Privacy and the Internet AUSTRALIAN ATTITUDES TOWARDS PRIVACY IN THE ONLINE ENVIRONMENT



Similar documents
005ASubmission to the Serious Data Breach Notification Consultation

NAPCAN s strategy is to bring about the changes necessary in individual and community behaviour to stop child abuse and neglect before it starts by:

Cyber-safety for Senior Australians. Inquiry Submission

PRIVACY POLICY Personal information and sensitive information Information we request from you

Appendix A DRAFT INFORMATION MANAGEMENT PLAN

Like, post, share short report Young Australians and online privacy MAY 2013

Securities Trading Policy

Data breach notification

Privacy Amendment (Notification of Serious Data Breaches) Bill 2015 Regulation Impact Statement

The Menzies-Nous Australian Health Survey 2012

Kiwis Managing their Online Identity Information

Administrative Procedures Memorandum A1452

Department of the Premier and Cabinet Circular. PC030 Protective Security Policy Framework

Data Security for Retail Consumers Perceptions, Expectations and Potential Impacts

Protection of Privacy

Data breach notification guide: A guide to handling personal information security breaches

Information Circular

WHAT YOU NEED TO KNOW ABOUT CYBER SECURITY

Small businesses: What you need to know about cyber security

WISCONSIN IDENTITY THEFT RANKING BY STATE: Rank 15, Complaints Per 100,000 Population, 9852 Complaints (2007) Updated January 16, 2009

WRITTEN TESTIMONY BY DAVID SNELL FEDERAL BENEFITS SERVICE DIRECTOR NATIONAL ACTIVE AND RETIRED FEDERAL EMPLOYEES ASSOCIATION

Data breach notification guide: A guide to handling personal information security breaches

SENIORS ONLINE SECURITY

Survey of Canadians on Privacy-Related Issues

Overview of the Impact of the Privacy Reforms on Credit Reporting

Cyber Insurance Research Paper

Data breach! cyber and privacy risks. Brian Wright Michael Guidry Lloyd Guidry LLC

AISA Position Statement: Mandatory Data Breach Notification in Australia

Guidance on data security breach management

Mandatory data breach notification in the ehealth record system

2010 Data Breach Prevention and Response:

Special Eurobarometer 423 CYBER SECURITY SUMMARY

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Foreign Currency Account & Foreign Currency Term Deposit Terms and Conditions Effective 1 April 2015

Respecting your privacy

Betting odds and advertising for betting agencies during sports broadcasts Community research JULY 2013

IDENTITY THEFT: WHO S AT RISK?

Guidance on data security breach management

Premium Advertising Sweden UK France Germany

UNILEVER PRIVACY PRINCIPLES UNILEVER PRIVACY POLICY

Cyber Insurance Research Paper

Drill Discover Define. share trading policy

Benefits of LifeLock Ultimate Plus. About LifeLock. 3 Layers of Protection DETECT ALERT RESTORE FACT SHEET LIFELOCK ULTIMATE PLUS

DATA SECURITY BREACH MANAGEMENT POLICY AND PROCEDURE

A survey of public attitudes towards conveyancing services, conducted on behalf of:

Sexting the High Tech Crime Prevention Function

Electronic Health Information at Risk: A Study of IT Practitioners

Procedure for Managing a Privacy Breach

Data Breach Notifications. Submission by the Australian Communications Consumer Action Network to the Attorney General s Department

Disciplinary and Dismissals Policy

Policy No: 2-B8. Originally Released: Date for Review: 2016

BEHIND OUR DIGITAL DOORS: CYBERSECURITY & THE CONNECTED HOME. Executive Summary

2012 NCSA / McAfee Online Safety Survey

The potential legal consequences of a personal data breach

Module 4. Risk assessment for your AML/CTF program

CYBER SECURITY STRATEGY AN OVERVIEW

Opal Privacy Policy. Opal Electronic Ticketing System

Primary Sponsor. Key Sponsor. Sponsor

BAE Systems Cyber Security Survey Report

SMALL BUSINESS REPUTATION & THE CYBER RISK

PRIVACY BREACH MANAGEMENT POLICY

2. What personal information do we collect and hold?

CHC30113 Certificate III in Early Childhood Education and Care

Supplementary Policy on Data Breach Notification Legislation

MARYLAND IDENTITY THEFT RANKING BY STATE: Rank 10, 85.8 Complaints Per 100,000 Population, 4821 Complaints (2007) Updated January 29, 2009

