Today it was reported in Australia that "sensitive medical records and personal health information" were dumped at a recycling center in Canberra. This was given as an example of a privacy incident within the annual report from the ACT Community and Health Services Complaints Commissioner.
This type of incident is not uncommon. It highlights the huge problems organizations have with their information security and privacy programs: lack of policies, lack of procedures and lack of awareness.
If personnel were told the risks, and the proper procedures to follow, for disposing of personally identifiable information (PII), there would be far fewer careless incidents such as this one.
The report itself has some interesting statistics about all aspects of healthcare, beyond information security and privacy; use the applicable portions as examples within your information security and privacy awareness and training efforts. Although the report was specific to the healthcare industry, some of the lessons learned are applicable to all types of organizations.
Some statistics I found particularly interesting include:
- There was a "13 per cent spike in complaints about the health sector in 2005-06."
- "The commissioner’s office received 580 inquiries that resulted in 276 complaints in the past financial year – up 13 per cent on 2004-05."
The public is becoming more vocal about its concerns and is increasingly likely to file formal complaints with regulatory oversight agencies.
The report emphasizes the importance of awareness.
You can never tell personnel or your consumers enough times, or in too many different ways, about information security and privacy.
Much of the report covers compliance and privacy concepts that are new to information security professionals, such as providing access to individuals’ PII upon their request, allowing them to request corrections to their PII, and so on.