ABC cabinet files highlights low-tech privacy risks
The release at the end of January by the Australian Broadcast Corporation (ABC) of certain documents which were acquired by a member of the public purchasing ex-Government furniture at a second hand shop in Canberra reveals that while cyber security is currently a high priority issue, a determined and consistent focus on low-tech risks cannot be ignored.
The filing cabinets provided to the ABC contained a range of documents that were highly classified and of embarrassment to the Government. This raises a range of questions around how the documents all came to be collated in the one place and how furniture that was relegated for third party sale could be removed from Government control without some form of review to see if the cabinets did contain any papers or other information.
The discovery of the cabinet files indicates what might be regarded by some as a one-off but this is not the case. In 2015, the Office of the Australian Information Commission (OAIC) obtained an enforceable undertaking from former mobile phone provider TeleChoice, where it had stored old documents in a dis-used shipping container in rural Victoria making fortnightly visits to determine that the container was secure.
On one visit it was found that the container had been vandalised and documents removed. The extent of the document loss was unable to be ascertained and one of the elements of the enforceable undertaking was that TeleChoice were required to pay for credit monitoring for any former clients who wished to use that service to assist in preventing fraud and identity theft as a consequence of loss of their documents. There are also circumstances both far away and close to home where "low tech" breaches have occurred In 2011, UK Cabinet Minister Oliver Letwin was found to be in breach of the UK Data Protection Act by disposing of letters sent to him by his constituents by placing them in rubbish bins, in his local park on his walk home.
Similarly, in 2011, RailCorp in New South Wales was investigated by the then NSW Privacy Commissioner over the sale of certain lost property. In that case, approximately 50 USB memory sticks which had been left on trains were sold as part of an annual lost property sale but they had not been 'cleaned' and were found to contain material as diverse as CVs and copies of tax returns.
Accordingly, while the current focus on cyber security and cyber risks from malicious actors is an important element of privacy compliance, another element which is not to be ignored is old-fashioned physical security and access controls and ensuring that at the end of the information lifecycle information is de-identified or destroyed.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.
