Getting started

Before we make plans to protect our information, we should know what "secure information", or in other words "information security", means. Now that we know how important information is to an enterprise, it follows that the quality of that information is imperative. Erroneous information is sometimes even worse than no information at all.

Imagine a supermarket launches a campaign in which customers shopping on their birthday receive a present. Unfortunately, a large group of other customers cannot benefit from the offer because their client data has been lost one way or another. For the supermarket this is obviously very negative publicity, and it will have to put in a great deal of effort before it can welcome the lost customers again.

Good-quality information is correct information, which is also well-protected and secure.

Information security can be checked against seven characteristics, also called security attributes:

- Confidentiality: only persons with an authorisation can access the information.
- Integrity: the information cannot be altered intentionally or unintentionally.
- Availability: the information is accessible and usable at any request of an authorised individual.
- Accountability: there is always a trace of the author and of how the information was edited.
- Non-repudiation: there is proof that an operation or event actually took place, so that it cannot be denied now or at a later time.
- Authenticity: it is certain that individuals really are who they claim to be.
- Reliability: the expected result is achieved.

If information has these seven characteristics, it is said to be secure, good-quality information.

If the information contains personal data, the Privacy Act comes into play; it describes additional characteristics of secure and protected information. Personal data must be processed fairly and lawfully, and for specified purposes; they have to be adequate, relevant, not excessive and accurate; and they have to be kept up to date and must not be kept any longer than necessary.

Beyond that, every company or organisation has to take a number of measures to protect the data it processes. For instance, it has to notify the Privacy Commission of its processing operations, respect data subject rights, make sure that the data are always correct and delete them whenever necessary, ensure that processing operations only take place for the intended purpose, restrict access to personal data to the individuals who have been given permission (authorisation), and protect the data as long as they exist. When other individuals are entrusted with the processing operation, they have to take over the organisation's duties and responsibilities by means of a contract.

In a nutshell, thanks to the Privacy Act, we have the right to protection of our personal data, and this protection can only be ensured if certain security measures are taken.