Network administrators have received a fresh warning to ensure the safety of personal data.
Privacy Commissioner Bruce Slane issued the reminder to Computerworld after recent hacking and virus incidents raised industry concerns about the responsibilities of IT staff concerning private data.
Slane says he is regularly quizzed about the liability of businesses such as internet service providers and the liability a company may face if hackers infiltrate its server.
“Although the actual liability will depend on the circumstances of each case, it is safe to say that companies should stick by principle 5 [of the Privacy Act].”
Principle 5 requires an agency to take reasonable steps in the circumstances to protect the information it holds against unauthorised access, misuse or loss. Slane says this will vary upon the type of organisation and the sort of information they hold.
Slane told Computerworld that he wasn’t aware of any such complaints or current investigations against firms, but it was “reasonable to expect firms take reasonable precautions”.
He recently outlined similar concerns to security firms and an Auckland conference on internet law.
Security consultant Grant Cherrington quizzed Slane after wondering what liability might fall on the system administrator if a network is attacked. Cherrington, of Wellington-based outfit Initiative Technology, accepts the hacker would largely be at fault but suggests people aren’t aware of their responsibilities under the Privacy Act.
“Many systems administrators aren’t aware that they have this obligation [to ensure systems are reasonably secure],” Cherrington says.
Cherrington says Slane echoed his concerns that few IT staff are aware of their responsibilities.
Slane told the conference that the security safeguards that it would be reasonable to expect “of an organisation such as a major bank will not be the same as those that a small trader with a limited database might need to adopt. And the standard will adjust over time. Certainly, in the area of computer security, what was reasonable in 1994 may not be sufficient in 2001.”
The commission cannot act until someone complains after a security breach but Cherrington says this still shows firms must be pro-active in ensuring adequate security.
The commissioner says the principles behind data stored on computer are the same as those for data stored on paper, and organisations have been investigated and charged.
Late last year, Health Waikato was forced to settle with a young Fiji woman after failing to protect sensitive health information on her.