Do you know where your data is?

May 11, 2009: Australia's Privacy Commissioner is concerned that Government agencies are not doing enough to protect data on USB sticks and PDAs.

Research commissioned by the Office of the Privacy Commissioner has shown that, while most Australian Government agencies have policies regarding the transfer of personal information, not all have appropriate controls covering the use of portable storage devices (PSDs) for the handling of personal information.

“I am pleased that three-quarters of Australian Government agencies have policies covering the transfer of records containing personal information. However, there is definitely room for agencies to improve their safeguards governing the use by staff of portable storage devices containing personal information, such as USBs, PDAs, CDs, and DVDs,” said Karen Curtis, the Australian Privacy Commissioner.

Conducted by Orima Research on behalf of the Office of the Privacy Commissioner during March and April, the research involved a survey of 94 federal Government agencies.

Ms Curtis said that the research would help her Office to assess privacy risks associated with PSDs given their growing use by Government and reports of data breaches around the world.

“My Office is particularly concerned given recent incidents in the UK where the loss of PSDs by government agencies has led to a serious threat to people’s personal information,” Ms Curtis said. The Office of the Privacy Commissioner has also developed an information sheet to help agencies better manage PSDs, which was also released by Senator Faulkner at the forum.

Key findings from the research include:

• 75% of agencies have policies covering the secure transfer of records to external parties, and 69% have policies for staff temporarily working away from the office;
• 81% have policies covering uses of agency-issued PSDs;
• 55% have policies covering uses of privately owned PSDs;
• Most agencies have controls to manage agency-issued PSDs, such as keeping a PSD register (97%), requiring signed user agreements from staff (63%), using minimum encryption standards (56%) and staff training (63%);
• 58% have experienced the loss or theft of an agency-issued PSD within the past 12 months;
• 76% allow the use of private PSDs in the workplace, with agencies more likely to use software controls (54%) than hardware controls (16%) to manage and/or restrict their use.

The Research report is available online at www.privacyawarenessweek.org/paw/psd_report.pdf.
