Cloud Privacy and Security: ITC 568 Assignment 3 Report Analysis
Added on 2020/04/07
AI Summary
This report, addressing ITC 568's Cloud Privacy and Security Assignment 3, provides a comprehensive analysis of personal data management, protection, and related security strategies. It begins by defining personal information according to the Privacy Act 1988 and explores management principles, including collection, accuracy, storage, and disclosure. The report then delves into the collection and management of solicited personal information, adhering to the Australian Privacy Principles (APP3), and examines the use and disclosure of personal information according to APP6. It also addresses the role of digital identities in securing online services, including authentication, authorization, and the use of blockchain technology. The report further details strategies for securing personal information, including access security, ICT security, and data breach prevention, while also covering the security of personal information. Finally, it offers recommended privacy and data protection strategies, focusing on mitigating identified security risks and implementing comprehensive protection measures, including authorized access, de-identification, and archiving of personal data. The report is structured to provide a thorough understanding of cloud privacy and security challenges and solutions.

ITC 568 Cloud Privacy and Security
Assignment 3
Student (1) Name: Samiul Matin
Student ID: 11555564
Participate Student (2) Name: Pushpinder Singh
ID: 11571188

Table of Contents
1. Privacy strategy for personal data
a. Management of personal information
b. Collection and management of solicited personal information
c. Use and disclosure of personal information
d. Use and security of digital identities
e. Security of personal information
f. Access to personal information
g. Quality and correction of personal information
2. Recommended Privacy controls
a. Mitigation to privacy risks
b. Implement of the privacy Strategy
i. Planning
ii. Implementation
iii. Operation
3. Personal data protection strategy
a. Protection of personal information
b. Authorized access and disclosure of personal information
c. De-identification of personal data
d. Use of personal digital identities
e. Security of personal data
f. Archiving of personal data
4. Recommended personal data protection strategy
a. Mitigate the previously identified security risks
b. Implement the personal data protection strategy

1. Privacy strategy for personal data
Student 1
a. Management of personal information
Personal information is defined in the Privacy Act 1988 as: “...information or an opinion
(including information or an opinion forming part of a database), whether true or not, and
whether recorded in a material form or not, about an individual whose identity is
apparent, or can reasonably be ascertained, from the information or opinion.”
Management of personal information is an important process for Government Agencies to
ensure the provision of proper and considerate services to their citizens. Improper
management of personal information may compromise the critical data of
individuals.
Efficient delivery by the Administrative Services demands end-to-end
responsibility for ensuring secure and reliable protection of personal information.
Individuals who provide their data for service provision have entrusted the respective
Agency to protect and secure their data. Management of personal information is composed of
principles and guidelines concerning the collection, accuracy, access and correction,
storage and security, use, disclosure, and transparency of the personal information
("Guidelines for the Management of Personal Information", 2013).
Collection of personal information requires that only necessary information
should be collected, to ensure relevance to the service delivery. This
avoids storing unnecessary information that does not concern the
provision of the administrative services.

Accuracy, access, and correction of personal information demand that collected personal
information should be accurate, without any perceivable errors. Individuals should have
access to their personal information and be able to make necessary corrections according to the
procedure outlined by the Administrative Services.
Storage and security is the part of management of personal information that ensures no
misuse or loss of personal information, as well as prevention of inappropriate disclosure.
Moreover, collected personal information should only be used for the primary purpose it
was intended for. The Administrative Service Agency should table measures that prevent
personal information from being inappropriately used.
Personal information should not be disclosed to people, organizations or any
third parties that are not concerned with the primary purpose of the collected personal data.
Transparency is a part of the integrity of personal information; it ensures that the
stored information is made available to the public when demand arises, according to the accessibility
guidelines provided by the Administrative Services.