Applying the legislation

Online Reputation in a Connected World

Mitigating and managing cyber risk: ten issues to consider

SENATE STANDING COMMITTEE ON LEGAL AND CONSTITUTIONAL AFFAIRS AUSTRALIAN FEDERAL POLICE. Question No. 100

Di Marzio Research IDENTITY THEFT CONCERNS AND EXPERIENCES. Survey Data Report on: prepared for. Marketing and Strategic Research Consultancy

Privacy Committee. Privacy and Open Data Guideline. Guideline. Of South Australia. Version 1

Once you have submitted the online medical assessment you will receive an online reference number. ONLINE REFERENCE NUMBER Smartform number

PENNSYLVANIA IDENTITY THEFT RANKING BY STATE: Rank 14, 72.5 Complaints Per 100,000 Population, 9016 Complaints (2007) Updated January 29, 2009

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

Westpac Business Debit MasterCard Application

Is There Such a Thing as Internet Privacy?

Patrick Fair Partner, ITC and Data Security Specialist Baker & McKenzie. Developments in Security Regulation

CONNECTICUT IDENTITY THEFT RANKING BY STATE: Rank 19, 68.8 Complaints Per 100,000 Population, 2409 Complaints (2007) Updated November 28, 2008

Data Security Breach Management - A Guide

Special Eurobarometer 423 CYBER SECURITY REPORT

National Cyber Security Month 2015: Daily Security Awareness Tips

Merthyr Tydfil County Borough Council. Data Protection Policy

Halton Borough Council. Privacy Notice

Common Goals of the First European TransGender Council

Guidelines approved under Section 95A of the Privacy Act December 2001

DIGITAL TECHNOLOGY POLICY St Example s School

Information Privacy Policy

WHAT YOU NEED TO KNOW ABOUT:

How To Protect Your Personal Information At A College

privacy and credit reporting policy.

DESTINATION MELBOURNE PRIVACY POLICY

CORPORATE TRAVEL MANAGEMENT PRIVACY POLICY

Visa Debit & Prepaid Card Access Terms and Conditions As at 1 August 2015

Catalyst Consulting & Events (CCE) takes seriously its commitment to preserve the privacy of the personal information that we collect.

DATA AND PAYMENT SECURITY PART 1

Appeal of Mobile Payment Solutions Executive Summary March, 2012

Personal Information Protection Act Information Sheet 11

Security tips for the use of social media websites

HUMAN RESOURCES POLICIES & PROCEDURES

Submission in Response to the Personally Controlled Electronic Health Record System: Legislation Issues Paper

Transcription:

APRIL MAY 2011 2012 ISSUE ISBN 40 978-1-922017-02-4 ISBN XXX-X-XX-XXXXXX-X Privacy and the Internet AUSTRALIAN ATTITUDES TOWARDS PRIVACY IN THE ONLINE ENVIRONMENT Key Findings 85% of online Australians believe data breach notification should be mandatory for business Australians nominated identity theft (86%) and loss of financial data (83%) as their areas of greatest privacy concern. The financial sector is most trusted on privacy (42%), followed by government and the ecommerce sectors Social media is the least trusted industry on privacy (1%). In fact, 61% of respondents nominated the social media industry as having the worst privacy practices Overall, women feel more secure than men online, and younger people (18-29 years old) feel more secure than older people (50+ years old)

Introduction Most people will say that privacy matters to them, but like so many social issues, it is a state which is hard to define, as it is an intensely personal interpretation. The continued rise of the Internet and related mobile technologies will test our understanding of privacy, as we increasingly engage commercially and socially in the online environment. The Office of the Australian Information Commissioner - acknowledging the very individual interpretation of what one regards as private - focuses on personal information defining it as: Information that identifies you or could identify you. There are some obvious examples of personal information, such as your name or address. Personal information can also include medical records, bank account details, photos, videos, and even information about what you like, your opinions and where you work - basically, any information where you are reasonably identifiable. Section 6 of the Privacy Act 1988 defines personal information as: Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion. The loss of personally identifying information can be caused by a variety of factors, affect different types of personal information and give rise to a range of actual or potential harms. About the Authors Alastair MacGibbon is an internationally-respected authority on cybercrime, including Internet fraud, consumer victimisation and a range of Internet security and safety issues. For almost 5 years Alastair headed Trust & Safety at ebay Australia and later ebay Asia Pacific. He was a Federal Agent with the Australian Federal Police for 15 years, his final assignment as the founding Director of the Australian High Tech CrimeCentre. Nigel Phair is an influential analyst on the intersection of technology, crime and society. He has published two acclaimed books on the international impact of cybercrime, is a regular media commentator and provides executive advice on cyber security issues. In a 21 year career with the Australian Federal Police he achievedthe rank of Detective Superintendent and headed up investigations at the Australian High Tech Crime Centre for four years. About the Centre for Internet Safety The Centre for Internet Safety at the University of Canberra was created to foster a safer, more trusted Internet by providing thought leadership and policy advice on the social, legal, political and economic impacts of cybercrime and threats to cyber security. The Centre for Internet Safety is hosted within the Faculty of Law at the University of Canberra. The University of Canberra is Australia s capital university and focuses on preparing students for a successful and rewarding career. www.canberra.edu.au/cis 2

