Protection of Personally Identifiable Information (PII) is a growing concern for many people and businesses. Traditionally, legal teams may only have thought about protecting personal data when providing documents to a regulatory body, court or another party in response to Notices to Produce, Disclosure Orders etc… consideration being given to whether personal information should be redacted. However, there is now a more serious threat to PII in the form of Data Breaches.
Overview
Under Australian Legislation data including Personally Identifiable Information (PII) is
protected under the Privacy Act 1988 as well as under the Australia Government Notifiable Data Breaches Scheme which introduced in 2018 requires Australian Government agencies and organisations to notify individuals affected by data breaches that are likely to result in serious harm.
Definition of PII
The Office of the Australian Information Commissioner defines Personal Information as ‘information or an opinion about an identified individual, or an individual who is reasonably identifiable. It includes names, email addresses, home addresses, passport and driver’s license numbers, employment status, criminal record, age, ethnicity, race— the list goes on. Identifying all of these diverse forms of data is not a simple task.
Problem
Traditionally legal teams may only have thought about protecting personal data when providing documents to a regulatory body, court or another party in response to Notices to Produce, Disclosure Orders etc…consideration being given to whether personal information should be redacted. However, there is now a more serious threat to PII in the form of Data Breaches.
Over the 2020–21 financial year, the Australian Cyber Security Centre reported that it received over 67,500
cybercrime reports, an increase of nearly 13 per cent from the previous financial year. This represents one cyber-attack every 8 minutes.
And in the last few years there have been a number of notable data breaches including:
- 3 billion Yahoo users security questions, passwords and financial info
- 700m LinkedIn users email address, phone numbers and profiles
- 350m Facebook users account names and phone numbers
- 330m Twitter user’s passwords
- 32m Ashley Madison user’s names, email addresses, home address, credit card payment history and other personal details
Solution
Automated Identification
Law In Order can use Relativity Redact and tools such as Azure Cognitive Services to identify, highlight and or redact relevant information in three simple steps:
i. Identify the information you wish to identify and redact or highlight.
ii. Set the rules as to what will be automatically redacted or highlighted.
Relativity Redact and Azure Cognitive Services have a number of pre-set options that can be combined with rules of your choice to identify common patterns such as Credit Card Numbers, Driver License Numbers, Tax File Numbers, Birth Dates, as well as Persons and Company names. Redactions can be applied automatically with a redaction label identifying the information as Confidential, PII or with any text of your choice.
iii. QA the results
Once documents with potentially relevant material are identified QA is carried out to ensure the information identified is indeed what you are looking for.
Human Identification
Whilst Automated Redaction is the recommended initial approach, there are certain tasks that will require human reviewers to Quality Assurance, review and redact or highlight documents.
Quality Assurance
Where redactions have been applied automatically using Relativity Redact. Law In Order’s Document Review team can carry out the Quality Assurance as required. Ensuring that the data being identified is correct.
Documents not Suitable for Automated Redaction / Highlighting
Where documents are not suitable for automated redaction, for example documents where the quality of text is poor and may not be able to be read by the software, for example handwritten notes or low-quality scanned documents, Law In Order’s Document Review team can undertake the review of these document and redact or highlight any relevant text manually.
PII that is not Suitable for Pattern Recognition
Whilst automated redaction / highlighting is possible where you have a list of known names or a repeatable regular pattern such as a Tax File Number, if you wish to identify and redact all names or text that is not easily identifiable by patter recognition, an automated workflow may not be sufficient for your needs. In this case Law In Order’s Document Review team can undertake the review of these document and redact or highlight any relevant text manually.
Summary
Using a combination of technology and human reviewers Law In Order can provide a quick and cost efficient workflow to assist you meeting your data protection and reporting obligations.
For further information, please contact:
Linda Fernandez, Chief Client Officer, Law In Order
sydney@lawinorder.com