement policies and procedures so that employees understand their obligations when using PSDs to access, store or transport agency data. Where possible, agencies should also use hardware and/or software controls to restrict or control the use of PSDs.

PSD policies and procedures should establish

• What types of PSDs are permitted and under what circumstances?
• Whether personal PSDs are permitted and if so, what conditions are placed on their use.
• How the rules surrounding use of PSDs interact with remote access to the network.
• Whether a central register of PSDs will be maintained and if so, what approved devices must be registered?
• What information may be transferred to a PSD and details of any additional safeguards appropriate to the security classification or value of the information. Where PSDs will store personal information, agencies should require that it be encrypted.
• What is considered acceptable use of PSDs for transport and storage of agency data.
• How to securely erase data from PSDs.
• What to do with damaged or obsolete PSDs.
• What to do in case of lost or stolen PSDs or other suspected privacy breach.
• What processes are in place to audit or monitor compliance with PSD policies and procedures.
• Who employees can contact for advice on PSDs.