Introduction
From PriviWiki
Objective
To provide a set of guidelines for use by experienced IT auditors and security professionals, as a practical interpretation of the New Zealand Privacy Act's requirement that identifiable electronic Personal Data stored on, or communicated between, IT systems be protected 'by such security safeguards as it is reasonable in the circumstances to take'.
Consequently, the purpose of these guidelines is to provide a benchmark for what safeguards are 'reasonable in the circumstances' when identifiable personal data in electronic form is at rest or in transit.
[Also see note on scope at the bottom of this page]
Rationale / Purpose
Organisations may focus primarily on the cost-benefit relationship when deciding what level of controls to implement over electronic Personal Data. The costs and benefits considered are often those that relate to the organisation, and are unlikely to include all costs and benefits to the individual to whom the data relates. These guidelines focus on the impact on the individual in order to establish the appropriate minimum level of protection (what is reasonably expected), in line with the Privacy Act 1993 (the Act) requirement to protect information "by such security safeguards as it is reasonable in the circumstances to take", and with the fact that penalties under the Act depend on whether an individual has actually been affected.
Consistency
What is reasonable for one organisation may not be reasonable for another. For example, the disclosure of data about an individual may not carry significant costs, proportionally, for a large bank, while the same costs may be significant for a local record store with a mailing list. In either case the individual could expect Personal Data of similar Sensitivity to be similarly protected, irrespective of differences in the consequences of disclosure to the organisation.
Assistance
Small and medium organisations may not have the capability to determine what the appropriate standards are and how they should be implemented; larger organisations may not have the capacity. These guidelines are intended to provide a starting point and a minimum level of protection to assist with both situations.
What is Personal Data?
Any information relating to a living person (for example name, image, email address, opinions, assessments or records) that currently identifies that person, or that could identify that person when combined with other information held by the acquirer of the information.
Scope of Guidelines
To prepare a set of concrete guidance for organisations and auditors on some of the key information security measures for protecting electronic personal data against theft, misuse, corruption, masquerade and similar threats. The guidance is subject to the following constraints:
- Guidelines are to be simple and pragmatic, not to provide every possible detail.
- Guidelines are limited to the electronic storage and transmission of personal data.
- Guidelines are to include both acceptable and unacceptable measures for securing such data.
- Guidelines will cover small, medium and large private and public sector organisations.
- Guidelines will assume typical values and uses of Personal Data types.
Excluded from scope:
- Processes to set up privacy controls.
- General good practice security measures. For example it is assumed that appropriate firewall protection is in place.
It must be stressed that these guidelines currently address only a small subset of the IT security measures relevant to protecting personal data, predominantly the access controls that apply when electronic data is in transit or at rest. The guide may be extended in future to cover other aspects.
