Why information protection is important
What is information protection?
Information protection (or information security as defined by the National Institute of Security and Standards) refers to the protection of information and information systems from unauthorised access, use, disclosure, disruption, modification, or destruction. Information protection is important to provide:
- confidentiality, which means preserving authorised restrictions on access and disclosure, including means for protecting personal privacy and proprietary information; and
- integrity, which means guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity; and
- availability, which means ensuring timely and reliable access to and use of information.
Information protection employs security solutions, encryption, and other technologies, as well as policies and processes, to secure information.
Why information protection is important
Data and information are valuable assets. Information protection is important for many reasons, including:
- protecting your Personally Identifiable Information (PII)
- protecting UQ’s information and decisions
- protecting Intellectual Property (IP) and research secrets
- ensuring compliance with legislation
- protecting the reputation of UQ and researchers
- and more.
UQ information that is leaked, manipulated or becomes unavailable may lead to reputational, compliance, health and safety or financial damages.
Protecting your Personally Identifiable Information
The University collects confidential information and PII that can relate to: current staff and their partners or next of kin; business partners and clients; customers and other members of the public. This information needs to be protected in order to prevent that data being misused by third parties for fraud, such as phishing scams and identity theft.
Data protection is also crucial to help prevent cybercrimes: keeping details (specifically banking details) and contact information protected helps prevent fraud.
Confidential business decisions
Data breaches may lead to the unauthorised disclosure of any UQ information that has been classified higher than ‘OFFICIAL - PUBLIC’. This has the potential to cause harm, serious harm or deformation to UQ, another organisation or an individual.
Examples could include information on business decisions which could affect revenue, an organisational restructure proposal, academic misconduct committee decisions, business cases, budgets, etc.
Legislation
There are many laws around data protection that the University must comply with. Significant ones include:
- Information Privacy Act 2009
- Information Privacy Regulation 2009
- Privacy Act 1988
- University of Queensland Act 1998
- Information Security Policy (IS18:2018)
- Information Governance Policy.
In addition, there are myriad further Federal Acts, Queensland Acts, Federal Policies, Queensland Policies and Global Regulations (such as the GDPR), and even research partnership agreements may include further privacy stipulations.
Furthermore, the Australian Government’s Notifiable Data Breach Scheme imposes financial penalties for data breaches.
Protecting research data and Intellectual Property
UQ is a research institution, committed to ‘the pursuit of excellence’ and being at the forefront of many research endeavors. As such, the research data UQ researchers collect is valuable.
Intellectual property (IP) refers to creations or knowledge resulting from intellectual efforts. IP gives the owner the right to decide how others can use the creations.
In many situations, the research data or IP may be confidential, hold research secrets, or even be collected in partnership with industry.
- UQ commonly undertakes confidential research. For example: medicine, design, trade secrets, Aboriginal culture, or endangered species.
- UQ has many agreements with funding bodies, hospitals, industry, government and other collaborators; these agreements contain obligations around confidentiality and IP.
In fact, nation state cyber threat actors commonly target universities and research institutions to obtain confidential research data. A data breach of research data collected for a research partnership with the Australian Defence Force (ADF) could put top-secret ADF information in the hands of an enemy state.
- For more information on IP see the Intellectual Property for Staff, Students and Visitors - Policy or read the Library’s Intellectual Property and Copyright module.
Protecting reputation
Organisations suffer damage to their brand and reputation as the result of data breaches. The community may lose faith and trust in the organisation, and its commitment to privacy.
In addition, the leakage of confidential research data can impact a researcher’s, or a research institution’s, reputation.