1

SymposiumInterpreting Privacy Principles:

Chaos or Consistency?17 May 2006, Sydney

Interpreting the Security Principle

Nigel Waters, Principal Researcher

2

Methodology of Investigation

• Identify issues• Identify ‘cases’ expressly involving the

security principle • Primary source - WorldLII Privacy Law

Project

3

4

Methodology of Investigation• Search for relevant material• Iterative process • Will review all published cases• Initial focus on information privacy laws • Progressively extension to other relevant

laws

5

… Unauthorised Use of p.i. … Unauthorised Disclosure of p.i. …

… Loss or corruption of p.i.

Security measures are designed to mitigate the RISK of …

… by someone with authorised accessi.e. exceeding their authority

… by an unauthorised third party e.g. by hacking or phishing

MisuseIncluding: Authorised but improper use?

6

Security Principle - Issues• Reasonableness• Generic Industry standards vs

customised standards for personal information?

• Generic ‘all mode’ vs mode/technology-specific standards

• Human (Personnel) security

7

Security Principle - Issues• Liability – organisation vs employee vs

contractors• Relationship between security and

disclosure• Carelessness

8

9

10

11

12

13

14

15