Tasks C
Overview
Now that Pacific Internet Solutions are operating in Australia, it is necessary that their policies and procedures comply with Australian requirements. You have been tasked with reviewing and revising their Privacy Policy and Procedures to ensure that they comply with regulatory requirements. As with most organisations, Pacific Internet Solutions currently do not adequately protect the privacy of identity information they collect and store on their customers and staff. At present, Pacific Internet Solutions have a written privacy policy, but that is all.
The Pacific Internet Solutions Privacy Policy is as follows:
"In all areas of our business we seek to protect the privacy of our customer's data. We will not:
• divulge any private data on our customers unless explicitly required to by law
• all private data will be treated in-confidence and stored in secure storage facilities when not in use
• all private data on our customers will be archived to secure facilities after three years of inactivity i.e. three years after the last trip booked through Pacific Internet Solutions
• credit card details will not be stored, only a card transaction identifier (last four digits of the credit card) will be kept against a transaction."
Review the above privacy policy, identify any shortcomings, and prepare a Privacy Policy and Procedures Manual that adheres to the 13 privacy principles. The new manual must address any deficiencies that you have identified in the privacy policy outlined above.
The Privacy Policy and Procedures Manual should include:
• Statements of Pacific Internet Solutions' new policy in regard to protection of private data. A statement on each of the privacy principles in Australian privacy legislation is required. These policy statements must address both customer data and employee data, since the information collected and the frequency of refresh (or deletion) will differ between the two data sets.
• A procedures statement as to how Pacific Internet Solutions will achieve adherence to the privacy principles. This translates the policy statements into activities required to achieve the policy.
Note that while there will typically be a policy statement for each privacy principle, a procedures statement may cover more than one principle. For instance, an end-of-month process might archive a subset of identity data (deleting sensitive data no longer needed) and purge archive data that has not been refreshed.
In preparing your document you should:
• refer to the privacy principles in the Federal law regarding protection of privacy data
• refer to technology such as website security mechanisms for protecting Pacific Internet Solutions client details while they are using on-line services
• make use of mechanisms such as secure file transfer technology (HTTPS, SSL etc.)
• use an information architecture approach whereby identity records consist of sensitive and non-sensitive pieces of data that can be treated differently in order to adhere to privacy legislation
• describe how privacy protection procedures will apply to back-ups and storage of files containing sensitive data
• use secure database management technology so that access to sensitive attributes in the data will be controlled with timely and accurate authentication of database administrators
• include direction on physical network layout that ensures, for instance, a workstation capable of accessing sensitive personal information is not placed in an open office environment in which the screen could be viewed by non-authorised persons.
You have been provided with the privacy policies of NEC, MACQUARIE TELECOM, and NEXTDC LIMITED for reference. You may also use any other publicly available privacy policy of any organization as a reference.