In the context of data integration projects, personnel security encompasses procedural and personnel measures for limiting access to confidential information, where access is limited to authorised staff for approved purposes only. The personnel security measures that are used for data integration projects may vary according to the differences in personnel security policies that apply across agencies and the assessed risk of the project.
However, the range of measures recommended for data integration projects are:
- access to unit record information is decided on a strict need-to-know basis through a formal approval process. Individuals must only have access to information that is required for them to perform specific functions or tasks for a specific data integration project. The ‘need-to-know’ principle is a fundamental rule of personnel security according to the Protective Security Framework and is mandatory for all data integration projects.
- a senior officer is responsible for managing and monitoring access control, including reviewing who can access particular datasets when personnel move positions and their work no longer requires access.
- appropriate personnel security arrangements are in place to ensure only those who are eligible and suitable to have access to the information are authorised to have access. For example, staff undergo security checks, sign an undertaking to acknowledge their confidentiality responsibilities, and are subject to sanctions or penalties for breaches of confidentiality. In the case of high risk projects penalties for disclosure should include jail terms and/or fines.
- the policies, protocols and obligations regarding security, the protection of personal information and breaches of security or confidentiality are communicated to all staff on an on-going basis through training, policy and procedural documentation and other corporate awareness raising activities.
- induction and training strategies are in place for staff to place a strong emphasis on the appropriate use of the technology environment, e.g. not having passwords written down where they can be discovered by third parties, not storing confidential information on laptops or thumb drives without protection such as encryption and passwords.
For more information about other aspects of data security see:
- Personnel security
- Physical security
- Information and communication technology security