b. Collection and management of solicited personal information
Australian Privacy Principle 3 (APP 3) outlines the collection of solicited personal
information as a process whereby an APP entity solicits personal information if it explicitly
requests another entity to provide personal information, or it takes active steps to collect
personal information ("Chapter 3: APP 3 — Collection of solicited personal information |
Office of the Australian Information Commissioner - OAIC", 2014).
Personal information can be collected by an agency where it is reasonably necessary for,
or directly related to, the agency's functions and activities. This means that personal
information should not be collected for purposes other than the organization's predefined
functions and activities outlined in its guidelines. An organization may only collect
personal information from individuals and from other organizations where it is necessary
for the organization's functions and activities. Both agencies and organizations collecting
the information should do so by lawful and fair means. Moreover, personal information
should only be collected from the concerned individual whenever possible, unless it is not
reasonable or is inapplicable.
APP 3 states that all personal information held by any entity, such as the Administrative
Services, is generally treated as information that was collected by the entity from different
people to form the metadata.
Solicited personal information includes personal information provided only by the
individual in response to a request or an order by agencies or organizations, personal
information provided by another entity in ensuring the sharing and transferring of the
personal information by both involved parties, personal information provided at an
official meeting, where it in one way or another relates to the purpose of the
collected data.
Individuals who are providing their personal information to agencies or organizations
should express consent, which implies that the individual is well informed and has an
understanding of the implications of their data being collected, in terms of the purpose of
their collected data and the security measures put in place to safeguard their information,
without being coerced. The individual can only give consent voluntarily, whereby the
consent is current and specific.
c. Use and disclosure of personal information
The collection of personal information is one thing while its disclosure is another thing
altogether. According to APP 6, the use and disclosure of personal information, an APP
entity can only use or disclose personal information for a purpose for which it was
collected (known as the ‘primary purpose’), or for a secondary purpose if an exception
applies ("Chapter 6: APP 6 — Use or disclosure of personal information | Office of the
Australian Information Commissioner - OAIC", 2014).
The purpose for which personal information is collected, also known as the 'primary purpose'
of collection, is the specific reason for which the entity intended the collected
personal information.
The secondary purpose, where an exception applies, outlines other functions apart from the
primary activity that was hitherto intended by the Administrative Agency. The exceptions
include:
i. The APP entity is an organization and a permitted health circumstance exists in
relation to the secondary use or disclosure of the personal information, which
requires the individual's personal health records for provision of efficient health
services.
ii. The secondary use or disclosure of personal information is required or authorized
by or under an Australian law or a court/tribunal order specified by the Australian
Constitution of the Privacy Act.
iii. The APP entity is an Agency that discloses biometric information or biometric
templates to an enforcement body, and the disclosure is done according to the
guidelines made by the Information Commissioner for the purpose of
the APP.
iv. The individual from whom personal information is collected has consented to a
specified secondary use or disclosure of personal information.
v. The individual would reasonably have expected that the Administrative Services
would use or disclose their personal information for that secondary purpose and
that the specified purpose relates to the primary purpose of data collection.
However, the use and disclosure of personal information by an organization does not
apply to the collection of personal information for direct marketing or government-related
identifiers.

