In the midst of an all-encompassing pandemic, the Office of the Australian Information Commissioner (OAIC) has emphasised the privacy obligations of organisations with respect to health information.¹
“Health Service Providers” reported the highest number of data breaches of any type of organisation between January–June 2020.²
Although the focus of the OAIC’s recent advice is handling health-related personal information during the COVID emergency, it remains relevant to all categories of sensitive data.
The need for Data Protection
Data is gathered and stored to provide business and services, as well as to facilitate the operation of an organisation. E-commerce and information exchange over the web have created huge opportunities, and the importance of data protection has risen accordingly.
A lack of policy around handling personal data and the absence of sophisticated tools to monitor data breaches lead to wide-ranging uncertainty and risk, especially during a crisis like a pandemic. While organisations are increasingly becoming aware of their Data Protection obligations, individuals are increasingly becoming concerned about their Right to Privacy.
Which data is “Sensitive”?
Sensitive data is data that identifies an individual and hence should be gathered and used only with the consent of that individual. The organisation collecting such information is obliged to safeguard the data and prevent any misuse, which would otherwise amount to a breach of the individual’s “Right to Privacy”, resulting in compliance complications and reputational loss.
What is Data Protection?
Data protection encompasses the lawful usage, storage and processing of sensitive data in order to safeguard the integrity and sanctity of data privacy. Governments are increasingly enforcing regulations to protect PII (Personally Identifiable Information), PHI (protected health information) and data involved in the Payment Card Industry (PCI), a need that is also driven by the growth of e-commerce and remote engagement.
Data Protection in Australia
The primary legislation governing the protection of an individual’s personal information is The Privacy Act 1988. States and territories also have their own statutory provisions. Such legislation applies to public as well as private bodies.
The Privacy Act 1988 outlines the privacy protection framework in the form of the Australian Privacy Principles. These principles set out standards, rights and obligations to enforce data protection, while allowing flexibility and technology-neutral adoption of practices.³
The Global Context
The National Institute of Standards and Technology (NIST) provides a voluntary tool in the form of a Privacy Framework to help organisations identify and manage privacy risks.
In the United States, the Health Insurance Portability and Accountability Act of 1996 governs health-related information of an individual across the healthcare and health insurance industries.
To ensure uniform enforcement of data protection laws, the European Union’s General Data Protection Regulation (GDPR) came into effect in 2018. Australian businesses are required to comply with GDPR if they have an establishment in the EU or provide goods and services to individuals in the EU.
A comprehensive list of privacy laws in different countries demonstrates the mounting requirements organisations face regarding data protection.
What constitutes PII and PHI?
According to NIST:
Any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.⁵
This list is not exhaustive; rather, it is indicative of the pieces of information that could be used to either distinguish or trace an individual.
There are 18 HIPAA identifiers that are widely used by healthcare providers, health insurance agencies and their business associates to deliver services. The Privacy Act 1988 is largely the Australian counterpart to HIPAA.
Alex Solutions for Data Security
Data protection at enterprise scale is a daunting challenge, and Alex can give you a major head start on it. Alex Data Lineage reveals the entire life-cycle of data within the organisation, including how it transforms and moves from place to place. The Lineage is entirely automated, scanning your systems and generating a detailed map at a high degree of completeness. One quick scan will have you on the way to reducing regulatory compliance risks. Sensitive data is growing at exponential rates during COVID-19. One of the world’s largest companies is currently leveraging our Lineage to report their entire dataflow — including all processing — to the regulator.
To complement end-to-end lineage, Alex can automatically scan your systems to detect sensitive data, immediately identifying its location, access controls and history. Out of the box, Alex can detect sensitive data including but not limited to PII, PHI and PCI, across a wide range of both structured and unstructured data storage technologies.
The COVID pandemic has only accelerated the development of increasingly stringent and comprehensive regulatory obligations surrounding data privacy. Organisations should seize the opportunity to adopt highly automated, powerful software solutions that can rapidly transform their data protection program. If you’re looking to uplift the security of your organisation’s data, get in contact with our team to arrange an Alex demonstration addressing your specific needs today.