About the survey The Centre for Internet Safety at the University of Canberra partnered with ebay.com.au to survey ebay users about their attitudes towards privacy and how it affects their actions online. The survey was conducted by The Paradigm Shift Research Consultancy in March 2012 and is comprised of a representative sample of 700 Australians who visited ebay in the past 12 months, broken down as follows: 29% 22% 24% 24% 18-29 years old 30-39 years old 40-49 years old 50+ years old 51% 49% Male Female Whilst it does not include all Australians online, nor those Australians who are not online, it provides an illustrative overview of consumer attitudes on privacy in the digital age. The views conveyed in this report are that of the Centre for Internet Safety. What the survey told us People say perception on privacy is a determinant in their online activities, particularly their decision to buy and sell goods and services online. They are most concerned about the privacy of their financial information, with loss of financial data and identity theft being the two highest concerns. They want the government to mandate informing consumers when privacy is breached. They believe the banking industry has the best privacy practices for their personally identifying information, followed by government and ecommerce sectors with the social media industry a very distant last. How breaches of privacy can impact Australians It is increasingly common to hear news reports of information security breaches from well known and trusted consumer brands. Notable examples include Sony with the loss of over 77 million personal records and Heartland Payment Systems with the loss of over 130 million credit and debit card numbers. But it is not just these large compromises that should be concern: a privacy breach occurs when an individual's personal information is accessed, collected, used or disclosed in contravention of applicable privacy legislation or and organisation s privacy policy. And that can be on a small scale, online and offline. A loss of personally identifying information arising from a privacy breach can expose individuals to risks such as embarrassment, loss of employment or business opportunities, personal safety and identity theft. These risks can have significant consequences for Australian consumers with the impact lasting many years. Under existing Australian law, government agencies and organisations are not required to notify individuals when their personal information has been compromised. Too few organisations are prepared to respond to a privacy breach when it happens. Too many naively believe a privacy breach will not happen to them. 3

Perceptions of privacy impact online behaviour People generally assume all communications and transactions between them and another online user will remain private. User perception of privacy is an important consideration as to whether or not they will buy or sell goods and services online. 94% of Australian ebay users rated ebay s privacy practices as an important-very important contributor to their decision to use ebay as a service. 97% of respondents rated privacy as an important to very important contributor to their decision to buy and sell online (60% very important) overall. This goes beyond privacy policies to an overall perception of how data will be used and secured by online companies. How important are ebay s privacy practices in your decision to use ebay as a service? 6% 94% Important to Very Important Not important to less important What Australians are concerned about These numbers are consistent with other surveys and logical: people care most about personal data that can lead to criminals using their name and associated details which may cost them money. They - quite rationally - see social media as being by its very nature largely inconsistent with the concept of privacy. The results showing that respondents are not as concerned about social media may indicate a less developed understanding of the role information found on social media sites can be used by criminals. Consumers need to realise the information they provide about themselves, including places of work, education and recreation could be used by criminals to build a picture of that person, which may be added to other personally identifying information, or be used to game other systems to build a more thorough picture of a person s identity which can be financially transacted upon. Appendix 1 of this report contains the top tips from the Office of the Australian Information Commissioner for protecting personal information. The development of internal organisational Privacy principles, such as those requiring personal information to be stored securely and restricting the circumstances in which personal information can be disclosed, will assist in reducing identity theft by preventing the widespread dissemination of personal information as well as giving consumers enhanced trust and confidence in an online brand. The Office of the Australian Information Commissioner has produced Data breach notification: a guide to handling personal information security breaches (2011) which provides tips to organisations about internal processes and procedures for improving privacy practices. People rated identity theft (86%) and loss of financial data (83%) as their areas of greatest privacy concern. They were least concerned about social media (42%). Area of privacy concern Identity Theft Loss of Financial Data Random Exposure of Personal Details Inappropriate Sharing for Marketing Purposes New technologies Mobile Devices New technologies Social Media 0 25 50 75 100 Very Important 4 3 2 Not Important 4

