[LINK] Fwd: [ PRIVACY Forum ] Google reduces "Google Suggest" non-anonymized data retention to 24 hours or less
Stephen Wilson
swilson at lockstep.com.au
Wed Sep 10 10:45:48 AEST 2008
[Cross-posting a privacy point from the Link list]
Marghanita da Cruz 10/09/2008 wrote:
> This does raise some questions about designing privacy and security into
> systems. Can any linkers advise whether personal information can be captured in
> Caches?

The Collection Principle is blind with regards to the manner in which
personal information is gathered. If an organisation comes to hold
personally identifiable information by hook or by crook -- whether it is
volunteered by a user filling out a form, or generated by the
organisation's internal evaluative processes, or written into an audit
log as a by-product of a transaction system -- then the organisation is
liable for that information under the Privacy Act. So yes, if
personally identifiable information is cached, then that cache is
subject to privacy regulations (including the Security Principle which
sets requirements that are probably rarely even thought about in practice
for caches and the like).

Audit logs are a particular concern of mine. Ordinarily, who would
think of the Privacy Act in the context of audit logs? But consider
that the routine transaction histories of online grocery customers might
include their purchases of St John's Wort, a herbal remedy for
depression. That is, an online grocery store server will come to hold
information about their customers' mental health (or their beliefs about
their mental health -- same same). So not only might an audit log
unexpectedly come under the Privacy Act's security, collection, use &
disclosure requirements, but it should also be understood to be holding
*Sensitive* information, which is subject to even more stringent standards.

Cheers,
Steve.
Stephen Wilson
Managing Director
Lockstep
Phone +61 (0)414 488 851
www.lockstep.com.au
-------------------
Lockstep Consulting provides independent specialist advice and analysis
on authentication, PKI and smartcards. Lockstep Technologies develops
unique new smart ID solutions that safeguard identity and privacy.