Often, when UNE Privacy Officer Caitlin Rowe talks about her role, people declare that privacy is dead in today’s digital world. But it doesn’t take long for them to be convinced of its continued importance.
A recent privacy webinar gave the example of an Australian woman escaping a violent relationship, who appeared in the background of a photograph posted on Facebook. Facial recognition algorithms identified the woman and her location, enabling her ex-partner to locate her and her family, leading to violence and the family’s relocation. The impacts of even such limited personal details being revealed can be very real.
“This is a worse-case scenario of the consequences of a privacy breach, but for some people it can be a matter of life or death,” Caitlin says. “We must remember that a breach only has to negatively impact one person to make it a problem. It can affect their personal relationships, their business or employment prospects, even their financial position, and have long-lasting flow-on effects to their health and wellbeing. Privacy can’t be taken lightly.”
As UNE prepares to celebrate Privacy Week, for the first time as one of NSW’s Privacy Week Champions, Caitlin is encouraging all of us to consider the information we are entrusted with, every single day. And to remember the individuals who might be harmed if that information falls into the wrong hands.
“Contact tracing during the COVID-19 pandemic has highlighted some of the shortcomings of Australia’s privacy laws,” Caitlin says. “It has also highlighted, for many individuals, how valuable their data is to them. More and more people are asking questions about how their personal information is being used and stored, and becoming more protective of that data. We all know how it feels to receive an unsolicited phone call from a marketing company or a SPAM email.
“We cannot live day-to-day without engaging online and our digital identity has become an extension of ourselves. But the trans-boundary trade in data is big business. Personal information has been monetised and can be bought and sold.”
At UNE, we take very seriously the collection and management of the sensitive personal information of thousands of staff members, students and members of the wider community. Countless records and emails containing valuable details are exchanged every hour.
At the frontline of our privacy defence system is the IT Security Team and Caitlin, who receives complaints and works with security to investigate suspected data breaches. She also conducts privacy impact assessments of new systems and applications, and regular education and training.
Last year, Caitlin investigated approximately 60 privacy incidents and 48 individual complaints, which represented a dramatic increase on previous years. “The move online due to COVID meant students were dealing with different things and had different concerns, but the increase was also an indication that people knew where to go to for help,” Caitlin says. “One of our aims for this year is to increase the number of breaches reported, because then we will know that our awareness campaigns and compliance activities are working.”
In any organisation, there’s a constant risk that information will be lost, or disclosed to or misused by an unauthorised party, either accidentally or intentionally. While malicious or criminal acts like network hacking and identity theft immediately spring to mind, Caitlin warns that personal error accounts for the vast majority of data breaches.
“Our IT Security Team is working every day to handle the malicious external attacks, to make our technological environment robust; it’s the personal mistakes that worry me most,” she says. “Like sending an email containing personal information to the wrong person or inadvertently to multiple people, or incorrectly attaching information. We also have to guard against leaving files open on unsecured computers or laptops, or even saving personal information to a USB that could be lost or stolen.
“Such breaches can cause humiliation, damage to a person’s reputation and/or personal relationships, workplace or social bullying, marginalisation or intimidation. For our institution, there can also be considerable financial, legal and resource implications if we fail to meet our compliance obligations, reputational damage and loss of community trust.”
According to the Office of the Australian Information Commissioner, the education sector reported the third highest number of notifiable data breaches in the six months to December 2000 (OAIC July- December 2020), 38% of which resulted from human error. Email-based phishing was the most common means of gaining access to personal information.
So what can you do to protect privacy and what should you avoid?
- Stop before you send an email and check the address, attachments and recipients;
- Don’t leave personal information unsecured on electronic devices or in hard copy;
- Don’t save UNE records containing personal information to portable devices or your desktop;
- Do request assistance from the UNE Privacy Officer if you have any questions about the management of personal information;
- Do complete all available cyber security and privacy training and seek advice if there is any aspect of the management of personal information that you are unsure about;
- Do follow all directions from Technology and Digital Services regarding the management of unexpected emails, including immediately reporting suspicious emails or any suspicions or concern that your account has been compromised to the IT Service Desk at servicedesk@une.edu.au; and
- Be vigilant and sceptical of any unusual circumstances or behaviours and report all suspected data breaches to your supervisor or privacy@une.edu.au.
Next week you can also participate in Privacy Week by enjoying a game of privacy bingo, viewing tips and resources from the NSW Information and Privacy Commission and Office of the Australian Information Commissioner;and check out the information about Privacy on the Privacy Moodle page.