Australians want mandatory data breach notification A privacy breach is the result of unauthorised access to, or collection, use or disclosure of, personal information. Proper breach management, including notification where warranted, will assist government and private sector organisations in retaining the trust of the individuals whose information is improperly released and help them to protect themselves. 85% of survey respondents want mandatory data breach for private businesses (80% 18-29yrs / 89% 50+yrs). Do you think notification for a breach of personal information should be mandatory for private businesses? actionable, the second is the notice (itself) which needs to be consistent how the organisation normally communicates with its customers, and that data breach notification should not be a one size fits all approach, taking into the account the impact data breach notification could have on small businesses. The Centre for Internet Safety has consistently argued that it is time for the Commonwealth Government to begin active discussions in relation to a mandatory data breach regime, and that during those discussions any nuances of the regime can be ironed out. In the mean time, organisations interacting with customers need to develop their own data breach notification guidelines (Apprendix 2) so that they may act in a manner expected by Australians and evidenced by the 85% response in the affirmative to our question. Who s leading the way... 11% 4% 85% Yes No I don't know Organisations need to understand their obligations under the privacy laws and applicable regulations in the jurisdictions where they operate. They also need to have a good understanding of their organisation's information handling practices, coupled with a privacy policy which reflects their personal information handling practices and compliance with laws and regulations. The ALRC recommended in May 2008 that the Privacy Act be amended to require an agency or organisation to notify the Privacy Commissioner and affected individuals when a data breach has occurred that may give rise to serious harm to any affected individual. ebay has publicly advocated notification in the event of a breach of privacy with the following caveats. The first part is, it has to be When asked which sector had the best privacy practices, 42% of respondents identified banks and credit unions, making them the standout as the most trusted for protecting a customer s privacy. This was followed by government agencies and ecommerce companies. A dismal 1% of respondents identified the social media industry as privacy leaders....and who isn t Conversely, when asked to select the industries whose practices least supported privacy, 61% of respondents nominated social media. Only 5% of respondents suggested ecommerce companies were least privacyfriendly. [See chart below] Although not statistically significant, it was interesting to note that 18-29 year olds were slightly less trusting of social media s privacy (66%) than 50+ year olds (63%). And only 2% of 18-29 year olds nominated government as having the worst privacy standards versus 12% of 50+ year olds. Which of the following industries has the poorest privacy practices (please choose one)? Social media industry None of the above Government sector Banking industry Technology industry E-Commerce industry Other 0 10 20 30 40 50 60 70 80 90 100 5

Gender and age di"erences Consistently throughout the survey it is apparent that women feel more secure than men, and younger people (18-29 years old) feel more secure than older people (50+ years old). Very - somewhat secure Neither secure nor insecure Somewhat - very insecure Female Male 0 20 40 60 80 100 Very - somewhat secure Neither secure nor insecure Somewhat - very insecure 18-29 Years Old 50+ years old 0 20 40 60 80 100 Conclusion Privacy remains a critical element for individuals doing business or engaging online. While it is understandable there are distinctions between industry sectors and their privacy practices, more needs to be done, particularly in the area of social networking. Individuals and consumers also have strong expectations in relation to areas of data breach notification and it is time for the Australian Government to act. 6

Appendix 1 Tips from the O#ce of the Australian Information Commissioner for protecting personal information Protect your personal information by: Asking a few questions next time someone asks you for personal information like your name, date of birth and where you live. What do they want it for? What will they do with it? Who else will see it and how will it be stored? Will they destroy it when they no longer need it? It's your information, don't just hand it over without asking "why?" Checking your online privacy settings so you are aware of how your information is used. It's important to understand what someone else intends to do with your information, to choose who sees your posts when social networking and to exercise your right to opt out of receiving marketing material if you choose to Thinking about how much personal information you reveal. You make it easier for identity thieves when you make lots of information about yourself public, and pictures and comments you make today on social networking sites may embarrass you in the future Reading privacy policies to know how an organisation protects your information Follow these tips to protect your privacy when using social networking sites: Check the privacy settings Consider how information you share might be used. What might a future employer or partner think if they read it? Online information can be collected, aggregated and shared easily. When harmless information you post about yourself is added to the mix, a full profile about you emerges. Who might see it? Sharing information with just a few people doesn't stop it reaching a wider audience; consider who might pass things on Check that it's ok with them before you post and tag pictures of someone else, and ask they do the same for you Use closed 'friend' groups to control the access different people in your life have to your posts Don't accept friend requests from people you don't know Avoid location based check-ins if you don't want everyone to know that noone's home Further information can be found at http://www.privacyawarenessweek.org/oaic/ do.html 7

Appendix 2 Data breach response process produced by the O#ce of the Australian Information Commissioner 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information