The content on this page and other DBCDE document archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.


Why is privacy an important issue for e-security?

The Privacy Act and e-security

On 21 December 2001 the Privacy Amendment (Private Sector) Act 2000 came into effect. The Act increases the privacy protection enjoyed by Australians and extends legally enforceable privacy obligations to the private sector. As awareness of Internet privacy issues grows, businesses are also recognising the value of posting privacy policies on their websites. Ensuring respect for privacy in the online environment increases consumer confidence and trust, a key aim of all e-security measures.

The privacy legislation establishes minimum standards for the protection and handling of personal information in the private sector, and applies to both conventional and electronic environments. It establishes a co-regulatory approach and provides legislative benchmarks for the private sector.

Under the new Act, a set of National Privacy Principles (NPPs) that describe minimum standards for the handling of personal information now apply to the private sector. These principles relate to the manner in which personal information may be collected and used, and to whom it may be disclosed. The NPPs require that businesses using personal information be open about their information practices and maintain the accuracy of the personal information.

Businesses must take reasonable steps to keep personal information secure. They must not adopt government identifiers such as Tax File Numbers as their own means of identifying individuals, and where it is lawful and practicable they must allow users to transact anonymously. Additionally, the NPPs give individuals a right to access information that is held about them and a right to have it corrected if it is inaccurate.

The Act permits individual organisations or industry sectors to develop their own privacy codes. The codes can vary from the NPPs but they cannot impose a lower standard than that required by the NPPs. Codes must be approved by the Australian Privacy Commissioner and must either be enforced through the Privacy Commissioner's Office or through a code adjudicator.

If you are planning to take your business online, you will need to develop a privacy policy and back it up with appropriate technology choices. For instance, encrypting online transactions with SSL/TLS protects your customers' personal data from being read by others while it is in transit. Note that this protects the data only in transmission: once it reaches your systems it must be protected by the access controls and storage safeguards that the NPPs' security obligation requires, so the policy and the technology should address both.

Website privacy policies

Business privacy policies are not limited to online activities but consumers are coming to expect companies to include privacy policies on their websites. These will usually be fairly short and focus on what will be done with any information the consumer provides.

Many industry associations have developed specific privacy policies for member businesses. The Organisation for Economic Co-operation and Development (OECD) has developed a Privacy Policy Generator which can be used to generate a policy specific to your business needs.

The Privacy Act also controls the sending of direct marketing materials via email. Customers must be given the option of 'opting out' from direct marketing programs via email, even if they supply their email address in relation to an order or other transaction.

While every business website will need a slightly different privacy policy, a typical example would contain the following elements:

  • A statement that the website will not disclose any personal information without first obtaining user approval, unless required to do so to satisfy a legal obligation;
  • An outline of the circumstances under which personal data might be shared with others;
  • Information on what log file information (such as the unique IP addresses of visitors to the site) is stored by the site; and
  • Provisions regarding how email addresses submitted to the site will be used.

Cookies and Web bugs

Many business websites use 'tracking' technologies to record who has visited their sites, and to allow regular customers to see content or offers specific to their needs. Such facilities can be very useful for customers, and they are often built into website hosting deals or software packages. However, customers need to be made aware that they are being tracked.

A popular technology for tracking individual behaviour online is the cookie. A site that uses cookies stores a small amount of data in a file on the hard drive of each visitor's PC; the browser sends that data back with every later request to the same site, which allows the site to recognise a returning visitor.

Cookies are commonly used to keep a user 'logged in' to a site: after a password has been checked, the site sets a cookie that the browser presents on later requests. This is convenient, but it carries risks. The cookie is stored in clear text on the visitor's PC, so a site must never write the password itself into it; a cookie that holds the credential violates one of the basic principles of password security. The cookie also travels across the network in clear text unless the connection is protected by SSL/TLS, so anyone who can read the traffic can copy it and impersonate the user. For commercial transactions, cookies are therefore no substitute for a system with a higher level of security: the transaction itself should be protected by SSL (with a PKI-issued server certificate), and the cookie should hold only a random session identifier and be marked so that the browser sends it only over the encrypted connection.

Users can also choose to disable or restrict cookies in their browser. This limits tracking, but sites that rely on cookies to keep a user logged in may no longer work properly.
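The cookie risk described above, as an added example that is not part of the original page: a Python script contrasting a cookie that carries the password itself with a session cookie that carries only a random, server-side token marked Secure and HttpOnly, plus a small audit routine that flags the weak pattern. The function names (password_cookie, session_cookie, audit_cookie), the in-memory SESSIONS table and the sample user "alice" / password "hunter2" are assumptions made for the example.

```python
import secrets
from http.cookies import SimpleCookie

# Server-side session table (token -> username). An in-memory dict stands in
# for the database or cache a real site would use; constructed for this example.
SESSIONS = {}


def password_cookie(username, password):
    """The weak pattern the text warns against: the credential itself is written
    into the cookie. It then sits in clear text in the browser's cookie store and
    travels with every request, so a copied cookie file or a sniffed plain-HTTP
    request hands an attacker the password."""
    cookie = SimpleCookie()
    cookie["auth"] = f"{username}:{password}"
    return cookie.output(header="Set-Cookie:")


def session_cookie(username):
    """The hardened pattern: the browser only ever holds a random session token
    that reveals nothing about the credential. Secure tells the browser to send it
    only over SSL/TLS; HttpOnly keeps page scripts from reading it. The token is
    bound to the user on the server side, never inside the cookie."""
    token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG, hex-encoded
    SESSIONS[token] = username
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["secure"] = True
    cookie["session"]["httponly"] = True
    cookie["session"]["path"] = "/"
    return cookie.output(header="Set-Cookie:"), token


def resolve_session(token):
    """What the server does on each request: look the presented token up in the
    session table. An unknown or forged token maps to no user."""
    return SESSIONS.get(token)


def parse_set_cookie(header):
    """Split a Set-Cookie line into (name, value, attributes). Attribute names are
    lower-cased; flag attributes such as Secure carry the value None."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else None
    return name, value, attrs


def audit_cookie(header, secret_words=()):
    """Return the problems a reviewer would flag in a Set-Cookie line: missing
    Secure or HttpOnly flags, and any of the given secrets (for example the
    user's password) appearing verbatim in the cookie value."""
    _, value, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure flag: cookie will be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly flag: readable by page scripts")
    for word in secret_words:
        if word in value:
            findings.append(f"secret {word!r} stored in clear text in the cookie")
    return findings


if __name__ == "__main__":
    weak = password_cookie("alice", "hunter2")
    print(weak)
    print(audit_cookie(weak, secret_words=["hunter2"]))
    strong, token = session_cookie("alice")
    print(strong)
    print(audit_cookie(strong, secret_words=["hunter2"]))
    print(resolve_session(token), resolve_session("0" * 32))
```

Running the script prints the two Set-Cookie lines side by side: the weak one exposes the password and has no protective flags, while the session cookie carries only the token with Secure and HttpOnly set, and only a token that the server issued resolves to a user.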

Web bugs perform a similar tracking function to cookies, but in a more basic way. A Web bug is a small, usually invisible graphic image (often a single pixel) embedded in a page, document or HTML email. When the image is fetched, the server that hosts it records the request, including the requester's IP address and the time, and can tie it to a cookie it has already set, which reveals who has viewed the page or opened the email. Specialised software such as Bugnosis can detect Web bugs and alert the user to them. If your site uses Web bugs, then this needs to be disclosed in your privacy policy.

Monitoring staff online

Another issue that links privacy and e-security is the monitoring of employee computer use and Web browsing habits. Many email gateways and firewall products allow employers to log employee Internet use, or to scan outgoing email to ensure that it does not contain inappropriate content. Specialised software such as WebTrends can also be used to process and analyse Internet access log files.

Businesses using this kind of technology should disclose the fact to their employees. The Office of the Federal Privacy Commissioner has developed guidelines for government departments using such technology. Although these guidelines are not compulsory for private businesses, they are recommended by the Privacy Commissioner as being good privacy practice.

Conclusion

Adopting a business privacy policy may not only be a legal requirement, it can make good business sense. For instance, it will help reassure your potential customers that their data is safe and secure. There are many resources available to assist you in developing an effective privacy policy.

How to make it happen

Further information on privacy laws, privacy policies and means for monitoring website visitors can be found at the following websites.

Where to go online for more information

The Office of the Federal Privacy Commissioner (OFPC) - www.privacy.gov.au

OFPC Guidelines on Workplace E-mail, Web Browsing and Privacy - www.privacy.gov.au/issues/p7_4.html

OECD Privacy Statement Generator - http://cs3-hq.oecd.org/scripts/pwv3/pwhome.htm

Bugnosis - www.bugnosis.org

Cookie Central.com - www.cookiecentral.com

WebTrends - www.webtrends.com

If you are searching the Web on this topic, try the following search terms: online privacy, privacy policy, privacy software

Document ID: 19759 | Last modified: 8 February 2008, 10:10am