Why businesses should prioritise identifying Personally Identifiable Information (PII).

10.01.2023

Amongst other things, 2022 will be remembered as a year where millions of Australians grew increasingly aware of the impact that the storage and under-protection of Personally Identifiable Information (PII) can have.

The first half of 2022 saw a 33% jump in large-scale data breaches according to the Office of the Australian Information Commissioner (OAIC)[1]. These were breaches that involved the data of more than 5000 Australians.

The latter part of 2022 saw two of the worst data breaches in Australian history, with hackers stealing (and in some cases, releasing) the PII of millions of Australians. The Medibank crisis alone exposed personally identifiable health records of nearly 40% of the Australian population[2], with the Optus hack expected to cost the business $140 million[3].

Identifying Personally Identifiable Information

While deciding whether a piece of information is personal may seem like a straightforward assessment, identifying PII in practice can be tricky.

The Privacy Act defines ‘personal information’ as:

‘Information or an opinion about an identified individual, or an individual who is reasonably identifiable:

  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not.’

And where uncertainty exists, OAIC encourages entities to “err on the side of caution by treating the information as personal information, and handle it in accordance with the Australian Privacy Principles (APPs).”

The reality is that some businesses don’t even realise they are holding PII, because it lurks in places and categories that may not register with those guarding it. Here are just some* of the ways that PII can be tricky to find:

  1. Information does not have to be explicitly recognised as personal information to constitute personal information under the Privacy Act – the types of PII vary widely.
  2. PII can be any information (including opinion) that can reasonably identify an individual; it is not limited to details about an individual’s private or family life.
  3. Even if a piece of information is incorrect, it can still be considered personal information.
  4. Opinion and commentary can also be PII. For example, an opinion on an individual’s racial or ethnic origin, a referee’s comments about a job applicant’s career or attitude, or inferences about an individual’s preferences based on online purchases.
  5. Consider the linkage of information. While non-sensitive PII may seem relatively innocuous on its own, one piece of information linked to another may make a clear picture of an individual emerge.
  6. While ABN details are publicly available, if the person is a sole trader or the business is carried out by one person, the details may be considered PII. This can also extend to other business information such as utility usage, loans granted, etc.
  7. A name does not need to be present to identify an individual. Information such as a detailed description or photograph may be considered PII if it can be linked back to the specific person it relates to.
  8. PII about one individual could also include PII of another, in what is known as ‘joint personal information’. For example, listing the biological father of an individual means the personal information of two individuals exists, and even a doctor’s opinion on a patient’s prognosis may be considered personal information of both the doctor and the patient.
  9. The classification of PII is often determined by who holds access to that information. For example, access to a car registration may not enable one person or group to identify an individual, but the same registration may be considered PII if accessed by another.
  10. Information about something other than an individual can still be considered personal, e.g., notes on car repayments, although seemingly about the property, may be considered PII.

Is your business unknowingly storing PII?

It’s clear the definition of PII is cloudy.

To make things even more complicated, PII can be stored in a variety of formats – scanned forms or notes, digital documents (PDFs, forms, presentations), photos and videos, chatbots and more. These are the tools that almost every person in a business uses on a daily basis.

And with an estimated 80-90% of all data existing in an unstructured, more difficult to navigate format[4], it’s imperative for every business to have a solution that caters to this unstructured world.

To help achieve this, some organisations have implemented Data Loss Prevention (DLP). However, DLP often does not account for pre-existing or acquired data, and some data will sneak through, as it does with any perimeter barrier. This is just one of the reasons that Gartner’s Market Guide for Data Loss Prevention[5] claims that DLP alone is not enough to ensure your business is protected.

Enlist Frisk to protect your PII

It’s no wonder that many business owners and leaders are kept awake at night wondering what a hacker could be privy to.

The end of 2022 saw increased penalties for serious and/or repeated privacy breaches. The Privacy Legislation Amendment increased the maximum penalties to whichever is greater of[6]:

  • $50 million;
  • Three times the value of any benefit obtained through the misuse of information; or
  • 30 per cent of a company’s adjusted turnover in the relevant period.

These penalties also don’t take into consideration costs to the business such as reputation damage, lost customers, decline in business value, etc.

With stakes this high, Australian businesses should feel compelled to prioritise the identification and protection of personal information.

To reduce the risk of a privacy breach, organisations can manually scan every data entry and asset for PII, or deploy indexing technology to do the work for them.

That’s where Frisk can help. The software can be deployed to undertake a detailed audit of stored data to identify the location and categorisation of PII, and utilises advanced technology to:

  • Audit data across structured, semi-structured and unstructured formats, whole-of-enterprise.
  • Identify data such as passport and driver’s licence numbers via pattern and fuzzy matching.
  • Detect, and refine the detection of, data that is not explicitly categorised as PII via a sophisticated context and vocabulary model that utilises Natural Language Processing (NLP) and Machine Learning.
  • Deploy in cloud, on-premise or in combination, with the ability to leverage embedded (legacy) technologies and in-house capabilities.
  • Seamlessly integrate with existing systems and an intuitive UX/UI.
  • Allow for installation and configuration without the need to customise, code or conduct arduous data migration strategies.

The average cost of a data breach in Australia in 2022 was $2.23 million USD per breach, set to rise with the new penalties in place. And for 83% of companies, it’s not if a data breach will happen, but when. Usually more than once[7].

Can your business afford not to prioritise PII in 2023?

Email us at hello@frisk.com.au to chat about how Frisk can help protect your business.

*This information is not legal advice and should not be used to determine or classify personal information.

References:

[1] Office of the Australian Information Commissioner. (2022) OAIC data breach report shows key privacy risks. Available at: https://www.oaic.gov.au/updates/news-and-media/oaic-data-breach-report-shows-key-privacy-risks#:~:text=There%20were%2024%20data%20breaches,caused%20by%20cyber%20security%20incidents. (Accessed: 10 Jan 2023)

[2] de Kretser, A. (2022) Medibank rules out ransom as breach hits 9.7 million. Available at: https://www.afr.com/companies/financial-services/medibank-won-t-pay-ransom-as-breach-hits-9-7-million-20221107-p5bw2d#:~:text=Nearly%20four%20weeks%20after%20first,if%20their%20information%20is%20misused. (Accessed: 9 Jan 2023)

[3] Samios, Z. (2022) Optus hack to cost at least $140 million. Available at: https://www.smh.com.au/business/companies/optus-puts-aside-140m-to-replace-customers-hacked-identity-documents-20221110-p5bx4g.html (Accessed: 10 Jan 2023)

[4] Rizkallah, J. (2017) The Big (Unstructured) Data Problem. Available at: https://www.forbes.com/sites/forbestechcouncil/2017/06/05/the-big-unstructured-data-problem/?sh=52aa86e1493a (Accessed: 10 Jan 2023)

[5] Gartner. (2021) Market Guide for Data Loss Prevention. Available at: https://www.gartner.com/en/documents/4002997 (Accessed: 10 Jan 2023)

[6] The Hon Mark Dreyfus KC MP. (2022) Parliament approves Government’s privacy penalty bill. Available at: https://ministers.ag.gov.au/media-centre/parliament-approves-governments-privacy-penalty-bill-28-11-2022#:~:text=The%20Privacy%20Legislation%20Amendment%20(Enforcement,the%20misuse%20of%20information%3B%20or (Accessed: 9 Jan 2023)

[7] IBM Security. (2022) Cost of a Data Breach Report 2022. Available at: https://www.ibm.com/au-en/reports/data-breach#:~:text=Data%20breach%20average%20cost%20increased,USD%204.35%20million%20in%202022. (Accessed: 10 Jan 2023)