Australia: Protection of Personally Identifiable Information (PII): A growing concern

[3 minutes read]

PII is 'information or an opinion about an identified individual, or an individual who is reasonably identifiable'.

It includes names, home and email addresses, passport and driver's licence numbers, employment status, criminal record, age, ethnicity, race and more. Identifying all of these diverse forms of data is a complex task.

Under Australian Legislation data, including (PII) is protected under the Privacy Act 1988 as well as under the Australia Government Notifiable Data Breaches Scheme which was introduced in 2018. The latter requires Australian Government agencies and organisations to notify individuals affected by data breaches likely to result in serious harm.

The Problem

Traditionally legal teams may have only thought about protecting personal data when providing documents to a regulatory body, court or another party, in response to, for example, Notices to Produce or Disclosure Orders, consideration being given to whether personal information should be redacted.

However, there is now a more serious threat to PII in the form of Data Breaches. Over the 2021-22 financial year, the Australian Cyber Security Centre (ACSC) reported it received over 76,000 cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This equates to one report every 7 minutes. There was an increase in the number and sophistication of cyber threats, making crimes like extortion, espionage, and fraud easier to replicate at a greater scale.

In recent years, a number of notable data breaches have included:

• 3 billion Yahoo users security questions, passwords and financial info
• 700m LinkedIn users email address, phone numbers and profiles
• 350m Facebook users account names and phone numbers
• 330m Twitter user's passwords

In Australia, data breaches in 2022 included Optus affecting 9.8 million customers, and Medibank, the private health insurer, who confirmed all of its 3.9 million customers were affected.

The Solution

Automated Identification

Relativity Redact is built into our Relativity review offering. It allows users to redact or highlight files in three simple steps:

1. Identify the information you wish to identify and redact or highlight.

2. Set the rules as to what will be automatically redacted or highlighted.

Relativity Redact has a number of pre-set options that can be combined with rules of your choice to identify common patterns such as Credit Card Numbers, Driver Licence Numbers, Tax File Numbers and Birth Dates.

3. QA the results.

Relativity Redact provides a summary of the automated redactions/highlights that are applied. QA can be done on a redaction by redaction or highlight by highlight basis, or by way of mass operations as required.

Documents not Suitable for Automated Redaction / Highlighting

Where documents are not suitable for automated redaction, for example documents where the quality of text is poor and can't be read by the software - handwritten notes or low -quality scanned documents - Law In Order's Document Review team can review these documents and redact or highlight any relevant text manually.

PII that is not Suitable for Pattern Recognition

Automated redaction/ highlighting is possible with a list of known names or a repeatable regular pattern, such as a Tax File Number. However, if you wish to identify and redact all names or text not easily identifiable by pattern recognition, an automated workflow may be insufficient. In this case, our Document Review team can undertake the review of these documents and redact or highlight any relevant text manually.

Summary

Using a combination of technology and human reviewers, Law In Order can provide a quick and cost efficient workflow to assist with you meeting your data protection and reporting obligations.