With the use of Portable Storage Devices (PSDs) proliferating in all public sector organisations, issues surrounding data security and the storage and handling of personal information are becoming more significant.
There have been a number of high-profile cases, in Australia and in the UK, where sensitive information has been lost along with mobile devices, including PSDs.
In July 2009, it was reported that an employee of South Australia Health had lost a USB drive that may have contained confidential government costings for a proposed new $1.7 billion city hospital.
In 2008, it was reported that the UK Crown Prosecution Service lost files on 2,000 serious criminal suspects, including DNA profiles, when a disc was misplaced. It followed the loss of 25 million records relating to child benefit claims, several thousand applications for the Armed Forces, Northern Irish driving test applications, and 5,000 National Health Service health files. Media reported an admission by the UK Ministry of Defence in 2008 that 121 USB sticks, including five containing secret information, had been lost or stolen since 2004.
The Office of the Victorian Privacy Commissioner has just released a guide to assist public sector organisations in developing policies and procedures on PSD use.
Use of Portable Storage Devices: A Guide to Policy Development was developed following a survey of the Victorian Public Sector’s use of PSDs that showed the public sector handled PSDs poorly and “their use of them potentially posed a serious data security risk.”
But the Privacy Commissioner notes that having policies and procedures in place is not sufficient. To comply with the Information Privacy Principles (IPPs) (for example, to protect personal information from misuse, loss, unauthorised access or modification), it emphasises that Victorian agencies must ensure that users are aware of the policies and procedures and how to comply with them.
In the January 2009 survey, 60% of Victorian public sector organisations reported wide PSD usage, but only 13% had hardware controls, and only 24% had software controls in place. Less than half (45%) had documented policies to control PSDs, and only 5% had policies that prescribed how content was to be deleted from PSDs. Only 18% provided users with encryption solutions to protect content on their PSDs.
Following a similar survey undertaken on behalf of the Federal Government Office of the Privacy Commissioner in 2009, a Public Sector Information Sheet was issued, providing suggested steps for Australian and ACT Government agencies to consider in order to safeguard personal information stored or handled on PSDs.
The April 2009 survey of Federal agencies found more than half indicated they had experienced the loss or theft of an agency-issued PSD in the previous 12 months, and a number were aware of the loss of a private PSD that had been used to store personal information held by the agency. The survey found that although a high proportion of agencies had policies in place around the transfer of personal information and the use of agency-issued PSDs, less than two-thirds (63%) indicated they provided staff with training on the use of PSDs and relevant security requirements.
Data security and the protection of personal information are likely to be the subject of hot public debate with the implementation of a national healthcare identity scheme. Based on Medicare cards, the new system will link patient medical records across healthcare providers using a Unique Healthcare Identifier (UHI) being developed by Medicare on behalf of the National e-Health Transition Authority (NEHTA).