In the Privacy Act amendments that commence on 12 March 2014, Australian Privacy Principle 11 will require an entity to take reasonable steps to protect personal information from ‘interference’ (eg hacking), as well as from misuse, loss, unauthorised access, modification or disclosure.
As email communication becomes more commonplace and convenient than postal communication for businesses and their customers the question arises as to what are reasonable safeguards for the protection of personal information (whether financial, health or otherwise) contained in emails.
Many statutory notices and account statements can now be sent electronically but there is no prescription as to how this can be done securely.
If the email is sending an attachment then whether the attached document is in Word or the like or is in PDF, the attachment can be password protected with a password given separately to the receiver.
Alternately the email can send a password-protected link to a secure web portal with download access to the relevant information or document.
But what about the email itself?
The Office of the Australian Information Commissioner (OAIC)'s Guide to Information Security: ‘Reasonable steps’ to protect personal information refers to encryption.
While most businesses use a securely encrypted webpage for individuals who carry out transactions with the business’s website, such as making payments which also involve individuals providing their banking information, there is less consideration of whether they should encrypt email communications.
In case your systems are accessed, are your saved email folders encrypted?
Most email systems (including Outlook) offer encryption options.
Do you know how secure your emails are?
More about encryption from How Stuff Works: Encryption.
Print This Post
Posted 29th July 2013 by David Jacobson in Business Planning, Compliance, Financial Services, Privacy, Web/Tech