Many Australian government agencies do not have appropriate controls covering the use of portable storage devices (PSDs) for the handling of personal information.According to new research by the Office of the Privacy Commissioner, this personal information is being lost at an alarming rate.
While agencies have policies regarding the transfer of personal information, more care needs to me taken to protect data on USB keys, PDAs and optical disks. More than (58 per cent) of agencies have experienced the loss or theft of an agency-issued PSD within the past 12 months.
Australian Privacy Commissioner Karen Curtis said three-quarters of government agencies have policies covering the transfer of records containing personal information, however, there is “definitely room for agencies to improve their safeguards governing the use by staff of portable storage devices”.
Conducted by Orima Research during March and April, the research involved a survey of 94 federal Government agencies.
The research indicates 75 per cent of agencies have policies covering the secure transfer of records to external parties, and 69 per cent have policies for staff temporarily working away from the office.
Some 81 per cent of agencies have policies covering uses of agency-issued PSDs, but only 55 per cent have policies covering uses of privately owned PSDs.
While nearly all agencies – 97 per cent – keep a PSD register only 56 per cent are using minimum encryption standards.
Agencies are more likely to use software controls (54%) than hardware controls (16%) to manage or restrict their use.
Curtis said the research will help the privacy office assess risks associated with PSDs “given their growing use by government” and reports of data breaches around the world.
"My office is particularly concerned given recent incidents in the UK where the loss of PSDs by government agencies has led to a serious threat to people's personal information," Curtis said.
The Office of the Privacy Commissioner has also developed a guide to help agencies better manage PSDs.
The report and recommendations come during Privacy Awareness Week 2009.