1. Watch the video “Massive cyberattack strikes Anthem” below (1 min 43 s).
2. Review the Case Study: Practical Applications of an Information Privacy Plan on page 443 of the textbook. Based on the video, your readings this week, and the case study, please respond to the following questions:
. What information privacy principals have been breached?
. How were the information privacy principals breached?
. What would you do to address the situation?
XYZ University is a medium-sized tertiary education provider in the state of Queensland, Australia. In undertaking its normal business of teaching, learning, and research, the university collects, stores, and uses “personal information,” that is, anything that identifies a person’s identity.
With respect to students, this information may include, among other things, records relating to admission, enrollment, course attendance, assessment, and grades; medical records; details of student fees, fines, levies, and payments, including bank details; tax file numbers and declaration forms; student personal history files; qualifications information; completed questionnaire and survey forms; records relating to personal welfare, health, equity, counseling, student and graduate employment, or other support matters; records relating to academic references; and records relating to discipline matters.
The bulk of this information is retained in the student management information systems and in the file registry. Academic and administrative staff, at various levels, have access to these records only as required to carry out their duties. Portions of the information held in university student records are disclosed outside the university to various agencies, such as the Australian Taxation Office; the Department of Education, Employment and Workplace Relations; other universities; consultant student services providers; the Department of Immigration and Citizenship; and overseas sponsorship agencies.
· Personal information is collected and used only for a lawful purpose that is directly related to the collector’s function.
· Before the information is collected, the individual concerned should be made aware of the purpose, whether it is required by law, and to whom the information will be passed on.
· Files containing personal information should be held securely and protected against loss; unauthorized access, use, modification, or disclosure; or any other misuse.
· Personal information can only be disclosed to another person or agency if the person concerned is aware of it and has consented and the disclosure is authorized or required by law.
· Personal information should not be used without taking reasonable steps to ensure that it is accurate, up to date, and complete.
Roger, a photocopier technician, has been asked to repair an office photocopier that just broke down while someone was copying a grievance matter against an employee of the agency. The officer who was copying the file takes the opportunity to grab a cup of coffee and leaves Roger in the photocopy room while the photocopier cools down. While waiting, Roger flips through the file and realizes that the person against whom the grievance was made lives on the same street as he does.
Tom telephones a student at home about attending a misconduct hearing. The student is not at home; however, the student’s partner, Christine, answers the phone. She states that she knows all about the misconduct hearing but asks for clarification of the allegations. When pressed, Tom provides further details. Tom feels comfortable about providing this information to Christine because she is the student’s partner, and she has already told Tom that she knows all about her partner’s misconduct hearing.