Student 2
d. Use and security of digital identities
With the rising digitalization of everything technologically possible, and with innovations such
as 'cloud first' and 'shared services', internet users leave a digital trail behind them online.
The provision of personal information before access to and use of online services is a huge
contributor to the collection of our personal data, which, when collected, can statistically
identify us (Himmelsbach, 2015).
A digital identity is a set of attributes related to an entity, used by computer systems to
represent a person, organization, application, or device. This set of attributes may
include username and password, date of birth, social security number, online history and
reactions that are linked to one or more identifiers such as an email address or a URL.
Modern technologies have deployed the use of digital identities for authentication and
authorization, where authorized personnel access the system through a Single Sign On
link to a secure URL which is managed by a specified session.
Digital Identity combines different mechanisms to secure the accessibility of private
information. Through authentication, it determines whether users accessing applications
and information are who they say they are. By authorization, it ensures that information is
only accessible to those that are allowed, authorized or have the permission privilege to
access it. It also uses digital signatures to generate information that can be used to improve
the integrity and accountability of accessed data. Finally, digital identity uses encryption
to transform raw data into encrypted data to secure it as it moves over multiple networks.
Single Sign On (SSO) is a security mechanism that is used to ensure that authentication
keys are only valid for a one-time sign in. This prevents any possibility of leaked keys
being used by unauthorized personnel to access various systems.
Digital Identities have been combined with blockchain technology, which is a
methodology that lets organizations verify many types of transactions by leveraging a
collaborative digital ledger and a predetermined network of individual contributors or
keepers of the blockchain. Once transactions or other data are inside the secure
blockchain ledger, cryptography takes over and verification hurdles drastically decrease
the chances of data being stolen (Stanganelli, 2016). Blockchain is both private based and
public based, whereby private is permission based and can only be accessed by
authorized people, while public is anonymous. Their combination provides a stronger
security methodology for securing sensitive information over any network.
e. Security of personal information
Security of personal information is critical for agencies and organizations to uphold
personal information with integrity. According to Australian Privacy Principle 11 (APP 11),
an entity must take reasonable steps to secure and protect personal information that it
holds from unauthorized access, misuse, interference, modification, or disclosure
("Chapter 11: APP 11 — Security of personal information | Office of the Australian
Information Commissioner - OAIC", 2015). It is therefore required that whenever the
entity no longer needs personal information for any reasonable purpose, under either the
primary or a secondary purpose, the respective entity should take measures to destroy the
personal information accordingly or ensure that the data cannot be identified whatsoever.
Strategies for enabling secure personal information include access
security, ICT security, data breaches, physical security, the security features used by third party
providers, internal procedures, and standards for the protection of the personal
information.
The security considerations that ensure security of personal information are composed of
measures to avoid:
i. Misuse of personal information – this is a situation where an Agency uses
personal information for a purpose that is not permitted by the Privacy Act. All
organizations that hold personal information should uphold the privacy
requirements that bind them in relation to the use of personal information.
ii. Interference with personal information – this occurs when there is an attack on personal
information, whether internal or external. An attack on a computer system that
interferes with the information held by an APP entity leads to exposure of personal
information.
iii. Loss of personal information – this covers deliberate or
accidental loss of personal information held by an APP entity, both physically and
electronically. Physical loss is where hard copy documents or any computer
resource are lost, while electronic loss means that information is lost in the event of
systems failure. This loss may also result from theft through unauthorized
access to the data.
iv. Unauthorized access of personal information – occurs when personal information
that an entity holds is accessed by any individual that is not allowed to access the
information. Unauthorized access can come from inside, by employees, or from external
entities.
v. Unauthorized modification of personal information – a scenario where
stored personal information is altered by an unauthorized person.
vi. Unauthorized disclosure – occurs when an entity makes personal information
accessible and visible to other entities outside the specified organization or releases
the personal information from its effective control.
f. Access to personal information
The Data Protection Acts, 1988 and 2003, outline that an individual has the right to find
out, free of charge, whether a person (an individual or an organization) holds information
about them. Moreover, the individual has the right to obtain a description explaining the
purpose for holding their information, as well as a copy of their personal
information.
APP 12 requires an APP entity that holds personal information about an individual to
give the individual access to that information on request ("Chapter 12: APP 12 — Access
to personal information| Office of the Australian Information Commissioner - OAIC",
2014). The Australian Privacy Principle allows an individual to be granted access to their
information by an entity that holds their data.
However, access to personal information is guided by outlined minimum access
requirements that have to be met by an individual or any third-party organization that
requests access to any personal information. Proper verification of an individual's identity
is key before granting access to personal information. It approves the accessibility from
documented legislation or other applicable legislation. Further processing of personal
information may require the individual to abide by the Freedom of Information Act.
Access to any personal information under the FOI Act requires an individual to meet
the minimum stipulated requirements.
Organizations may refuse to grant access to individuals under APP 12. The Australian
Privacy Principle lays out grounds on which individuals may be refused access to
their personal information. The grounds include:
i. Giving access to personal information may reveal the intentions of the
organization in relation to negotiations in a way that prejudices
those negotiations.
ii. The organization reasonably believes that giving access would pose a serious
threat to the life, health, and safety of any individual or the public.
iii. Giving access would be unlawful.
iv. Giving access would reveal evaluative information generated within the
organization regarding a commercially sensitive decision-making process, among
others.