When protecting information, we want to be able to restrict access to those who are allowed to see it.

Data confidentiality is about protecting data against unintentional, unlawful, or unauthorized access, disclosure, or theft.

Confidentiality has to do with the privacy of information, including authorizations to view, share, and use it. Information with low confidentiality concerns may be considered "public" or otherwise not threatening if exposed beyond its intended audience. Information with high confidentiality concerns is considered secret and must be kept confidential to prevent identity theft, compromise of accounts and systems, legal or reputational damage, and other severe consequences.

Examples of data with high confidentiality concerns include:

  • Social Security numbers, which must remain confidential to prevent identity theft.
  • Passwords, which must remain confidential to protect systems and accounts.

Consider the following when managing data confidentiality:

  • To whom data can be disclosed
  • Whether laws, regulations, or contracts require data to remain confidential
  • Whether data may only be used or released under certain conditions
  • Whether data is sensitive by nature and would have a negative impact if disclosed
  • Whether data would be valuable to those who aren't permitted to have it (e.g., hackers)

When managing data confidentiality, follow these guidelines:

  • Encrypt sensitive files.
    Encryption is a process that renders data unreadable to anyone except those who have the appropriate password or key. By encrypting sensitive files (by using file passwords, for example), you can protect them from being read or used by those who are not entitled to do either.
  • Manage data access.
    Controlling confidentiality is, in large part, about controlling who has access to data. Ensuring that access is only authorized and granted to those who have a "need to know" goes a long way in limiting unnecessary exposure. Users should also authenticate their access with strong passwords and, where practical, two-factor authentication. Periodically review access lists and promptly revoke access when it is no longer necessary.
  • Physically secure devices and paper documents.
    Controlling access to data includes controlling access of all kinds, both digital and physical. Protect devices and paper documents from misuse or theft by storing them in locked areas. Never leave devices or sensitive documents unattended in public locations.
  • Securely dispose of data, devices, and paper records.
    When data is no longer necessary for University-related purposes, it must be disposed of appropriately.
    • Sensitive data, such as Social Security numbers, must be securely erased to ensure that it cannot be recovered and misused.
    • Devices that were used for University-related purposes or that were otherwise used to store sensitive information should be destroyed or securely erased to ensure that their previous contents cannot be recovered and misused.
    • Paper documents containing sensitive information should be shredded rather than dumped into trash or recycling bins.
  • Manage data acquisition.
    When collecting sensitive data, be conscious of how much data is actually needed and carefully consider privacy and confidentiality in the acquisition process. Avoid acquiring sensitive data unless absolutely necessary; one of the best ways to reduce confidentiality risk is to reduce the amount of sensitive data being collected in the first place.
  • Manage data utilization.
    Confidentiality risk can be further reduced by using sensitive data only as approved and as necessary. Misusing sensitive data violates the privacy and confidentiality of that data and of the individuals or groups the data represents.
  • Manage devices.
    Computer management is a broad topic that includes many essential security practices. By protecting devices, you can also protect the data they contain. Follow basic cybersecurity hygiene by using anti-virus software, routinely patching software, whitelisting applications, using device passcodes, suspending inactive sessions, enabling firewalls, and using whole-disk encryption.

The Privacy Act 1988 (Privacy Act) contains 13 Australian Privacy Principles (APPs) that Australian and Norfolk Island Government agencies, and most private sector organisations, (collectively called ‘APP entities’) must follow when they handle personal information. Personal information is defined in the Privacy Act as information or an opinion that identifies, or could identify, an individual. Some examples are name, address, telephone number, date of birth, medical records, bank account details, and opinions.

These tips will help you comply with the Australian Privacy Principles when you handle your customers’ personal information.

1. Familiarise yourself with internal privacy policies, processes and procedures

Understand your personal information handling processes and procedures and undertake regular privacy training. Following internal processes and procedures will help you manage and mitigate privacy risks, including the risks posed by human error.

Read your privacy policy and ensure you understand how it applies to the way you handle personal information.

Make sure you provide privacy notices to customers and that you handle their personal information in the way you say you will.

2. Know who is responsible for privacy

Everyone has a role to play in ensuring privacy is respected and protected. There should be a senior member of staff with overall accountability for privacy. There should also be staff responsible for managing privacy, including a key privacy officer, who:

  • understands your entity’s responsibilities under the Privacy Act

  • handles access and correction requests and complaints and enquiries about your personal information handling practices.

If your workplace is small, the key privacy officer may hold this role as part of their broader responsibilities.

If you notice any issues with privacy processes and procedures, discuss them with the key privacy officer or someone senior.

When developing a project that involves new or changed personal information handling practices, always consider doing a privacy impact assessment (PIA). A PIA identifies how a project can have an impact on individuals’ privacy, and makes recommendations for managing, minimising or eliminating privacy impacts.

You should also engage your key privacy officer during the planning phase of your project.

More information can be found in the Guide to undertaking privacy impact assessments.

You must only collect personal information that you actually need. Don’t collect personal information just because it may become necessary or useful at a later date. If you need it later, you can collect it then.

You are also required to let people interact with you anonymously or through the use of a pseudonym (although some exceptions apply). Remember, you can sometimes conduct your business activities without collecting personal information.

5. Use and disclosure — think about it!

Generally, you are only allowed to use or disclose personal information for the primary purpose for which it was collected. However, there are exceptions that allow for it to be used or disclosed for another purpose. These exceptions include where:

  • the individual has consented to the use or disclosure

  • the individual would reasonably expect the use or disclosure and the other purpose relates (or for sensitive information, directly relates) to the primary purpose of collection

  • the use or disclosure is required or authorised by law.

Always think about whether you can conduct your business activities without using or disclosing personal information. When you do, always limit the amount of personal information you use or disclose to the minimum necessary.

6. Overseas disclosure — prepare for it!

Before you disclose personal information to an overseas recipient, you must take reasonable steps to ensure that the recipient complies with the APPs (although there are some exceptions, which are outlined in APP guidelines Chapter 8). These may include entering into an enforceable contractual arrangement that requires the overseas recipient to handle the personal information in accordance with the APPs (except for APP 1).

If you disclose personal information to an overseas recipient you may remain accountable for how it is handled by that recipient (although again there are some exceptions).

More information can be found in Sending Personal Information Overseas.

Sensitive information is given a higher level of privacy protection under the Privacy Act and you have additional responsibilities when you collect, use or disclose it.

Sensitive information is a specific set of personal information that includes an individual’s racial or ethnic origin, religious beliefs or affiliations and sexual orientation or practices. It also includes information about health, genetics and biometrics. Generally, sensitive information can only be collected with someone’s consent.

Generally, you should only have access to personal information that you need for your role or function. By limiting the personal information you and your staff access to that needed, you are helping to protect the information from unauthorised access, use or disclosure.

You must take reasonable steps to protect personal information from unauthorised access, modification or disclosure and also against misuse, interference and loss. You must also take reasonable steps to destroy or de-identify personal information when it is no longer needed for any purpose permitted under the Privacy Act. This requirement does not apply if you are required or authorised by law to keep it.
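The collection-minimisation rule above (collect only what you need, allow pseudonymous interaction) and the destroy-or-de-identify obligation in this paragraph can be enforced in code. The following is an added example, not part of this guidance or of any OAIC material; it assumes an order-fulfilment purpose, a one-year retention period, a keyed pseudonym function, and constructed sample records.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumed primary purpose: order fulfilment. Only these fields are collected.
PERMITTED_FIELDS = {"customer_id", "name", "email", "postal_address", "order_date"}
# Categories the Privacy Act treats as sensitive information; collected only with consent.
SENSITIVE_FIELDS = {"health", "genetics", "biometrics", "racial_or_ethnic_origin",
                    "religious_beliefs", "sexual_orientation"}
# Direct identifiers stripped when a record is de-identified.
DIRECT_IDENTIFIERS = {"customer_id", "name", "email", "postal_address"}
PSEUDONYM_KEY = b"constructed-example-key"  # assumption: a real key lives in a secret store
RETENTION_DAYS = 365  # assumed retention period for a fulfilled order


def minimise_collection(submitted, consented_sensitive=frozenset()):
    """Keep only fields needed for the primary purpose; sensitive fields only with consent."""
    return {k: v for k, v in submitted.items()
            if k in PERMITTED_FIELDS or (k in SENSITIVE_FIELDS and k in consented_sensitive)}


def pseudonym(customer_id):
    """Keyed, stable pseudonym: records stay linkable without holding the identity."""
    return hmac.new(PSEUDONYM_KEY, customer_id.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(record):
    """Drop direct identifiers and replace the customer id with its pseudonym."""
    kept = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    if "customer_id" in record:
        kept["pseudonym"] = pseudonym(record["customer_id"])
    return kept


def retention_sweep(records, today):
    """De-identify every record whose retention period has expired."""
    cutoff = today - timedelta(days=RETENTION_DAYS)
    return [deidentify(r) if r["order_date"] < cutoff else r for r in records]


# Constructed sample: one stale record, one current record.
SAMPLE_RECORDS = [
    {"customer_id": "c-1001", "name": "A. Example", "email": "a@example.invalid",
     "order_date": date(2023, 1, 15)},
    {"customer_id": "c-1002", "name": "B. Example", "email": "b@example.invalid",
     "order_date": date(2024, 11, 2)},
]


def demo(today=date(2024, 12, 31)):
    """Sweep the sample records; report (was de-identified, remaining name) per record."""
    return [("pseudonym" in r, r.get("name")) for r in retention_sweep(SAMPLE_RECORDS, today)]
```

Fields not on the allow list are never stored, so nothing has to be destroyed later; records that outlive their purpose keep only a keyed pseudonym, which supports aggregate reporting without retaining the identity.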

Make sure you are familiar with and follow your policies on information security, including ICT security, physical security and access security. Always destroy and de-identify personal information in accordance with your destruction policies.

More information about information security can be found in the Guide to securing personal information.

10. Familiarise yourself with your data breach response plan

All entities should have a data breach response plan. Make sure you are familiar with your data breach response plan, as this will help you respond quickly and appropriately in the case of a data breach. A quick response can substantially decrease the impact on the affected individuals. It is also best practice to notify the OAIC when you have a data breach and there is risk of serious harm to the affected individuals.

If you don’t have a data breach response plan, our Data breach preparation and response guide will help you in preparing for and responding to a data breach.